Slashdot Mirror


DDoS Attacks Via DNS Recursion

JehCt writes "Associated Press is running a story about how the recursion feature of open DNS servers can be used to launch massive distributed denial of service (DDoS) attacks: 'First detected late last year, the new attacks direct such massive amounts of spurious data against victim computers that even flagship technology companies could not cope.' A thread at WebmasterWorld explains, 'To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'"

8 of 192 comments

  1. Re:djbdns by PaisteUser · Score: 5, Informative

    It's not that difficult to make BIND9 not respond to recursive queries: add "recursion no;" to the "options {};" section of the named.conf file, reload the config, and you're good to go.

    --
    root@allevil:~#
  2. Disable recursion in BIND by Ponga · Score: 5, Informative

    Put this line in your zone definition:
    recursion no;

    Problem solved.

  3. Re:I must resist by AKAImBatman · Score: 5, Informative

    That's self-referential, not recursive. One does not immediately imply the other. GNU, on the other hand, is recursive.

  4. Re:Could someone explain how the attack works? by Anonymous Coward · Score: 5, Informative

    No compromise needed. You just send requests to the DNS server spoofing yourself as the victim's IP. (UDP is much easier to spoof, and can be sent out very quickly.) The replies, which are some 30 times larger than the requests, get sent to the spoofed IP (victim). It is a classic form of amplification attack.

  5. Re:Could someone explain how the attack works? by LurkerXXX · Score: 5, Informative
    Then you don't understand DNS resolvers. Did you bother reading the linked site? All you need to do is query an open resolver with some domain you set up (e.g. my.spam.com), then change the authoritative DNS of your registered domain to the target open DNS resolver. Now whenever someone anywhere in the world queries for my.spam.com, it hits your DNS server (until their local server caches it). It looks like you are hosting the spammer.

    Another problem:
    (Quoting a post on the other site) "they can send a 70 byte packet to your DNS server, and your DNS server will send a 500+ byte packet to the victim. With EDNS0, that can be 4,000+ bytes."

    So with a dialup account, it would be possible to saturate a T1.

    There's plenty of ways for them to mess with you without any 'compromised' machines on your network.
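
The two comments above describe the mechanism in words; the following is an added example (not code from the thread or from any of the posters) that shows the same thing on the wire. It builds a DNS query for an assumed name, example.com, with and without an EDNS0 OPT record advertising a 4096-byte UDP buffer, constructs two replies inline (one from an open resolver that answers with a pile of records, one from a resolver that refuses off-zone recursion) and classifies them from the RA flag and RCODE, which is the check an open-resolver scanner performs. Nothing is sent on the network; all packets are constructed here, and the record counts are illustrative.

```python
"""Added example: DNS query/reply sizing and open-resolver classification.

All packets below are constructed in-process for demonstration; no network
traffic is generated.  The name example.com and the record counts are
assumptions chosen to make the sizes representative.
"""
import struct

QTYPE_A = 1
QTYPE_ANY = 255
QCLASS_IN = 1
OPT_RR_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234,
                recursion_desired: bool = True, edns_payload: int = 0) -> bytes:
    """Build a one-question DNS query.  If edns_payload is non-zero, append an
    OPT RR telling the server we accept UDP replies up to that many bytes."""
    flags = 0x0100 if recursion_desired else 0x0000   # RD bit
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    packet = header + question
    if edns_payload:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (zero), RDLENGTH=0.
        packet += b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, edns_payload, 0, 0)
    return packet


def parse_header(packet: bytes) -> dict:
    """Pull the fields an open-resolver check cares about out of the header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # 1 = this is a reply
        "rd": bool(flags & 0x0100),     # recursion desired (echoed)
        "ra": bool(flags & 0x0080),     # recursion available: the tell-tale bit
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def question_end(packet: bytes) -> int:
    """Offset just past the (single) question section."""
    i = 12
    while packet[i] != 0:
        i += packet[i] + 1
    return i + 1 + 4                    # terminating zero + QTYPE + QCLASS


def make_reply(query: bytes, rcode: int, ra: bool, n_a_records: int = 0) -> bytes:
    """Constructed reply for the demo: copies the question and appends
    n_a_records synthetic A records, each 16 bytes using a compression
    pointer (0xC00C) back to the question name.  Real replies vary, but the
    sizes are in the range the thread quotes."""
    txid = parse_header(query)["id"]
    flags = 0x8000 | (0x0080 if ra else 0) | rcode      # QR, RA, RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, n_a_records, 0, 0)
    body = query[12:question_end(query)]
    for i in range(n_a_records):
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
        body += bytes([192, 0, 2, i % 256])             # TEST-NET-1 address
    return header + body


def classify_resolver(query: bytes, reply: bytes) -> str:
    """What a reply to a recursive query for a name we are not authoritative
    for tells us about the server."""
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"]:
        return "not-a-reply"
    if r["rcode"] == RCODE_REFUSED:
        return "closed"
    if r["ra"] and r["rcode"] == RCODE_NOERROR and r["ancount"] > 0:
        return "open-recursive"
    return "indeterminate"


def amplification(query: bytes, reply: bytes) -> float:
    """Bytes the victim receives per byte the attacker sends (DNS payload only;
    add 28 bytes of IPv4+UDP headers to each side for on-the-wire figures)."""
    return len(reply) / len(query)


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    q_edns = build_query("example.com", QTYPE_ANY, edns_payload=4096)
    open_reply = make_reply(q, RCODE_NOERROR, ra=True, n_a_records=30)
    closed_reply = make_reply(q, RCODE_REFUSED, ra=False)
    print(len(q), len(q_edns), len(open_reply), classify_resolver(q, open_reply),
          round(amplification(q, open_reply), 1), classify_resolver(q, closed_reply))
```

The query is 29 bytes of DNS payload (40 with the OPT record), while the constructed 30-record reply is 509 bytes, so a resolver that answers it is returning roughly 17 times what it was sent; a REFUSED reply with RA clear is the behaviour "recursion no;" produces. The EDNS0 buffer size only matters for replies larger than 512 bytes, which is exactly why the quoted post singles it out.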

  6. Fixing bind9 by pjkundert · Score: 5, Informative
    If you run an internet facing bind9 DNS server, you may want to allow recursion (caching) to your internal clients, while continuing to serve DNS requests to external clients for your domains (those for which you are "authoritative").

    Let's say that your local LAN and WLAN networks are 192.168.0/24 and 192.168.1/24, respectively. Make the following additions to your /etc/bind/named.conf.options (or equivalent):

    options {
      allow-query { any; };
      allow-recursion { 192.168.0.0/24; 192.168.1.0/24; localhost; };
      ...
    };
    --
    -pjk Perry Kundert perry@kundert.ca http://kundert.2y.net
  7. Re:djbdns by Russ+Nelson · Score: 5, Funny

    You have a correct configuration. You gain 2 skill points.

    --
    Don't piss off The Angry Economist
  8. Re:When BIND is fixed I'll implement it by 19thNervousBreakdown · Score: 5, Informative

    view "internal" {
      match-clients {
        10.0.0.0/8;
      };
      recursion yes;
      zone "example.com" {
        yadda yadda yadda;
      };
    };

    view "external" {
      match-clients {
        any;
      };
      recursion no;
      zone "example.com" {
        blah blah blah;
      };
    };

    --
    <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>