Slashdot Mirror


Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks

msm1267 writes with an excerpt From Threat Post: "While the big traffic numbers and the spat between Spamhaus and illicit webhost Cyberbunker are grabbing big headlines, the underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland. Open resolvers do not authenticate a packet-sender's IP address before a DNS reply is sent back. Therefore, an attacker that is able to spoof a victim's IP address can have a DNS request bombard the victim with a 100-to-1 ratio of traffic coming back to them versus what was requested. DNS amplification attacks such as these have been used lately by hacktivists, extortionists and blacklisted webhosts to great success." Running an open DNS resolver isn't itself always a problem, but it looks like people are enabling neither source address verification nor rate limiting.
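The two defensive controls the summary names, detecting the spoofed-victim pattern and rate limiting the replies, as an added example that is not code from Slashdot, Threat Post or any resolver project. It parses a constructed resolver log (the format, the addresses from RFC 5737 documentation ranges, and the byte counts are all invented for the example), computes the bytes-out to bytes-in ratio per client address, and then runs the replies through a per-client response rate limiter modelled on the "slip" behaviour of BIND's RRL, where an over-limit reply is occasionally sent truncated so a genuine client falls back to TCP while a spoofed victim is simply not flooded.

```python
from collections import defaultdict, namedtuple

# Constructed sample log (not a real server's format):
#   <unix_ts> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>
# 198.51.100.7 plays the spoofed "victim": eight large ANY replies land on it
# within one second. The other two clients are ordinary lookups.
SAMPLE_LOG = """\
1364400000.01 203.0.113.5 www.example.com A 45 61
1364400000.20 198.51.100.7 example.net ANY 37 3362
1364400000.21 198.51.100.7 example.net ANY 37 3362
1364400000.22 198.51.100.7 example.net ANY 37 3362
1364400000.23 198.51.100.7 example.net ANY 37 3362
1364400000.24 198.51.100.7 example.net ANY 37 3362
1364400000.25 198.51.100.7 example.net ANY 37 3362
1364400000.26 198.51.100.7 example.net ANY 37 3362
1364400000.27 198.51.100.7 example.net ANY 37 3362
1364400000.50 203.0.113.5 mail.example.com MX 48 90
1364400000.80 203.0.113.9 example.org AAAA 44 72
"""

Record = namedtuple("Record", "ts client qname qtype query_bytes response_bytes")

def parse_log(text):
    """Parse the constructed log format into Record tuples, skipping bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, qname, qtype, qb, rb = parts
        records.append(Record(float(ts), client, qname, qtype, int(qb), int(rb)))
    return records

def amplification_by_client(records):
    """Bytes sent to each client address divided by bytes received from it.

    A spoofed victim shows a ratio far above 1: the attacker chooses queries
    (ANY, DNSSEC-signed names) whose replies dwarf the request.
    """
    sent, received = defaultdict(int), defaultdict(int)
    for r in records:
        sent[r.client] += r.response_bytes
        received[r.client] += r.query_bytes
    return {c: sent[c] / received[c] for c in sent}

def find_amplification_targets(records, ratio_threshold=20.0, min_queries=5):
    """Clients that look like spoofed victims: many queries, high amplification."""
    counts = defaultdict(int)
    for r in records:
        counts[r.client] += 1
    ratios = amplification_by_client(records)
    return sorted(c for c, ratio in ratios.items()
                  if ratio >= ratio_threshold and counts[c] >= min_queries)

class ResponseRateLimiter:
    """Per-client response rate limiting in the style of BIND's RRL.

    Over-limit replies are dropped, except that every `slip`-th one is sent
    as a truncated (TC=1) reply: a spoofed victim ignores it, while a real
    client retries over TCP, which cannot be spoofed the same way.
    Buckets are whole seconds and are never purged (a simplification).
    """

    def __init__(self, responses_per_second=5, slip=2):
        self.limit = responses_per_second
        self.slip = slip
        self._window = defaultdict(int)   # (client, whole second) -> replies so far

    def decide(self, client, ts):
        """Return 'send', 'truncate' or 'drop' for one reply to `client`."""
        key = (client, int(ts))
        self._window[key] += 1
        n = self._window[key]
        if n <= self.limit:
            return "send"
        over = n - self.limit
        if self.slip and over % self.slip == 0:
            return "truncate"
        return "drop"

def apply_rrl(records, responses_per_second=5, slip=2):
    """Run the limiter over a log: {client: {'send': n, 'truncate': n, 'drop': n}}."""
    rrl = ResponseRateLimiter(responses_per_second, slip)
    outcome = defaultdict(lambda: {"send": 0, "truncate": 0, "drop": 0})
    for r in records:
        outcome[r.client][rrl.decide(r.client, r.ts)] += 1
    return dict(outcome)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, ratio in amplification_by_client(recs).items():
        print(f"{client:15} amplification {ratio:6.1f}x")
    print("suspected victims:", find_amplification_targets(recs))
    print("RRL outcome:", apply_rrl(recs))
```

On the sample the victim address shows roughly 91x amplification and is the only client flagged; with a limit of five replies per second it gets five replies, one truncated reply and two drops, while the ordinary clients are untouched. In a real deployment the equivalent knobs are the resolver's own (BIND 9 exposes this as `rate-limit { responses-per-second 5; slip 2; };` and restricts who may recurse with `allow-recursion`), and rate limiting only caps the damage: the spoofing itself is stopped upstream by ingress source-address filtering (BCP 38) at the network edge, which is the "source address verification" the story refers to.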

1 of 179 comments

  1. Re:Article is garbage by Synerg1y · Score: 0, Flamebait

    Rofl, why is this discussion at the bottom, and a bunch of newbs asking why a bunch of open DNS admins haven't done anything about it up top? I don't get slashdot techies anymore, except the consensus they're all stupid.

    There's no point to spoofing out IP addresses at the edge of the network when the throughput is choked; it won't do anything. You can keep dropping them and turn off SYN to keep internal communication up with the edge, but the way out is clogged.

    In regards to Open DNS servers and not doing IP verification, I'd imagine that has to do with the amount of resources available to them.

    Rate limiting would help, but one day may block legitimate users as internet use expands.

    Out of all those though, rate limiting seems to make the most sense and is the lesser of the evils.