Slashdot Mirror


DDoS Attacks Via DNS Recursion

JehCt writes "Associated Press is running a story about how the recursion feature of open DNS servers can be used to launch massive distributed denial of service (DDoS) attacks: 'First detected late last year, the new attacks direct such massive amounts of spurious data against victim computers that even flagship technology companies could not cope.' A thread at WebmasterWorld explains, 'To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'"

9 of 192 comments

  1. Could someone explain how the attack works? by defile · · Score: 1, Interesting

    From what I understand of DNS resolvers, this attack can't work unless there's another compromise at play here. Either a compromise of one of the victim host's zones, or a compromise of the servers hosting the open resolvers themselves.

  2. That's a bold statement by fak3r · · Score: 2, Interesting

    > having a DNS server that allows recursion for the Internet is like running an open SMTP relay.

    Anyone want to discuss how DNS Cache addresses this? AFAIK this is a pretty "safe" way to provide DNS to at least a small sized network - but that's all I run it on. Comments, concerns, advice?

  3. Re:djbdns by eln · · Score: 2, Interesting

    I'm a big fan of DJB's software, and I use most of it regularly. However, if you've ever actually looked at his code, you might decide having the ability to look at his code is a negative for everyone except for maybe the ibuprofen industry.

  4. Re:I love djbdns by Russ+Nelson · · Score: 2, Interesting

    When is a spade not a spade? If someone engages in puerile activity, don't they deserve a puerile name? djb (the old djb, anyway)'s biggest problem is that he didn't give people the truth gently. He would tell people "That's stupid, and you're being stupid for proposing it." The best djb quip I ever heard was:

    djbwm - it's the best window manager in the world, but when you try to move a window, it argues with you for ten minutes that it was already in the right place.

    --
    Don't piss off The Angry Economist

  5. Re:djbdns by Perl-Pusher · · Score: 3, Interesting

    I have 3 DNS servers that are NAT'd on the private LAN and allow recursion; the public one outside doesn't. I'm not a DNS expert, but I haven't had any issues from users or attacks.

  6. When BIND is fixed I'll implement it by jmorris42 · · Score: 1, Interesting

    There really isn't a good reason one nameserver can't serve internal and external users. All that is needed is for recursive lookups to be restricted to the internal IP space. It doesn't look like BIND can currently do that, but I suspect that if this problem is really serious it will quickly gain the ability.

    Some of us don't like the idea of maintaining more servers than are absolutely required, this looks like a pretty bogus reason to install another set of nameservers.

    --
    Democrat delenda est

    1. Re:When BIND is fixed I'll implement it by jmorris42 · · Score: 2, Interesting

      > In Bind9 you don't have to return cached data, so though it happens by default you can
      > turn it off ("additional-from-cache"):

      Excellent. The commentary on the site with the original article didn't seem to know about that trick. So now I just need to make sure I have wrapped my head around all of the details and start making the changes. Going to be a bit of bother this way but manageable. Installing another pair of nameservers was right out; this way is doable.

      --
      Democrat delenda est

  7. StormPay: A recent example of this attack by miller60 · · Score: 2, Interesting

    The credit card processing gateway StormPay was knocked offline by this type of DNS amplification last month. The traffic peaked above 6 gigabits per second, and continued for weeks.
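The split the two posts above are after (one BIND 9 server that recurses only for the internal address space and answers everyone else authoritatively) can be expressed with an ACL and two views. This is an added example, not configuration from the thread or from ISC; the address ranges, zone name and file paths are placeholders.

```conf
// Added example: BIND 9 named.conf fragment. Address ranges, zone and
// file names are placeholders; replace them with your own.
acl "internal" {
    127.0.0.0/8;
    10.0.0.0/8;          // placeholder: your internal IP space
};

options {
    directory "/var/named";
    recursion no;                       // global default: no recursion for anyone
    allow-recursion { internal; };      // only internal clients may recurse
    allow-query-cache { internal; };    // outsiders never read cached data
    additional-from-cache no;           // the trick from the reply above; older
    additional-from-auth no;            // BIND 9 only - drop if named rejects it
};

// Internal clients: full recursive resolver plus the authoritative zone.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "example.com" { type master; file "example.com.zone"; };
};

// Everyone else: authoritative answers only, nothing from cache.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    zone "example.com" { type master; file "example.com.zone"; };
};
```

With views in use every zone must live inside a view, and `rndc reload` followed by a recursive query from an outside address should return REFUSED rather than an answer.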

    As previous posters have noted, these attacks have become more frequent in recent months, prompting an advisory from US-CERT (PDF) in December. It's a hot topic on several security lists, and a special focus of SecuriTeam blogger Gadi Evron.

  8. Re:Of course there is... by inKubus · · Score: 2, Interesting

    Yeah, there's a checkbox to disable all recursion in Windows Server DNS, under DNS > Forwarders and Advanced tabs.

    The problem is doing the cache for internal hosts (or an internal interface) and running zone authority for external (internet) users on one server. Apparently it's not possible using the built in configuration tool. There's probably a registry key which determines which interface will forward or not, around here: HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\DNS Server
    It may be possible to get another instance running on a different interface also.

    Until then, you need two hosts in Windows, with one not allowing recursion on the outside or DMZd/NATd and one local cache/forwarder box inside. Thanx MS

    --
    Cool! Amazing Toys.