Slashdot Mirror


DDoS Attacks Via DNS Recursion

JehCt writes "Associated Press is running a story about how the recursion feature of open DNS servers can be used to launch massive distributed denial of service (DDoS) attacks: 'First detected late last year, the new attacks direct such massive amounts of spurious data against victim computers that even flagship technology companies could not cope.' A thread at WebmasterWorld explains, 'To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'"

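As an added example that is not part of the AP story, the WebmasterWorld thread, or any comment on this page: a short Python script that builds the kind of small query a reflection attack sends with a spoofed source address, parses the header of a DNS reply, and uses the RA (recursion available) flag and RCODE to tell an open recursive resolver from a properly restricted one, then computes the amplification factor (reply bytes per query byte). Function names such as build_query and classify, and both reply packets, are constructed for this example; nothing is sent on the network.

```python
"""Open-resolver / DNS amplification check (added example, offline).

The two "replies" below are constructed byte strings standing in for what a
resolver would send back; no UDP socket is opened.
"""
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_REFUSED = 5


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=255, txid=0x1234, rd=True, edns_bufsize=4096):
    """Build the query a reflector abuser sends: RD set, QTYPE=ANY, and an
    EDNS0 OPT record advertising a large UDP buffer so the reply is big."""
    flags = FLAG_RD if rd else 0
    arcount = 1 if edns_bufsize else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, no RDATA
        opt = b"\x00" + struct.pack(">HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def parse_header(packet):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & RCODE_MASK,
        "answers": an,
    }


def classify(query, response):
    """Return (is_open_resolver, amplification_factor).

    A server is usable as an open recursive reflector if it answers a
    stranger's RD query with RA set, does not return REFUSED, and actually
    supplies answer records.
    """
    h = parse_header(response)
    open_resolver = (h["is_response"] and h["ra"]
                     and h["rcode"] != RCODE_REFUSED and h["answers"] > 0)
    return open_resolver, len(response) / len(query)


def build_response(query, answer_rdata_list, ra=True, rcode=0):
    """Constructed reply: echo the question, then one TXT RR per rdata item
    (name compressed to the question at offset 12)."""
    txid, qflags, _, _, _, _ = struct.unpack(">HHHHHH", query[:12])
    flags = FLAG_QR | (qflags & FLAG_RD) | (FLAG_RA if ra else 0) | rcode
    header = struct.pack(">HHHHHH", txid, flags, 1, len(answer_rdata_list), 0, 0)
    # question section ends at the name terminator plus 4 bytes QTYPE/QCLASS
    end = query.index(b"\x00", 12) + 1 + 4
    question = query[12:end]
    body = b""
    for rdata in answer_rdata_list:
        body += b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + question + body


def demo():
    """Run the check against two constructed replies to the same query."""
    q = build_query("example.com")
    # constructed: an open resolver happily answering ANY with 20 bulky TXT records
    open_reply = build_response(q, [b"\x64" + b"x" * 100] * 20, ra=True, rcode=0)
    # constructed: a restricted resolver refusing recursion to an outside client
    refused_reply = build_response(q, [], ra=False, rcode=RCODE_REFUSED)
    return classify(q, open_reply), classify(q, refused_reply)


if __name__ == "__main__":
    (is_open, amp), (is_open2, amp2) = demo()
    print("open resolver: %s, amplification x%.1f" % (is_open, amp))
    print("restricted resolver: %s, amplification x%.1f" % (is_open2, amp2))
```

Against a live server the equivalent check is `dig @server example.com +recurse` and looking at the `flags:` line for `ra` together with a status other than REFUSED. In BIND the fix is `allow-recursion { localnets; localhost; };` in `options`, or `recursion no;` on a purely authoritative server. Note that the spoofed source address is what turns the server into a reflector; open recursion only determines how large the reflected reply can be.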
5 of 192 comments

  1. Doctor, it hurts when I go like this by $RANDOMLUSER · Score: 3, Insightful
    > 'To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'

    OK, don't do that then.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  2. That's by Berenstain? by Philip+K+Dickhead · Score: 3, Insightful

    With his weird license? God. He writes good software. He's even a bloody certified genius, but he's almost as insufferable as Dave Weiner. Don't try and submit a patch - unless you are just donating to his cause, and want nothing as a contributor. Also, be prepared for the contempt of his responses.

    Besides, who wants software written by a cartoon bear?

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
  3. Re:Why do you think you need a license? by Russ+Nelson · Score: 2, Insightful

    Yeah, but we're not talking about copying which falls under fair use. Incorporating a copy of code into a unidiff patch would be fair use (commentary). Making a copy of a djb subroutine for pedantic purposes ("see how he does this") would be fair use. Making a copy of code which is no longer for sale and cannot be purchased for any reasonable price might be fair use. Making a copy of code which is freely downloadable elsewhere -- even if you use it to create a derived work -- is almost certainly not fair use. Fair use always ends up being a judgment call on part of a judge. You'd always prefer not to have to rely on fair use.

    --
    Don't piss off The Angry Economist
  4. Re:Could someone explain how the attack works? by Cramer · Score: 2, Insightful

    That's "another compromise"... IP Spoofing hasn't a f***ing thing to do with DNS recursion. One can just as easily spoof your address in a non-recursive request.

  5. Re:djbdns by speculatrix · Score: 2, Insightful

    I used to work for a company which bought one of the oldest ISPs in the UK, and inherited their venerable antique set of SPARC servers.

    There was a server (named after a famous London landmark), which did DNS serving and also resolving, and was open to the whole internet (which, admittedly, wasn't too big). When customers moved away, they continued to use it for resolving. When the server was finally shut down in, errm, 1999 (wasn't the Y2K bug a marvellous excuse to get rid of services no one wanted to maintain anymore?!), we sniffed the network and there were still people using it. The network block was reallocated for other purposes, and even two+ years on there were still steady numbers of DNS resolving requests.

    We also had separate resolvers and name servers, and we put up big announcements for months that name servers were going to lose recursion (because reloading the servers was taking longer and longer and people complained about slow resolving), and yet there were die-hards who held out until rebutted customer complaints made them fix things. We guessed these customers, basically, had had someone set things up, the person resigned/died/was fired/was kidnapped by aliens from Redmond, and they had no clue how anything worked any more.

    So, yes, changing the default behaviour of DNS servers to not resolve can cause problems.

    Oh yeah, one final thing. When I started work at that ISP in the mid nineties, 20-25% of customers ran Windows, the rest ran some form of Unix; the Windows users "ate" 80%+ of support. When I left three years later the Windows users were 60-70% of customers, and the number of support staff grew to accommodate the cluelessness.