Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks
msm1267 writes with an excerpt from Threat Post: "While the big traffic numbers and the spat between Spamhaus and illicit webhost Cyberbunker are grabbing big headlines, the underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland. Open resolvers do not authenticate a packet-sender's IP address before a DNS reply is sent back. Therefore, an attacker that is able to spoof a victim's IP address can have a DNS request bombard the victim with a 100-to-1 ratio of traffic coming back to them versus what was requested. DNS amplification attacks such as these have been used lately by hacktivists, extortionists and blacklisted webhosts to great success."
Running an open DNS resolver isn't itself always a problem, but it looks like people are enabling neither source address verification nor rate limiting.
In before the fight between those two guys and their walls of text...
Running an open DNS resolver isn't itself always a problem, but it looks like people are enabling neither source address verification nor rate limiting.
One has to wonder if this is caused by negligence, or if it's more a case of "oopsie, we left this door open, oh well" - which would be a great way to set up nodes around the 'net specifically to allow these types of attacks to occur.
Not saying that is right or wrong - asking a genuine question.
Peace,
Andy.
Why are they not sending out emails to the people running these things.
Check which domains these servers are authoritative for and send them a damn email.
Never even noticed until I ran Ethereal for an unrelated problem, and was like, "What is all this shit?"
Sorry about that.
The rate was slow enough that it never made a dent in the bandwidth usage. They must keep it throttled down but have a massive number of servers in parallel.
It claims that the problem is DNS resolvers that don't authenticate the sender's IP address using BCP38. It is comparing chalk and cheese. Filtering out spoofed IP addresses is something that needs to happen at the edge of the network. It's not something that a single server on the network can do.
I see that the Open Resolver Project has a tool to scan for offending servers in your IP space, but it doesn't explain what the results indicate. I'm guessing that an RCODE value of 0 means you're not part of the problem?
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Repeatedly post the same story.
I know it's not the primary topic here, but Gizmodo has some evidence that the whole Cyberbunker thing is a fake
http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie
If an experiment works, something has gone wrong.
Are there any routers that will ever talk to that range of IP addresses ever again, other than the ones run by a2b-internet.com?
Have the SWAT team bust down their door and haul their asses to jail. Seriously, this is ridiculous. Hacking into someone else's servers is a severe crime the last time I looked, and there is ample evidence from OpenDNS, who does not even have to file charges.
Otherwise you are showing the Russian Mafia and others that they are not accountable for their actions and can do whatever the hell they want. I wish more arrests would be made. Shutting down and arresting Cyberbunker officers would be a great start. After all, they got KimDotCom and he didn't do damage. I have noticed YouTube is barely working, with syncing issues, and I am on FiOS, which is no doubt related, as Google admits they're trying to absorb the punch so the internet doesn't get knocked out.
http://saveie6.com/
Maybe this is over my head. But how would one run a "safe" DNS server then? My interpretation of the article basically says to let only specific people use your DNS server, but then how would a company run a public resolver?
For example, Google runs open public name servers on 8.8.8.8 and 8.8.4.4, same with OpenDNS, and many, many more. What is to stop those servers from being used in this sort of attack? Is this article really advocating a situation where you MUST use only your own ISP's resolver and trust them not to do what so many of them consistently do and mess with the results?
Or am I completely missing the point to this article?
than the users that get their computers infected with botnets and spew spam. These people are supposed to know what they're doing.
Take away their Geek Card, and then suspend their internet license ;)
I work for the Department of Redundancy Department.
http://www.theregister.co.uk/2013/03/28/spamhaus_mega_ddos_little_collateral_damage/
Maybe this is over my head. But how would one run a "safe" DNS server then? My interpretation of the article basically says to let only specific people use your DNS server, but then how would a company run a public resolver?
For example, Google runs open public name servers on 8.8.8.8 and 8.8.4.4, same with OpenDNS, and many, many more. What is to stop those servers from being used in this sort of attack? Is this article really advocating a situation where you MUST use only your own ISP's resolver and trust them not to do what so many of them consistently do and mess with the results?
Or am I completely missing the point to this article?
Two different things. If you are running a DNS server yourself, for your own domain, then you should only respond to requests for your domain from the outside. I.e., non-recursive. The only answers you serve are for those queries you are authoritative for. You only accept recursive queries from inside your own network. Those are the recursive ones.
Public servers would use rate-limiting to protect against being effective in spoofed attacks.
DNS resolvers were originally intended to be open. There was no reason for them not to be. But furthermore, the recursive functionality of DNS made open resolvers a near requirement. This has changed a little and slowly over the years, but it's still largely the case.
Now compound the above with the fact that neither of the two most widely used DNS servers on the planet, BIND and Microsoft DNS (that's right, Bernstein fans, so STFU), check requesting source address validity. It's not in the spec, so why should they?
This attack suggests that the spec needs refinement, but don't go blaming people for doing what has been accepted best practice for the past 20 years or more.
Or am I completely missing the point to this article?
Yes.
It's talking about spoofed requests - much like if someone sent a request for more information to a Scientology center, and they put your return address on the form. Suddenly you're getting very creepy mail from the Scientologists and you have no idea where it came from. If they do it enough times to enough organizations, your mailbox is full, and your Netflix Blu-ray of Tootsie is deferred until you can clean out your mailbox.
The problem is that almost no one actually needs to run a public resolver.
Your ISP provides a DNS server to you that is recursive (usually), so they can use ACLs to make sure only their clients are using them.
Domain owners provide DNS servers that are authoritative, but only for their own domain, so it limits the scope of the problem as well.
The problem is when domain owners provide DNS servers authoritative for their domain, but also allow other people to use them as public recursive servers. There's usually no reason for this other than the server administrator's competence.
There are legit uses for open recursors, you mention Google DNS and OpenDNS as an example. These guys have to use rate limiting and defeat the attacks themselves, there's no easy solution.
The kind of traffic it generated could practically disconnect entire countries from the internet, and it is still open to whoever has the right resources to use it. What kind of measures can be taken to prevent it? To have several DNS mirrors with really big bandwidth?
"If you are running a DNS server yourself, for your own domain then you should only respond to requests for your domain from the outside."
This can be used for DDOS, right?
To reply to myself... no it can't, it's non-recursive...
Two other different things...
1) ISPs could drop outgoing TCP and UDP packets on port 53 from all their IP addresses except their own DNS servers. That would stop their customers from using public DNS servers outside their networks. But it would also stop this kind of attack.
2) Drop all outgoing traffic that has a spoofed source IP address. This is a very simple bit mask operation. Yes, it requires more compute power than not doing it, but not very much. The ISPs know what IP addresses they own, they can very easily prevent spoofed traffic from leaving their networks, effectively stopping this kind of attack, as well as other types of hacking. At the same time, it would still allow legitimate use of public DNS servers.
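The "simple bit mask operation" described in point 2, as an added example that is not code from the thread: an egress (BCP38) check that forwards a packet only if its source address, ANDed with each owned prefix's netmask, equals that prefix's network. The owned prefixes and the sample packets are constructed from RFC 5737 documentation ranges.

```python
"""BCP38-style egress filter: drop outbound packets whose source address is not
inside any prefix the network is responsible for. Added example; the ISP,
its prefixes and the packets are all constructed for illustration."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: prefixes this hypothetical ISP owns (RFC 5737 documentation ranges).
OWNED_PREFIXES = ["192.0.2.0/24", "203.0.113.0/25"]

Prefix = Tuple[int, int]  # (network as int, netmask as int)


def compile_prefixes(prefixes: List[str]) -> List[Prefix]:
    """Precompute (network, mask) integer pairs so the per-packet check is one AND and compare."""
    compiled = []
    for p in prefixes:
        net = ipaddress.IPv4Network(p, strict=True)
        compiled.append((int(net.network_address), int(net.netmask)))
    return compiled


def source_is_owned(src: str, compiled: List[Prefix]) -> bool:
    """The bit-mask test: src & mask == network for at least one owned prefix."""
    s = int(ipaddress.IPv4Address(src))
    return any((s & mask) == network for network, mask in compiled)


def egress_filter(packets: List[Dict[str, str]], compiled: List[Prefix]):
    """Split outbound packets into (forwarded, dropped); dropped ones carry a spoofed source."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_owned(pkt["src"], compiled) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample of outbound packets at the ISP's border. 198.51.100.5 stands in
# for a victim's address that a customer machine is forging as its source.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "8.8.8.8", "dport": "53"},      # legitimate query to a public resolver
    {"src": "198.51.100.5", "dst": "8.8.8.8", "dport": "53"},    # spoofed: not an owned address
    {"src": "203.0.113.100", "dst": "8.8.4.4", "dport": "53"},   # inside 203.0.113.0/25, legitimate
    {"src": "203.0.113.200", "dst": "8.8.4.4", "dport": "53"},   # outside the /25 (.128-.255), dropped
]


def run_sample() -> Tuple[List[str], List[str]]:
    """Apply the filter to the sample and return the forwarded and dropped source addresses."""
    compiled = compile_prefixes(OWNED_PREFIXES)
    forwarded, dropped = egress_filter(SAMPLE_PACKETS, compiled)
    return [p["src"] for p in forwarded], [p["src"] for p in dropped]


if __name__ == "__main__":
    fwd, drp = run_sample()
    print("forwarded:", fwd)
    print("dropped (spoofed source):", drp)
```

The same check applied at a transit peering point would need the peer's full prefix list rather than the provider's own, which is the complication a later comment in this thread raises about multi-homed peers.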
OpenDNS is a DNS service, whereas "open dns servers" were abused - but not at OpenDNS...
Nobody from Cyberbunker will go to jail for it most likely and they SHOULD go to jail....
To reply to myself... no it can't, it's non-recursive...
Um, not exactly... You can have an authoritative non-recursive DNS server that gives large responses to questions used in an amplification attack...
'dig a www.authoritative.domain @authoritative.domain.ip'
RESPONSE = 1000+ bytes follows...
Sure it could. If it is (mis)configured to allow a zone transfer, you could have a botnet send it zone transfer requests for your own domain with the source IP address spoofed to be your target. A little more complex setup than a recursive request, but you still get some good amplification. Do that on thousands or millions of DNS servers that aren't recursive, but allow zone transfers, and you still get a DDOS attack with very little input traffic. You could also do it on root servers (or any recursive server) by asking for MX records on a domain that has a bunch of MX records, like big ISPs. Not as much amplification as a zone transfer, but still some.
So really the only way to stop it is for ISPs to just stop traffic with spoofed source addresses from leaving their networks.
#2 is the right answer, be responsible for the traffic on your network.
#1 is the wrong answer. Too many ISPs fuck with DNS by returning IP addresses to advertising domains instead of NXDOMAIN.
Why not? Sure, it would be more difficult, as each request would have to be tailored to the DNS server it's using, but the same principle should apply: spoof the source address, request information (in this case something within the domain being hosted) and let the larger reply go to the spoofed (victim's) address.
The only thing preventing this is that it's more work than the easier current method of being able to send the same request to every name server, but there's no reason it couldn't still be done.
1) would be REALLY bad, and I hate anyone who would even consider such a solution.
2) I can't imagine why every ISP and transit provider doesn't already do this. This has been a known problem for over a decade, deal with it already!
You're confirming that I understood the article perfectly. The problem is in their choice of solution.
It seems there are 2 possible solutions.
1) get ISPs and transit providers to actually start blocking IP spoofing (something they all should have been doing years ago)
2) break the internet by banning all public resolvers.
Unfortunately the article seems to me to be advocating for number 2, which would harm many people, and just cause the attackers to continue to use IP spoofing on different services or protocols.
Fix number 1 and you fix a lot. Implement number 2, and you delay the issue by a few days while the attackers work around it.
It could, but only if they knew what domain your server was authoritative for when they picked your DNS server at random.
Your server would also have to be able to cough up a pretty big response to make it worthwhile.
If I have been able to see further than others, it is because I bought a pair of binoculars.
forgive my ignorance but the only Open DNS that I know of is http://www.opendns.com. I wonder if the article is talking about opendns.com. I didn't see any news releases on their website.
You simply configure your DNS server properly, including setting the networks it's allowed to resolve for. A nameserver can be both authoritative for certain domains globally, and also be recursive for specific hosts.
Of course, there's also the problem of DNS amplification using source address spoofing by requesting authoritative DNS records, but simply doing the above greatly mitigates the effectiveness of the attack.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Why is Cyberbunker judged to be an "illicit webhost" by Threat Post? If corporations are people, isn't that defamation of character?
Also, one has to wonder if it's negligence by the person installing the resolver, or by the person distributing the resolver.
What are the default values for source address verification and rate limiting? If having them both disabled is a problem, at least ONE of them should be on by default, requiring it to be explicitly DISabled by the user, and the config file should have a warning about WHY it's on/even there.
If the default configuration is vulnerable you can't expect a whole user population to ALL figure out ALL the fine details and tweak the configuration into safety the FIRST TIME and EVERY TIME. It should be safe (if crippled) out of the box and a warning obvious during the process of changing it to be less safe.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
And how many of these 200 + comments were appropriate to a story unrelated to hostfiles?
That was an internal dispute between the Allied Southern APK Schism and the Second Western APK Heresy. It was a private matter but unfortunately tempers reached a boiling point and things spilled over into public view. The New Central APK Orthodoxy stepped in a few days later & now everybody's back on civil terms. Don't post shit when you don't know a damn thing about APK culture and governmental structure.
I've been monitoring these threads so much that I've started recognizing repeat visitors. I dub you "LHC Guy".
One feature that would be nice would be to be able to restrict how much data my DNS server sends to a given IP (again, as noted above, MaraDNS/Deadwood already has a form of this because they do not support EDNS). Unfortunately, since I am not developing new features for MaraDNS like this without being compensated for my time, I would need a corporate or government grant to implement this. TANSTAAFL
MaraDNS is an open-source DNS server.
Makes no difference. BOTH of you should be forced to use a cholla cactus as a butt-plug.
Sure it could. If it is (mis)configured to allow a zone transfer, you could have a botnet send it zone transfer requests for your own domain with the source IP address spoofed to be your target. A little more complex setup than a recursive request, but you still get some good amplification.
You're less likely to do this by accident. Besides, a spoofed zone transfer will almost always fail on the TCP three-way handshake step.
Two other different things...
1) ISPs could drop outgoing TCP and UDP packets on port 53 from all their IP addresses except their own DNS servers. That would stop their customers from using public DNS servers outside their networks. But it would also stop this kind of attack.
It would also have a high collateral cost: diagnosing many DNS issues becomes impossible when you can only work with one recursive resolver (which may be what is causing the DNS issues!) It is necessary to access legitimate open resolvers and authoritative servers on any kind of Internet connection, even residential broadband (don't think of grandma but think of the tech helping grandma).
In short, we *need* TCP and UDP port 53 traffic unfiltered.
2) Drop all outgoing traffic that has a spoofed source IP address. This is a very simple bit mask operation. Yes, it requires more compute power than not doing it, but not very much. The ISPs know what IP addresses they own, they can very easily prevent spoofed traffic from leaving their networks, effectively stopping this kind of attack, as well as other types of hacking. At the same time, it would still allow legitimate use of public DNS servers.
This is what we need more of. Provided, of course, that it isn't applied in situations where it breaks things, but in those cases the customer is hopefully smart enough to implement their own filtering.
I posted that link twice a couple days ago, seeing if some of these posts were from the real APK or not, as he's usually so easy to troll with such things. Looks like some other boring imposter instead. But it is nice others have noticed and carried the flag on. Although I think it is a waste of time until the real APK shows up again. We are Legion... we are "LHC Guy."
Let's say I want to run a public DNS recursive server, that is, I want to allow anyone to issue a handful of queries for any arbitrary DNS records, and in addition to just serving up my own, I want to also service requests for whatever arbitrary thing they requested. Is there an easy way to rate limit these queries based on source IP address, to prevent abuse of this service I've chosen to offer?
How should one set that up?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
The statement that implied DNS servers can implement this is bunk. However BCP38 is the fix. The attack would have been impossible without spoofed IP source addresses.
An application/reflection denial of service attack is actually possible with SNMP and several other protocols. Even if all of the DNS servers were closed this attack could happen.
I wouldn't be surprised if that is APK trying to draw attention to himself, since he thinks such endless tirades are examples of him winning and make him look good. When people stop paying attention to him, or post actual counterpoints he can't come up with a response to, he'll post strawman troll postings to shoot down, sometimes just copy pasted from previous stories.
For sake of argument assume you are able to snap your fingers and miraculously all open resolvers have been locked down. What has been accomplished?
Will anyone still be able to issue legitimate DNS queries using a forged source address with impunity, for which the response is several times larger than the request? YES.
Will DNSSEC, with egregiously enormous amplification when configured entirely as recommended, simply go away? A man can dream. I doubt this will come to fruition.
The way I see it there are two solutions to this problem. BOTH need to be implemented.
1. Ingress filtering (AKA tools.ietf.org/html/bcp38) as TFA and many others here point out needs to be implemented with enough specificity to meaningfully raise the bar for successful source address spoofing.
2. All UDP protocols allowing amplification or resource exhaustion from spoofed source addresses need to be beaten with a clue stick for making the Internet worse than need be. There is NO EXCUSE.
It does not need to be perfect it only needs to not suck more than the underlying network.
We know how to do this. There are production protocols which get it right. The answer is stateless cookies. It might require an extra round trip once in a blue moon or a few extra CPU cycles to calculate HMACs... we can easily afford it.
In return we get UDP protocols at least as trustworthy as underlying transport. Protocols which can no longer be turned into weapons of mass deluge.
For DNS we have had reasonable solutions for years...yet we sit on our hands and nothing gets done...
http://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03
This can easily be phased in conjunction with DNS query rate limiting applicable for requests without cookies.
It seems to me all the money and political interest follow fools errands like DNSSEC which paradoxically makes the Internet we actually have right now less safe from denial of service.
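The stateless-cookie scheme this post sketches, combined with the per-source rate limit for cookie-less queries that an earlier question about running a public recursive resolver asked for, as an added example that is not code from the thread or from the draft. It models the exchange on both sides: the client sends a random client cookie, the server answers with an HMAC over the client cookie and the client's source IP under a server secret, and a later query carrying a verifiable server cookie bypasses the rate limit. The 16-byte truncation, the 5 queries/second limit, the addresses and the class names are assumptions.

```python
"""DNS cookies (stateless, HMAC-based) plus rate limiting of cookie-less queries.
Added example modelled on the idea in draft-eastlake-dnsext-cookies; the
truncation length, limit and addresses are constructed assumptions."""
import hashlib
import hmac
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Query:
    """Fields that matter here: IP-header source, question name, and the cookie option."""
    src_ip: str
    qname: str
    client_cookie: Optional[bytes] = None
    server_cookie: Optional[bytes] = None


class CookieServer:
    """Resolver side: stateless server cookies and a per-source limit for unverified queries."""

    def __init__(self, secret: bytes, limit_per_second: int = 5):
        self.secret = secret
        self.limit = limit_per_second
        self.unverified = defaultdict(list)  # src_ip -> times of cookie-less answers sent

    def server_cookie(self, client_cookie: bytes, src_ip: str) -> bytes:
        # Binding the source IP into the HMAC means a cookie issued to one address
        # does not verify when the same bytes arrive with a forged source address.
        mac = hmac.new(self.secret, client_cookie + src_ip.encode(), hashlib.sha256)
        return mac.digest()[:16]  # truncation length is an assumption

    def verified(self, q: Query) -> bool:
        if q.client_cookie is None or q.server_cookie is None:
            return False
        expected = self.server_cookie(q.client_cookie, q.src_ip)
        return hmac.compare_digest(q.server_cookie, expected)

    def under_limit(self, src_ip: str, now: float) -> bool:
        """Sliding one-second window of unverified answers already sent to this source."""
        recent = [t for t in self.unverified[src_ip] if now - t < 1.0]
        allowed = len(recent) < self.limit
        if allowed:
            recent.append(now)
        self.unverified[src_ip] = recent
        return allowed

    def handle(self, q: Query, now: float) -> Tuple[str, Optional[bytes]]:
        """Return (outcome, server cookie to include in the reply)."""
        if self.verified(q):
            # The sender has proven it receives packets at src_ip: full answer, no limit.
            return "ANSWER", self.server_cookie(q.client_cookie, q.src_ip)
        if not self.under_limit(q.src_ip, now):
            # Unproven source over its budget: send a tiny reply with TC=1 so a real
            # client retries over TCP, whose handshake a spoofer cannot complete.
            return "TRUNCATED", None
        cookie = self.server_cookie(q.client_cookie, q.src_ip) if q.client_cookie else None
        return "ANSWER", cookie


class Client:
    """Resolver client: one random client cookie per server, plus the last server cookie seen."""

    def __init__(self, ip: str):
        self.ip = ip
        self.client_cookie = os.urandom(8)
        self.server_cookie: Optional[bytes] = None

    def build(self, qname: str) -> Query:
        return Query(self.ip, qname, self.client_cookie, self.server_cookie)

    def learn(self, cookie: Optional[bytes]) -> None:
        if cookie is not None:
            self.server_cookie = cookie


def run_exchange() -> Dict[str, object]:
    """Legitimate client versus spoofed replay of its cookies; returns the server's outcomes."""
    server = CookieServer(secret=os.urandom(32), limit_per_second=5)
    legit = Client("192.0.2.10")   # constructed addresses (RFC 5737 ranges)
    victim_ip = "198.51.100.5"
    results: Dict[str, object] = {}

    # 1. First contact: no server cookie yet, answered within the limit and issued a cookie.
    outcome, cookie = server.handle(legit.build("example.com"), now=0.0)
    legit.learn(cookie)
    results["first_contact"] = outcome

    # 2. Subsequent queries carry a valid cookie: answered every time, never rate limited.
    results["with_cookie"] = [server.handle(legit.build("example.com"), now=0.1 + i)[0]
                              for i in range(10)]

    # 3. Spoofed burst: the client's cookie bytes replayed with the victim's source address.
    #    The HMAC was bound to 192.0.2.10, so verification fails and the limit applies.
    spoofed = [Query(victim_ip, "example.com", legit.client_cookie, legit.server_cookie)
               for _ in range(8)]
    results["spoofed"] = [server.handle(q, now=0.5)[0] for q in spoofed]
    return results


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(name, value)
```

Only the first five spoofed queries in the burst draw a full-size reply toward the victim; the rest get a truncated reply no larger than the request, so the amplification a forged source can extract is capped by the limit rather than by the attacker's send rate.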
Maybe this is over my head. But how would one run a "safe" DNS server then? My interpretation of the article basically says to let only specific people use your DNS server, but then how would a company run a public resolver?
The problem is one of degree. The theory is that if you don't offer a recursive resolver to the public, the amount of amplified output you get for your input is diminished compared to running a resolver, since you would respond to just whatever you're authoritative for.
Personally I don't buy much into this theory. There are enough ways to request an earful from enough properly configured servers that we can find much more effective things to be doing with our Internet fixing time.
It could, but only if they knew what domain your server was authoritative for when they picked your DNS server at random.
dig @$IP -x $IP should give you the hostname and thereby the domain of the DNS server.
You can easily run that command some time prior to the spoofing attack, the domain probably doesn't change that often.
It's not corrupt, the moderation system is working as intended. :)
It's not an attempt if it was done. :)
I do not believe that is a goal of his, but rather a side effect of his campaign against the super power known as APK. :)
Whoa, you just mentioned using something other than hosts files, you are clearly an imposter. :O
Change is certain; progress is not obligatory.
lack of EDNS support is a potential problem
"Potential" being the operative word. Truncated DNS packets still have enough information in them to answer DNS questions, and the only time I've really seen truncated packets is with some of the byzantine DNS packets Yahoo has.
DNSSEC support is critical
But not critical enough for someone to send me the money to make DNSSEC happen with MaraDNS: http://maradns.org/products.html It's really the same problem IPv6 has: All kinds of geeks talk about how great it would be if IPv6 were everywhere, but they don't put out the money for IPv6 to happen more quickly.
It's still possible to resolve domains and surf the web without DNSSEC. I know: MaraDNS 2.0 (Deadwood) is being used to resolve Slashdot.org (and all the other places I go) so I can make this posting. Yes, there are issues with someone with a packet sniffer forging DNS packets on the same network, and I do agree DNSSEC is needed on a larger network with infected machines, and is needed for a DNS server that calls itself secure, but it is working for me right now.
(For sites where forgery is a real problem, such as online banking, I use a special virtual machine and make sure the HTTPS certificate is kosher)
DNS resolvers should not be usable by the world.
Google, OpenDNS, and heck, Level3 disagree with you. That said, I mostly agree: That's why there are no examples in MaraDNS' documentation showing how to make a recursive nameserver globally resolvable, and why it has never been a default configuration in Mara.
Any DNS server that provides recursive DNS ought to not simultaneously provide authoritative DNS from the same service, or from the same IP.
That's the design MaraDNS 2.0 has: I removed the recursion from the "maradns" daemon and completely, from scratch, reimplemented recursion in a separate daemon, which has to run on a separate IP. Not one line of code is shared between the two.
I fully expect any government or corporate grants will go towards DNS server implementations that are more widely used
I understand your sentiment, but, software monoculture is a bad thing and software diversity is a good thing.
When DNS first showed up in the 1980s, there were a number of different implementations. By the time I started MaraDNS 12 years ago, there was only one usable open-source DNS server out there. When I finished MaraDNS, there were five or six (depending on whether Unbound/NSD counts as one or two) different actively maintained significant open-source DNS servers out there. That number has since gone down (none of the djbdns forks came out with a release that fixes CVE-2012-1191). I hope that number continues to be higher than one.
An attitude of "let's only support one DNS server" can return us to the world of a DNS monoculture. EDNS, DNSSEC, and all of these extensions to DNS do not help.
I don't like how CSS, Javascript, and HTML have become such a mess that it requires multi-million dollar grants to keep a browser current, and where Opera finally threw in the towel because they just couldn't keep up with the nonstop update treadmill browsers are on. Dillo doesn't even try to be current (I think they made a mistake trying to support CSS at all, but that's another discussion for another day).
While I disagree with DJB on a lot of things, I understand why he rejected DNSSEC and proposed DNSCURVE: He wanted to keep DNS simple, to keep DNS something that a single talented developer can implement in their spare time.
For better or for worse, DNSSEC won, and now DNS can no longer practically be implemented by a one-man show any more.
PowerDNS
I agree PowerDNS is a good choice, especially for people who want a database back end, but I'm disappointed it took them over a year to patch CVE-
MaraDNS is an open-source DNS server.
Actually, transit providers are one of the groups that can't reliably apply BCP38 or RPF. BCP38 and RPF are very easily applied at the edge, where you know specifically the IPs involved, since they're either connected or statically routed. Now, when you get into things over BGP, it gets dicey. You may see traffic over a BGP-managed link from an IP that isn't involved in the received prefixes, but yet still belongs to the specific peer. Is this an error? No. Is dropping the bits on the floor because you're not seeing that prefix an error? Most definitely. Not announcing a prefix over a link is a common traffic engineering practice, so this isn't an uncommon scenario. Another option to work around that would be to have a prefix-list with all of that peer's possible prefixes and build an ACL off that, but that's also not always tenable when you're potentially dealing with 1,000s or 10s of 1,000s of prefixes for the larger networks. Nice thing is, at this level, usually you can bust out the sFlow/NetFlow-fu and find out where the spoof is coming in from, and then whack it at that point.
But looking at the OpenResolver project list, when broken out by ASN, it really looks like a huge amount of those open recursors are CPE gear with WAN-facing DNS services, just based on the ASNs. China Telecom (AS4134), Uninet (AS8151) and Turk Telecom (AS9121) accounted for 3.5 million (15%) of the recursors alone.
TL;DR The grandparent complained about MaraDNS not having more features. He responded to my "show me the money" reply by saying "why should anyone pay you if you don't have more features". My reply: "Because DNS shouldn't be a monoculture".
(As an aside, I actually somewhat respect the parent poster because he does a reasonable job of articulating his points. His thinking is a little rigid and absolute "this is how it must be done" for my tastes, but he at least has clue, something becoming rarer and rarer as Slashdot slowly goes the way of the horse and buggy)
Another thing I forgot to add: Why use MaraDNS.
Since I have Karma to burn, and since it probably would be best if my Karma went to hell, discouraging me from wasting time on Slashdot, here's my thoughts on the negative moderations:
Sure, the first post came off as an ad. I wrote it too quickly, and I can see why a moderator didn't like it. I can also see why a moderator--perhaps the same one--didn't like the parent to this. A good number of Slashdot readers still live in that "everything should be free and no one has bills to pay since they all live in my mother's basement [1] like I do" neckbeard fantasyland probably don't like how I pointed out that it's going to take real money for MaraDNS to get DNSSEC or have rate limiting. They probably stopped there and moderated down (the post was also too long, but a long post deserves a long reply).
[1] In other cultures, multiple generations living under the same roof is normal; I feel the idea that a kid has to move out of the house at 18 to be a real man is one that is bad for families. It's actually in many ways good when a 45-year-old man still lives in his mother's basement, since he will become the one taking care of his aging mother instead of sending her to a nursing home.
OK, I'm out of Slashdot for the rest of 2013. I will not post here until the beginning of 2014. The moderators hath spoken and I really need to get out of the shithole Slashdot is becoming. MaraDNS is the past; it's time for me to make a new mark on the world!
MaraDNS is an open-source DNS server.
You're compounding two things. One is providing RECURSIVE RESOLUTION to clients and the other is providing an AUTHORITATIVE NAMESERVICE for particular zones. I'll explain the two briefly:
1. Recursive resolver - this is a nameserver that you can ask to resolve any domain name and it'll do just that. If it isn't authoritative for it (meaning you RUN the zone and it's in a config file locally) it will go through the recursive resolution process for you. It will look at its root hints, talk to the root name servers, find the TLD zone, ask for the next nameserver to ask and on down the chain. This is "recursive resolution"; it's how clients find things on the internet. This is the dangerous thing and what you want to secure. You can do this in BIND for example by writing a BIND ACL and only allowing recursion to clients you trust, typically the RFC 1918 address space (aka "private IP addresses").
2. Authoritative Nameserver - this is what you put on the internet if you want to run your own nameservice for your domains. This will only answer questions to clients about domains that it runs specifically. So if you own abc.com and a client asks about www.abc.com it will provide the answer. If you ask it to resolve google.com it will kindly tell you to fuck off (or possibly provide root hints, by an old convention).
Actually, I wasn't confusing the 2 at all. But I don't think that we should be banning public resolvers and forcing people to use the resolver operated by their ISP when those resolvers have frequently been messed with for profit by the companies running them. The article would propose killing OpenDNS, Google DNS, and many, many more.
The correct solution is not to break the internet by banning a harmless and very useful feature, but to fix the internet by blocking IP spoofing. Why on earth are there any ISPs out there that still allow spoofed traffic off their network? This is not a new issue, and should have been fixed ages ago.
DNS used to not be a threat; that's been changing. Rate limiting wasn't an issue. Source address verification was a problem for ISP routers (to prevent address spoofing), but it wasn't a problem for recursive DNS servers (who were willing to serve anybody, not just their own customers), and it especially wasn't a problem for authoritative DNS servers, because they're supposed to tell anybody the address for www.yourdomain.com, and aren't in the right part of the network to verify whether a UDP DNS request came from a forged address (that's an edge problem, not a center problem.)
Unfortunately, it's easy to have DNS configurations where a response is larger than the query (sometimes even a lot larger.) The emerging standards have been to require TCP if the responses don't fit in a single UDP packet, but not everybody supports it (and since not all clients support it, servers can't always enforce it), but even then there's a sweet spot where you can still send a request that's under 100 bytes and get up to 576 bytes of response (or sometimes even 1500), depending on what records the DNS server is configured for.
And rate limiting is a server software feature, but record sizes available for querying are very much a user data issue.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
An ISP can filter out spoofed UDP packets just as easily as spoofed TCP packets - the filtering happens at the IP layer in the router, not at the transport or application layer. Unfortunately, as another Anonymous Coward points out, it has to be done at/near the ISP where the spoofed packets originated, and that ISP may be spammer-friendly and have an upstream that's not enforcing anti-spam policies or using strict-mode uRPF (because that's something that normally you don't do except on leaf nodes.)
An authoritative DNS server can't do much about spoofing except rate-limit and try to keep response sizes small, but a recursive DNS server can do more than that. If you're an ISP providing DNS resolution for your customers, and you filter it so you ONLY accept requests from your customers' addresses, somebody can still use your DNS server to spoof attacks against your customers, but can't use it to attack people who aren't your customers. It's a good start.
Bill Stewart
If you read my later posts in this thread, you'll see that I agree that source address filtering should be our #1 concern.
With that said, there are ways to provide recursive DNS resolution to clients openly, but without being used as an attack vector. Specifically by rate limiting the requests.
The reason ISPs are allowing spoofed traffic is simply one of two things: ignorance or laziness. It's very easy to write an ACL that mirrors your BGP announcements then apply that as an outbound filter at your peering points. It's absolutely as trivial as it sounds. The Tier 1 carriers need to start de-peering anyone who's found to not filter traffic they're not announcing.
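The two filters the posts above describe, a BCP38 egress ACL mirroring the ISP's own announcements and a strict-mode uRPF check, as an added example that is not part of any post in this thread. The prefixes, the FIB and the packets are constructed for the example; the egress ACL rejects any source the ISP does not announce, and the uRPF check shows why strict mode only fits single-homed links.

```python
import ipaddress

# Constructed example: the prefixes this ISP announces in BGP (assumed values).
ANNOUNCED_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed example traffic leaving the ISP: (source, destination).
# 192.0.2.10 is the victim's address; nothing inside this ISP legitimately uses it.
EGRESS_PACKETS = [
    ("203.0.113.7", "192.0.2.53"),    # customer host, legitimate source
    ("192.0.2.10", "8.8.8.8"),        # spoofed: victim's address as source
    ("198.51.100.22", "9.9.9.9"),     # customer host, legitimate source
    ("192.0.2.10", "198.51.100.53"),  # spoofed, aimed at an open resolver
]

def build_egress_acl(announced):
    """BCP38 egress ACL: permit exactly the prefixes we announce, deny everything else."""
    return [ipaddress.ip_network(p) for p in announced]

def egress_permits(acl, src_ip):
    """True if a packet with this source address may leave the network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in acl)

def filter_egress(acl, packets):
    """Split outbound packets into (forwarded, dropped) as the peering-edge filter would."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if egress_permits(acl, src) else dropped).append((src, dst))
    return forwarded, dropped

# Constructed FIB for the strict-mode uRPF check: (prefix, next-hop interface).
FIB = [
    (ipaddress.ip_network("203.0.113.0/24"), "cust-a"),
    (ipaddress.ip_network("198.51.100.0/24"), "cust-b"),
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
]

def strict_urpf_ok(fib, src_ip, ingress_iface):
    """Strict uRPF: accept only if the longest-match route back to the source
    points out the interface the packet arrived on."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, iface in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == ingress_iface

if __name__ == "__main__":
    acl = build_egress_acl(ANNOUNCED_PREFIXES)
    fwd, drp = filter_egress(acl, EGRESS_PACKETS)
    print("forwarded:", fwd)
    print("dropped (spoofed):", drp)
    # A customer's own address arriving on its own link passes...
    print(strict_urpf_ok(FIB, "203.0.113.7", "cust-a"))   # True
    # ...a spoofed victim address arriving on a customer link does not...
    print(strict_urpf_ok(FIB, "192.0.2.10", "cust-a"))    # False
    # ...but the same customer address on a second (multi-homed) link is also
    # refused, which is why strict mode is only safe on single-homed leaf links.
    print(strict_urpf_ok(FIB, "203.0.113.7", "cust-b"))   # False
```

The egress ACL is the cheap, always-correct half: it needs nothing but the prefix list the ISP already puts in BGP. The uRPF half is what you get for free on a router, but the last call shows the failure mode: a customer that is homed on both cust-a and cust-b has its legitimate traffic on the non-best link dropped, so strict mode belongs on single-homed edges only.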
Sure, all ISPs ought to be following BCP38 and blocking spoofed-source packets, and at $DAYJOB we've been doing it since the mid 90s, but for some reason spammer-friendly ISPs don't do that. And you can't properly run strict-mode uRPF except on single-homed customers.
But there are two kinds of DNS servers - authoritative, and recursive. Authoritative servers are the ones that domain name owners use to resolve queries about their own domains, and they're supposed to reply to everybody who asks. They can do things like rate-limiting responses, and trying to configure their data so that small queries only get large responses over TCP, not UDP, which makes spoofing much much harder, but that does require careful administration.
Recursive DNS servers are the ones that ISPs, Enterprises, and sometimes even individuals use so that end users can send one query for www.foo.bar.com and have somebody else do the work of querying the different servers that handle the root, .com, bar.com, foo.bar.com, and www.foo.bar.com, and ideally keep a cache so that most of those names are remembered locally instead of needing queries. An "Open Recursive DNS server" will accept recursive queries from anybody, but you really don't have to do that - you can limit your servers to accepting queries from your own users. That doesn't prevent somebody from using spoofed UDP DNS requests to attack your users, but it does prevent them from using your DNS server to do spoofed attacks against people who aren't your users, keeping the internet safer for everybody.
There are businesses who have good reasons for running open DNS servers - half the machines in my lab are configured to use Google's 8.8.8.8 because it's an easy-to-remember number and because different parts of my lab aren't always connected in ways that let them reach my corporate DNS servers. I don't know the architecture of Google's DNS servers, but my guess is that they've got lots of servers deployed over anycast, and that they've probably done their own anti-spoofing so they'll only send out replies over the connections the requests came from.
Bill Stewart
You're still missing the point. Some companies who do not run public resolvers but are still answering recursive queries need to configure their servers so that this stops. We don't need millions of Google DNS, and the low number of companies that do want to get involved in that sort of thing can take their own measures to reduce the damage they cause.
How is an accidental public resolver an issue if IP spoofing is impossible?
Unfortunately many common DNS packages do not include rate limiting options. I wouldn't blame this on the admins running those machines as much as on the package maintainers who don't seem to think that's an important feature.
Are you seriously asking why a potential DoS is an issue?
And there are classes of attack that do not require IP spoofing.
I don't believe this should be handled by the DNS software. We shouldn't have to add rate-limiting code into every individual service we run. It's easily implemented using a firewall. Even iptables (software firewall) supports rate limiting:
http://wiki.opennicproject.org/IPTablesRulesToBlockDDOSTraffic
http://falkhusemann.de/blog/2012/07/iptables-dns-query-limiting-with-burst-rate/
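The per-source rate limiting that several posts above ask for (as a server feature, or in front of the server with iptables), as an added example that is not from any post or from the linked pages. It models the semantics of the iptables hashlimit match (a steady rate plus a burst, keyed on the source address or a source prefix) and runs it over constructed query traffic: one honest client at a query per second and one spoofed "victim" source sending 40 queries in 400 ms. The rate and burst values are assumptions chosen for the example.

```python
import ipaddress

class HashLimit:
    """Per-source token bucket with the semantics of iptables' hashlimit match:
    a steady rate (--hashlimit-upto) plus a burst allowance (--hashlimit-burst),
    keyed on the source address or an aggregate prefix (--hashlimit-srcmask).
    Time is integer milliseconds and tokens are kept in thousandths, so the
    arithmetic is exact and the burst boundary is not subject to float drift."""

    def __init__(self, rate_qps, burst, srcmask=32):
        self.rate_qps = rate_qps          # refill: rate_qps millitokens per ms
        self.burst = burst * 1000         # bucket capacity in millitokens
        self.srcmask = srcmask
        self.buckets = {}                 # key -> (millitokens, last_seen_ms)

    def key_for(self, src_ip):
        """Bucket key: the source aggregated to the configured prefix length."""
        return str(ipaddress.ip_network(f"{src_ip}/{self.srcmask}", strict=False))

    def allow(self, src_ip, now_ms):
        """Spend one token for this source if available; otherwise report a drop."""
        key = self.key_for(src_ip)
        tokens, last = self.buckets.get(key, (self.burst, now_ms))
        tokens = min(self.burst, tokens + (now_ms - last) * self.rate_qps)
        if tokens >= 1000:
            self.buckets[key] = (tokens - 1000, now_ms)
            return True
        self.buckets[key] = (tokens, now_ms)
        return False

def constructed_queries():
    """Constructed traffic: (ms, source, qname, qtype). One real client sends a
    query a second; a spoofed 'victim' source sends 40 queries in 400 ms."""
    events = [(i * 1000, "203.0.113.5", "www.example.com", "A") for i in range(3)]
    events += [(k * 10, "192.0.2.10", "example.com", "TXT") for k in range(40)]
    return sorted(events, key=lambda e: e[0])

def apply_rrl(limiter, events):
    """Run every query through the limiter; return {source: (answered, dropped)}."""
    stats = {}
    for ts, src, _qname, _qtype in events:
        answered, dropped = stats.get(src, (0, 0))
        if limiter.allow(src, ts):
            stats[src] = (answered + 1, dropped)
        else:
            stats[src] = (answered, dropped + 1)
    return stats

if __name__ == "__main__":
    limiter = HashLimit(rate_qps=5, burst=10)
    for src, (a, d) in apply_rrl(limiter, constructed_queries()).items():
        print(f"{src}: answered {a}, dropped {d}")
```

At 5 queries per second with a burst of 10, the honest client is never touched while the spoofed source gets 11 of its 40 queries answered and 29 dropped, which caps what this one server contributes to the flood. Keying on a /24 (srcmask=24) stops an attacker from spreading spoofed sources across a victim's whole block to dodge the per-address bucket. The limiter only bounds the damage: it still accepts the spoofed queries, and a low per-server rate across many open resolvers still adds up, which is why source address filtering remains the fix and this is the mitigation.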
THIS is why he's doing it & proof of it, here -> http://interviews.slashdot.org/comments.pl?sid=3585927&cid=43295193 when others pointed out Jeremiah Cornelius forgot to submit one of the "first post spams" (masquerading as myself, by posting as AC & using some old posts of mine or other b.s. he put up), & JC mistakenly submitted one of the impersonations of myself as his registered 'luser' name here on /. forums.
Pretty pitiful actually, but like every up to no good idiot does? He screwed up & submitted it under his registered 'luser' name here, instead of his ac submittals he's been doing.
* Jeremiah Cornelius: DO YOURSELF, and the rest of us, A GIANT FAVOR MAN: Seek professional psychiatric help!
(Since Jeremiah Cornelius obviously can't get over the fact he made a spelling error on what it is HE ALLEGEDLY DID FOR A LIVING? That's not MY fault... it's HIS!)
APK
P.S.=> I seriously must have dusted JC (in his mind @ least) for his BAD spelling error & it "got his goat"...
I.E.-> Catching what he claimed to do as a job, for YEARS he left "PENETRATION" (correct) spelled as "PENTRATION" (incorrect) on his resume on LinkedIn & I pointed it out as he & his friends trolled me as usual (webmistressrachel, gmhowell, & crew (probably ALL JC no doubt using alternate emails or TOR to do it as a possible - I've caught "them & theirs" doing it before, ala Barbara, not Barbie = TomHudson (same person))).
So THAT is what has gotten his goat in a technical debate & his "geek angst" could only come up with *trying* to "impersonate me" in every news thread on /. for the month of March 2013 so far!
(Just to attempt to 'discredit me' as a spammer here obviously)
Doing so, by posting that "$10,000 challenge" &/or reposts of my old posts on hosts file value to end users into EVERY SINGLE NEWS ARTICLE POSTED on /. ...
It's all I can think of that *might* cause such a mentally troubled 'reaction' like the Jeremiah Cornelius is doing & there's NO QUESTION he's the one doing this spamming of nearly every posted article masquerading as myself...!
... apk