
Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks

Posted by Unknown Lamer
from the check-your-sources dept.
msm1267 writes with an excerpt from Threat Post: "While the big traffic numbers and the spat between Spamhaus and illicit webhost Cyberbunker are grabbing big headlines, the underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland. Open resolvers do not authenticate a packet-sender's IP address before a DNS reply is sent back. Therefore, an attacker that is able to spoof a victim's IP address can have a DNS request bombard the victim with a 100-to-1 ratio of traffic coming back to them versus what was requested. DNS amplification attacks such as these have been used lately by hacktivists, extortionists and blacklisted webhosts to great success." Running an open DNS resolver isn't itself always a problem, but it looks like people are enabling neither source address verification nor rate limiting.
  • by Anonymous Coward on Thursday March 28, 2013 @05:08PM (#43306781)

    Yep. Had BCP38 (Best Current Practice No. 38) [ietf.org] been in effect at those ISPs, this attack would not have occurred.

  • by LordLimecat (1103839) on Thursday March 28, 2013 @06:02PM (#43307209)

    A DNS server has no way of verifying whether the source address is valid. Only the ISP who provides access to the originator of the traffic can do that.

  • by LordLimecat (1103839) on Thursday March 28, 2013 @06:06PM (#43307245)

    Because the DNS servers are doing nothing wrong.

    The problem is that people can spoof source addresses (because ISPs aren't stopping it). Fix this issue, and you'll still have to worry about any of a million other scenarios where a small request gets a lot of data back.

    All you have to do is make sure source addresses are filtered when they hit the ISP, and the huge majority of these issues (as well as being able to cloak where an attack came from) go away.

  • by Shoten (260439) on Thursday March 28, 2013 @06:38PM (#43307469)

    > Because the DNS servers are doing nothing wrong.
    >
    > The problem is that people can spoof source addresses (because ISPs aren't stopping it). Fix this issue, and you'll still have to worry about any of a million other scenarios where a small request gets a lot of data back.
    >
    > All you have to do is make sure source addresses are filtered when they hit the ISP, and the huge majority of these issues (as well as being able to cloak where an attack came from) go away.

    Actually, they are. The feature being leveraged here is that the servers are performing recursive lookups for domains that they do not control for the open Internet; BIND turns this off, by default, starting with version 9.4. The problem is that a lot of 9.3.X and older DNS servers are still out there, as well as a lot of bad network architecture jobs. The servers should only handle recursion for IP addresses that are on the inside. And as for the spoofing? Well, ingress filtering is trivial to do at the border. And these two things in concert shut this problem down entirely.
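One way to check for the misconfiguration this comment describes is to audit the resolver's own query log for outside clients that were granted recursion. The following is an added example, not code from the thread or from BIND: it parses BIND 9 style query-log lines (the sample lines are constructed and the internal network list is an assumption) and reports clients outside those networks whose queries carried the recursion-desired flag, counting ANY queries separately since they produce the largest answers.

```python
import ipaddress
import re
from collections import defaultdict

# Networks this resolver is meant to recurse for (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# BIND 9 query-log line shape: "client <ip>#<port>: query: <name> IN <type> <flags> (<server>)".
# A flags field starting with '+' means the client asked for recursion; '-' means it did not.
LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
28-Mar-2013 17:08:01.101 client 10.1.2.3#53211: query: www.example.com IN A +E (10.0.0.53)
28-Mar-2013 17:08:01.230 client 203.0.113.7#1337: query: isc.org IN ANY +ED (10.0.0.53)
28-Mar-2013 17:08:01.231 client 203.0.113.7#1337: query: isc.org IN ANY +ED (10.0.0.53)
28-Mar-2013 17:08:01.400 client 198.51.100.9#4000: query: example.net IN TXT + (10.0.0.53)
28-Mar-2013 17:08:01.500 client 192.168.5.5#2222: query: mail.example.com IN MX +E (10.0.0.53)
28-Mar-2013 17:08:01.600 client 203.0.113.9#5000: query: example.org IN A -E (10.0.0.53)
"""

def is_internal(ip):
    """True if the client address falls inside one of the networks we serve."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def audit_open_recursion(log_text):
    """Return {client_ip: {"recursive": n, "any": m}} for clients outside
    INTERNAL_NETS that asked for recursion; any entry means the resolver is open."""
    findings = defaultdict(lambda: {"recursive": 0, "any": 0})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query-log line
        ip, qtype, flags = m.group("ip"), m.group("qtype"), m.group("flags")
        if is_internal(ip) or not flags.startswith("+"):
            continue  # recursion served to an inside client, or an iterative query
        findings[ip]["recursive"] += 1
        if qtype == "ANY":
            findings[ip]["any"] += 1
    return dict(findings)

if __name__ == "__main__":
    for ip, counts in sorted(audit_open_recursion(SAMPLE_LOG).items()):
        print(f"{ip}: {counts['recursive']} recursive queries from outside, {counts['any']} of type ANY")
```

Any client reported here means recursion is reachable from the open Internet; the fix the comment points to is restricting recursion to inside addresses (and, per the summary, rate limiting responses).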

  • Re:By Design (Score:2, Informative), by Anonymous Coward on Thursday March 28, 2013 @07:18PM (#43307741)

    There is no way that DNS over UDP can verify a source address. The solution is that all ISPs drop traffic with invalid source addresses before it leaves their network.
