Slashdot Mirror

← Back to Stories (view on slashdot.org)

Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks

Posted by Unknown on from the check-your-sources dept.

msm1267 writes with an excerpt From Threat Post: "While the big traffic numbers and the spat between Spamhaus and illicit webhost Cyberbunker are grabbing big headlines, the underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland. Open resolvers do not authenticate a packet-sender's IP address before a DNS reply is sent back. Therefore, an attacker that is able to spoof a victim's IP address can have a DNS request bombard the victim with a 100-to-1 ratio of traffic coming back to them versus what was requested. DNS amplification attacks such as these have been used lately by hacktivists, extortionists and blacklisted webhosts to great success." Running an open DNS resolver isn't itself always a problem, but it looks like people are enabling neither source address verification nor rate limiting.

8 of 179 comments (clear)

  1. First post by Anonymous Coward · · Score: 5, Funny

    In before the fight between those two guys and their walls of text...

    1. Re:First post by noh8rz10 · · Score: 4, Funny

      maybe if the routers had been configured with HOSTS FILES then all of this could have been avoided...

  2. Article is garbage by Anonymous Coward · · Score: 5, Insightful

    It claims that the problem is DNS resolvers that don't authenticate the sender's IP address using BCP38. It is comparing chalk and cheese. Filtering out spoofed IP addresses is something that needs to happen at the edge of the network. It's not something that a single server on the network can do.

  3. Hoax? by Ubi_NL · · Score: 4, Interesting

    I know Its not the primary topic here,, but gizmodo has some evidence that the whole cyberbunker thing is a fake

    http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie

    --

    If an experiment works, something has gone wrong.
  4. Re:Accidentally, or not? by Anonymous Coward · · Score: 5, Insightful

    Isn't the real problem the originating ISPs for allowing spoofed packets to be sent in the first place? Is it really correct to be blaming the DNS resolver that it's responding to packets it has no way to authenticate? If the original ISP dropped a packet it shouldn't be routing, the whole problem would go awa.

  5. Re:Accidentally, or not? by Anonymous Coward · · Score: 5, Informative

    Yep. Had BCP38 (Best Current Practice No. 38) been in effect at those ISP's, this attack would not have occurred.

  6. Re:Why are people not being alerted? by six025 · · Score: 5, Funny

    There are over 25 million known open DNS resolvers that can be used in DNS amplification attacks. Directly contacting the administrators of all the servers used in the attack is not a tractable problem

    It sounds like the solution is to send out a huge amount of unsolicited email.

    Oh, wait ...

  7. Re:Why are people not being alerted? by bobstreo · · Score: 4, Funny

    There are over 25 million known open DNS resolvers that can be used in DNS amplification attacks. Directly contacting the administrators of all the servers used in the attack is not a tractable problem

    It sounds like the solution is to send out a huge amount of unsolicited email.

    Oh, wait ...

    Well we could do a kickstarter, and hire our friends at Cyberbunker to host the email sending...