For some perspective on what 300 Gbps of traffic represents, let’s just pretend that your company, as a potential customer, put this massive volume of bits and bytes in front of 20 of the leading Internet service providers. Chances are, all but three or four will tell you “Thanks, but no thanks, we can’t handle your business.”
That, according to Jared Mauch of the Open DNS Resolver Project, is an anecdotal picture of the largest surges in DDoS traffic directed at Spamhaus this week, an attack that also reportedly caused some collateral damage to unrelated online services.
While the big traffic numbers and the spat between Spamhaus and illicit webhost Cyberbunker are grabbing big headlines, the underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland. Open resolvers do not authenticate a packet-sender’s IP address before a DNS reply is sent back. Therefore, an attacker that is able to spoof a victim’s IP address can have a DNS request bombard the victim with a 100-to-1 ratio of traffic coming back to them versus what was requested. DNS amplification attacks such as these have been used lately by hacktivists, extortionists and blacklisted webhosts to great success.
“300 Gbps is not an insignificant amount of traffic,” Mauch said. “That represents a significant potential for destruction to point at any individual location.”
Mauch maintains a growing database of 27 million open DNS resolvers on the Internet that his project hopes to shut down or change to a more secure configuration. In the attacks on Spamhaus, security company CloudFlare said the botnet involved used more than 30,000 unique DNS resolvers to successfully keep Spamhaus offline. In a larger attack scenario, the collective power of these resolvers could have been used to keep much larger segments of the global network offline.
“Using a list of open resolvers, you could spoof traffic and get 100-to-1 amplification; for every byte you send out, the victim gets 100 back if it’s properly formatted and sent to an open recursive resolver,” Mauch said. “At that point, you could then leverage the global nature [of the list] and have the whole Internet attacking one site. That makes it difficult to mitigate.”
So what’s the answer? Short of shutting down all 27 million resolvers, the Open DNS Resolver Project and others such as DNS service providers Afilias recommend the implementation of source address validation. An IETF RFC, BCP-38, exists that spells out how to use source address validation and build such an architecture to defeat IP source address spoofing.
“Source address validation guarantees spoofing cannot happen,” said Afilias CTO Ram Mohan. “We have been exhorting the community to implement it promptly. This ensures that a resolver first determines a source address is valid before it sends back responses.”
The onus lies with ISPs to find a business reason to do so on their respective infrastructures, said Jim Galvin, director of strategic relationships and technical standards at Afilias, which has source address validation implemented across its DNS infrastructure. By implementing source address validation, an ISP would then allow only traffic from its IP ranges to make DNS requests, making IP spoofing a moot point.
In the attacks on Spamhaus for example, Galvin said even authoritative resolvers were unwitting participants.
“It doesn’t have any information to tell it not to [respond],” Galvin said. “Resolvers are supposed to respond to all queries. The ISP has the responsibility; it knows what IP addresses are valid on its network and should not be distributing queries that are not originating from its network. The discussion isn’t about whether open resolvers are bad, or whether authoritative are good, the larger point is with whomever is running these resolvers on their networks.”
Mohan said open resolvers have a practical use, they just cannot run under a policy of not doing any validation.
“That is wrong,” he said. “If you had open resolvers that implemented source address validation, these reflection attacks would not be happening.”
BIND servers, Mohan said, have a fairly easy router configuration for what they call response rate limiting. With Cisco and Juniper routers, Mauch said as an example, both offer relatively simple one-line configuration changes to implement it.
“We need to continue to move toward a path of getting source address validation working to stop the ability to launch these attacks,” Mauch said. He added that shutting down some of the open resolvers is also an option. “By closing resolvers, you minimize the number of machines used to launch an attack. If we can reduce the attack surface by 10 percent, it would be quite a success, let alone if we could get 90 percent to change to a more secure default setting. By doing that, you’re going to reduce the number of machines used for launching these types of attacks and make the global network safer and more secure for everyone.”