Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks

msm1267 writes with an excerpt From Threat Post: "While the big traffic numbers and the spat between Spamhaus and illicit webhost Cyberbunker are grabbing big headlines, the underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland. Open resolvers do not authenticate a packet-sender's IP address before a DNS reply is sent back. Therefore, an attacker that is able to spoof a victim's IP address can have a DNS request bombard the victim with a 100-to-1 ratio of traffic coming back to them versus what was requested. DNS amplification attacks such as these have been used lately by hacktivists, extortionists and blacklisted webhosts to great success." Running an open DNS resolver isn't itself always a problem, but it looks like people are enabling neither source address verification nor rate limiting.

Accidentally, or not?

[six025]

Running an open DNS resolver isn't itself always a problem, but it looks like people are enabling neither source address verification nor rate limiting.

One has to wonder if this is caused by negligence, or if it's more a case of "oopsie, we left this door open, oh well" - which would be a great way to set up nodes around the 'net specifically to allow these types of attacks to occur.

Not saying that is right or wrong - asking a genuine question.

Peace,
Andy.

Hoax?

[Ubi_NL]

I know Its not the primary topic here,, but gizmodo has some evidence that the whole cyberbunker thing is a fake

http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie

By Design

DNS resolvers were originally intended to be open. There was no reason for them not to be. But furthermore, the recursive functionality of DNS made open resolvers a near requirement. This has changed a little and slowly over the years, but it's still largely the case.

Now compound the above with the fact that neither of the two most widely used DNS servers on the planet, BIND and MicrosoftDNS(That's right Bernstein fans so STFU.), check requesting source address validity. It's not in the spec, so why should they?

This attack suggests that the spec needs refinement, but don;t go blaming people for doing what has been accepted best practice for the past 20 years or more.

Re:By Design

[Alex+Pennace]

DNS resolvers were originally intended to be open. There was no reason for them not to be. But furthermore, the recursive functionality of DNS made open resolvers a near requirement. This has changed a little and slowly over the years, but it's still largely the case.

[...] It's not in the spec, so why should they?

The changing environment now calls for doing things that weren't done years ago. We have already crossed this bridge with open email relays; this isn't necessarily the case here (the real problem is the lack of IP spoofing protection), but it would be nice for administrators to realize that they may have an open resolver. Many of them will decide that there is no point in offering free DNS resolution services to the whole world and take steps to restrict access. Some will decide that they want to continue offering it; more power to them.

Far from being a requirement, a DNS resolver works just fine if it isn't wide open.

This attack suggests that the spec needs refinement, but don;t go blaming people for doing what has been accepted best practice for the past 20 years or more.

I wouldn't go as far as to accuse them of malfeasance or negligence, particularly since the real problem is lack of BCP38 compliance. So lets not do that. Instead lets educate administrators and permit them to make their own decisions; in this case the decision will likely be to restrict.