Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks
msm1267 writes with an excerpt from Threat Post: "While the big traffic numbers and the spat between Spamhaus and illicit webhost Cyberbunker are grabbing big headlines, the underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland. Open resolvers do not authenticate a packet-sender's IP address before a DNS reply is sent back. Therefore, an attacker that is able to spoof a victim's IP address can have a DNS request bombard the victim with a 100-to-1 ratio of traffic coming back to them versus what was requested. DNS amplification attacks such as these have been used lately by hacktivists, extortionists and blacklisted webhosts to great success."
Running an open DNS resolver isn't itself always a problem, but it looks like people are enabling neither source address verification nor rate limiting.
In before the fight between those two guys and their walls of text...
> Running an open DNS resolver isn't itself always a problem, but it looks like people are enabling neither source address verification nor rate limiting.
One has to wonder if this is caused by negligence, or if it's more a case of "oopsie, we left this door open, oh well" - which would be a great way to set up nodes around the 'net specifically to allow these types of attacks to occur.
Not saying that is right or wrong - asking a genuine question.
Peace,
Andy.
It claims that the problem is DNS resolvers that don't authenticate the sender's IP address using BCP38. It is comparing chalk and cheese. Filtering out spoofed IP addresses is something that needs to happen at the edge of the network. It's not something that a single server on the network can do.
I know it's not the primary topic here, but Gizmodo has some evidence that the whole Cyberbunker thing is a fake:
http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie
If an experiment works, something has gone wrong.
There are over 25 million known open DNS resolvers that can be used in DNS amplification attacks. Directly contacting the administrators of all the servers used in the attack is not a tractable problem.
It sounds like the solution is to send out a huge amount of unsolicited email.
Oh, wait ...
Because the DNS servers are doing nothing wrong.
The problem is that people can spoof source addresses (because ISPs aren't stopping it). Fix this issue, and you'll still have to worry about any of a million other scenarios where a small request gets a lot of data back.
All you have to do is make sure source addresses are filtered when they hit the ISP, and the huge majority of these issues (as well as being able to cloak where an attack came from) go away.
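The ingress filtering the post above describes (BCP38: an ISP forwards a customer's packet only if its source address is one the ISP actually assigned to that customer) is simple enough to show as a decision rule. The block below is an added illustration, not code from the post or from any router vendor; the customer prefixes and the packet list are constructed sample data, and the `bcp38_verdict` / `filter_packets` names are my own.

```python
import ipaddress

# Constructed example: prefixes the ISP has assigned to one customer-facing interface.
# A BCP38 ingress filter on that interface forwards a packet only if its source address
# belongs to one of these prefixes; any other source is treated as spoofed and dropped.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def bcp38_verdict(src_ip, assigned_prefixes):
    """Return 'forward' if src_ip is legitimately sourced from this interface, else 'drop'."""
    addr = ipaddress.ip_address(src_ip)
    # Only compare against prefixes of the same IP version as the source address.
    if any(addr in net for net in assigned_prefixes if net.version == addr.version):
        return "forward"
    return "drop"


def filter_packets(packets, assigned_prefixes):
    """Apply the rule to (src, dst) pairs; return (verdicts, number_dropped)."""
    verdicts = [(src, dst, bcp38_verdict(src, assigned_prefixes)) for src, dst in packets]
    dropped = sum(1 for _, _, v in verdicts if v == "drop")
    return verdicts, dropped


# Constructed traffic sample: two genuine customer packets and two whose source address
# lies outside the customer's allocation, which is what a spoofed reflection query looks
# like at the ISP edge (destination 198.51.100.53 stands in for some resolver).
SAMPLE_PACKETS = [
    ("203.0.113.45", "198.51.100.53"),
    ("2001:db8:1::10", "2001:db8:ffff::53"),
    ("198.51.100.7", "198.51.100.53"),   # source not assigned to this interface
    ("192.0.2.200", "198.51.100.53"),    # source not assigned to this interface
]

if __name__ == "__main__":
    verdicts, dropped = filter_packets(SAMPLE_PACKETS, CUSTOMER_PREFIXES)
    for src, dst, verdict in verdicts:
        print(f"{src:>16} -> {dst:<18} {verdict}")
    print(f"dropped {dropped} of {len(SAMPLE_PACKETS)} packets")
```

The point of the rule is where it runs: it only works at the edge that knows which prefixes belong to which customer, which is why a resolver operator cannot apply it on their own server.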
> There are over 25 million known open DNS resolvers that can be used in DNS amplification attacks. Directly contacting the administrators of all the servers used in the attack is not a tractable problem.
> It sounds like the solution is to send out a huge amount of unsolicited email.
> Oh, wait ...
Well we could do a kickstarter, and hire our friends at Cyberbunker to host the email sending...
> Because the DNS servers are doing nothing wrong.
> The problem is that people can spoof source addresses (because ISPs aren't stopping it). Fix this issue, and you'll still have to worry about any of a million other scenarios where a small request gets a lot of data back.
> All you have to do is make sure source addresses are filtered when they hit the ISP, and the huge majority of these issues (as well as being able to cloak where an attack came from) go away.
Actually, they are. The feature being leveraged here is that the servers are performing recursive lookups for domains that they do not control for the open Internet; BIND turns this off, by default, starting with version 9.4. The problem is that a lot of 9.3.X and older DNS servers are still out there, as well as a lot of bad network architecture jobs. The servers should only handle recursion for IP addresses that are on the inside. And as for the spoofing? Well, ingress filtering is trivial to do at the border. And these two things in concert shut this problem down entirely.
For your security, this post has been encrypted with ROT-13, twice.
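The check an administrator would run to find out whether their own server recurses for the outside world, and the "small request, big answer" ratio the summary talks about, come down to a few DNS header bits. The block below is an added example, not code from the thread or from BIND: it builds a recursive (RD=1) query for a name the server is not authoritative for, then classifies a reply by its QR, RA and RCODE fields. Because it has to run offline, the two replies are constructed here with a helper rather than received from a real server; `example.test`, the transaction id and the record counts are made-up values, and all function names are mine.

```python
import struct

# RFC 1035 values used below.
TYPE_A = 1
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def encode_name(name):
    """Encode a dotted hostname into DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Build a recursive query: the kind a resolver-check tool sends from outside."""
    flags = 0x0100  # RD set: ask the server to recurse on our behalf
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(pkt):
    """Pull the fields that matter for the recursion check out of a 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # 1 = this is a response
        "ra": bool(flags & 0x0080),     # recursion available
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify_response(query, response):
    """Say what a reply reveals about the server's recursion policy."""
    if len(response) < 12:
        return "invalid"
    h = parse_header(response)
    if not h["qr"] or h["id"] != parse_header(query)["id"]:
        return "invalid"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"            # recursion restricted: what you want to see from outside
    if h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open-recursive"     # it answered for a name it does not control
    return "other"


def amplification_factor(query, response):
    """Bytes returned per byte sent: the ratio the summary calls 100-to-1 for big answers."""
    return len(response) / len(query)


def constructed_response(query, rcode, ra, answers):
    """Constructed stand-in for a server reply: echo the question, append `answers` A records."""
    txid = parse_header(query)["id"]
    flags = 0x8000 | (0x0080 if ra else 0) | rcode
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)
    rr = b""
    for i in range(answers):
        # name pointer to offset 12 (the question name), type A, class IN, TTL 300, 4-byte address
        rr += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, i])
    return header + question + rr


def demo():
    q = build_query("example.test")
    open_reply = constructed_response(q, RCODE_NOERROR, ra=True, answers=20)
    locked_reply = constructed_response(q, RCODE_REFUSED, ra=False, answers=0)
    return {
        "open": classify_response(q, open_reply),
        "locked": classify_response(q, locked_reply),
        "open_factor": round(amplification_factor(q, open_reply), 1),
        "locked_factor": round(amplification_factor(q, locked_reply), 1),
    }


if __name__ == "__main__":
    print(demo())
```

A 30-byte query here draws a 350-byte constructed answer, so even twenty A records give better than 10-to-1; real-world ratios are higher for large record sets, which is why restricting recursion to inside addresses (the "refused" branch above) matters for anyone who does not intend to run a public resolver.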
DNS resolvers were originally intended to be open. There was no reason for them not to be. But furthermore, the recursive functionality of DNS made open resolvers a near requirement. This has changed a little and slowly over the years, but it's still largely the case.
[...] It's not in the spec, so why should they?
The changing environment now calls for doing things that weren't done years ago. We have already crossed this bridge with open email relays; this isn't necessarily the case here (the real problem is the lack of IP spoofing protection), but it would be nice for administrators to realize that they may have an open resolver. Many of them will decide that there is no point in offering free DNS resolution services to the whole world and take steps to restrict access. Some will decide that they want to continue offering it; more power to them.
Far from being a requirement, a DNS resolver works just fine if it isn't wide open.
This attack suggests that the spec needs refinement, but don't go blaming people for doing what has been accepted best practice for the past 20 years or more.
I wouldn't go as far as to accuse them of malfeasance or negligence, particularly since the real problem is lack of BCP38 compliance. So let's not do that. Instead let's educate administrators and permit them to make their own decisions; in this case the decision will likely be to restrict.