For some perspective on what 300 Gbps of traffic represents, let’s just pretend that your company, as a potential customer, put this massive volume of bits and bytes in front of 20 of the leading Internet service providers. Chances are, all but three or four will tell you “Thanks, but no thanks, we can’t handle your business.”

That, according to Jared Mauch of the Open DNS Resolver Project, is an anecdotal picture of the largest surges in DDoS traffic directed at Spamhaus this week, an attack that also reportedly caused some collateral damage to unrelated online services.

While the big traffic numbers and the spat between Spamhaus and illicit webhost Cyberbunker are grabbing big headlines, the underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland. Open resolvers do not authenticate a packet-sender’s IP address before a DNS reply is sent back. Therefore, an attacker who spoofs a victim’s IP address in DNS requests can have the resolvers bombard the victim with responses at roughly 100 times the volume of the requests that were sent. DNS amplification attacks such as these have been used lately by hacktivists, extortionists and blacklisted webhosts to great success.

“300 Gbps is not an insignificant amount of traffic,” Mauch said. “That represents a significant potential for destruction to point at any individual location.”

Mauch maintains a growing database of 27 million open DNS resolvers on the Internet that his project hopes to shut down or change to a more secure configuration. In the attacks on Spamhaus, security company CloudFlare said the botnet involved used more than 30,000 unique DNS resolvers to successfully keep Spamhaus offline. In a larger attack scenario, the collective power of these resolvers could have been used to keep much larger segments of the global network offline.

“Using a list of open resolvers, you could spoof traffic and get 100-to-1 amplification; for every byte you send out, the victim gets 100 back if it’s properly formatted and sent to an open recursive resolver,” Mauch said. “At that point, you could then leverage the global nature [of the list] and have the whole Internet attacking one site. That makes it difficult to mitigate.”

So what’s the answer? Short of shutting down all 27 million resolvers, the Open DNS Resolver Project and others, such as DNS service provider Afilias, recommend implementing source address validation. An IETF RFC, BCP-38, spells out how to use source address validation and build an architecture that defeats IP source address spoofing.

“Source address validation guarantees spoofing cannot happen,” said Afilias CTO Ram Mohan. “We have been exhorting the community to implement it promptly. This ensures that a resolver first determines a source address is valid before it sends back responses.”

The onus lies with ISPs to find a business reason to do so on their respective infrastructures, said Jim Galvin, director of strategic relationships and technical standards at Afilias, which has source address validation implemented across its DNS infrastructure. By implementing source address validation, an ISP would then allow only traffic from its IP ranges to make DNS requests, making IP spoofing a moot point.

In the attacks on Spamhaus, for example, Galvin said even authoritative resolvers were unwitting participants.

“It doesn’t have any information to tell it not to [respond],” Galvin said. “Resolvers are supposed to respond to all queries. The ISP has the responsibility; it knows what IP addresses are valid on its network and should not be distributing queries that are not originating from its network. The discussion isn’t about whether open resolvers are bad, or whether authoritative are good, the larger point is with whomever is running these resolvers on their networks.”

Mohan said open resolvers have a practical use; they just cannot run under a policy of not doing any validation.

“That is wrong,” he said. “If you had open resolvers that implemented source address validation, these reflection attacks would not be happening.”

BIND servers, Mohan said, have a fairly easy configuration for what BIND calls response rate limiting. Cisco and Juniper routers, Mauch said as an example, both offer relatively simple one-line configuration changes to implement it.
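The two controls the article describes, source address validation at the ISP edge (BCP-38) and response rate limiting on the resolver, put together as an added example in Python; this is not code from the article, Afilias or the Open DNS Resolver Project. The rate limiter is modelled loosely on BIND RRL’s responses-per-second and slip settings, and the prefixes, addresses, query names and the 100-to-1 ratio are constructed sample values.

```python
import ipaddress
from collections import defaultdict

class Bcp38Edge:
    """ISP edge router applying BCP 38 ingress filtering: a packet may leave
    the customer network only if its source address lies in a prefix assigned
    to that network; anything else is a spoof and is dropped on the spot."""
    def __init__(self, assigned_prefixes):
        self.nets = [ipaddress.ip_network(p) for p in assigned_prefixes]
    def permit(self, src):
        return any(ipaddress.ip_address(src) in net for net in self.nets)

class RrlResolver:
    """Open recursive resolver with BIND-style response rate limiting (RRL):
    identical answers to one client /24 are capped per second; of the excess,
    every `slip`-th query gets a small truncated (TC) reply so a real client
    can retry over TCP, and the rest are silently dropped."""
    def __init__(self, responses_per_second=5, slip=2, amplification=100):
        self.rps, self.slip, self.amp = responses_per_second, slip, amplification
        self.sent = defaultdict(int)    # (second, client /24, qname) -> answers
        self.excess = defaultdict(int)  # same key -> queries over the cap
    def respond(self, second, src, qname, query_bytes):
        """Return the number of response bytes sent toward `src`."""
        key = (second, ipaddress.ip_network(f"{src}/24", strict=False), qname)
        self.sent[key] += 1
        if self.sent[key] <= self.rps:
            return query_bytes * self.amp   # full answer, ~100-to-1 amplified
        self.excess[key] += 1
        if self.excess[key] % self.slip == 0:
            return query_bytes              # truncated reply, no amplification
        return 0                            # dropped

def simulate(queries, edge, resolver):
    """Run (second, source IP, qname, bytes) tuples through the attacker-side
    edge filter and the resolver; return bytes reflected at each source."""
    reflected = defaultdict(int)
    for second, src, qname, size in queries:
        if edge is not None and not edge.permit(src):
            continue                        # spoof never reaches the resolver
        reflected[src] += resolver.respond(second, src, qname, size)
    return dict(reflected)

# Constructed sample: a host inside 203.0.113.0/24 forges the victim 192.0.2.10
# (RFC 5737 test addresses) as source 20 times; one genuine query is mixed in.
TRAFFIC = [(0, "192.0.2.10", "example.net.", 60)] * 20 + [(0, "203.0.113.7", "example.com.", 60)]
if __name__ == "__main__":
    edge = Bcp38Edge(["203.0.113.0/24"])
    print("no defence  :", simulate(TRAFFIC, None, RrlResolver(responses_per_second=10**9)))
    print("RRL only    :", simulate(TRAFFIC, None, RrlResolver()))
    print("BCP 38 + RRL:", simulate(TRAFFIC, edge, RrlResolver()))
```

Run stand-alone, it prints the bytes reflected at each claimed source with no defence, with RRL alone, and with both, showing that RRL caps the amplification while filtering at the spoofing network stops the attack before the resolver is ever involved.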

“We need to continue to move toward a path of getting source address validation working to stop the ability to launch these attacks,” Mauch said. He added that shutting down some of the open resolvers is also an option. “By closing resolvers, you minimize the number of machines used to launch an attack. If we can reduce the attack surface by 10 percent, it would be quite a success, let alone if we could get 90 percent to change to a more secure default setting. By doing that, you’re going to reduce the number of machines used for launching these types of attacks and make the global network safer and more secure for everyone.”

Categories: Web Security

Comments (7)

  1. SkedAddled

    Quoted from another site:

    “Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet,” Mr. Kamphuis said. “They worked themselves into that position by pretending to fight spam.”

    Yeah, and nobody has yet indicated that the Spamhaus blacklist is 100% voluntary, with all participants using the information without any coercion. Such is the same with SpamCop’s contribution to the general blacklisting efforts.

    The knee-jerk reaction of the crying afflicted indicates implicit guilt to me.

    It’s also not mentioned that these blacklist aggregators are fully automatic, generating their statistics and lists from averages of submissions made directly to them, rather than from influential suggestions from supremely huge ISPs and IXs.

    I myself contribute to the SpamCop (spamcop.net) aggregation by submitting and parsing much of the spam I receive. I enjoy my efforts in such an endeavor, as it makes me feel good that I’m helping to rid the ‘net of such underhanded and cowardly, as well as criminal, elements. Both Spamhaus and SpamCop have been influential in bringing criminal fraudsters to justice through their aggregated statistics and reporting, and I’ve been extremely happy to have been of some help in contributing to their evidentiary reports.

  2. Anonymous

    I myself operate many open DNS resolvers and have never had a problem with these attacks. In fact, I never applied a single patch to BIND. I just have correct rate-limit iptables rules and all DNS amplification attacks are mitigated in 5 minutes.

    So why all this mess around open DNS resolvers? I can understand that free and open DNS resolvers are a problem for commercial ISPs or commercial companies (Google’s free DNS is just a way to kill independent open DNS resolvers), but they are not a problem for the Internet as long as they are operated by knowledgeable sysadmins…


  3. Jan van Niekerk

    The headline should read “OpenDNS comments on Spamhaus DDOS”. Headlines. “HEADLINE WRITER COMES HOME. WIFE, DOG OVERJOYED”.

  4. James

    “… the underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland” 

    I totally disagree – the REAL issue here is the ISPs that allow traffic with spoofed source IP addresses to leave their networks. The open resolvers are a secondary issue.

  5. Anonymous

    • I myself operate many open DNS resolvers and never get a problem with these attacks. In fact, I never applied a single patch to BIND.

    And you’re proud of it?

    • I just have correct rate-limit iptables rules and all DNS amplification attacks are mitigated in 5 minutes.

    That’s five minutes of attack time.

    • So why all this mess around open DNS resolvers?

    Wait, why are they necessary in the first place?

    • I can understand that free and open DNS resolvers are a problem for commercial ISPs or commercial companies (Google’s free DNS is just a way to kill independent open DNS resolvers)

    Is this really a bad thing? You make it sound like “independent open DNS resolvers” serve some higher purpose, and Google intends to quash them for some sort of profit, rather than offering a free, low-latency, anycasted public service, designed the way that most people can’t afford to operate their open resolvers, and with _proper_ security and rate-limiting controls in place.

    • but they are not a problem for the Internet as long as they are operated by knowledgeable sysadmins…

    And what percentage of open resolver operators would you assume were knowledgeable sysadmins? I would posit that many of the people operating open resolvers have no idea they are doing it, and are probably not so tech-savvy as yourself.

  6. Anonymous

    • wait, why are they necessary in the first place?

    Users are free to choose their DNS resolver (for example if they want to avoid liars such as Verisign, RR and other DNS servers stuffed with ads). Just as users are free to choose any phone directory service, they are free to use the DNS server they WANT and not the one their ISP gives them, adding false domain name resolution on NX records.

    Sysadmins are free to offer open DNS. After that, sysadmins offering open DNS have the duty to correctly protect them. You should note that implementing BCP 38 completely removes the DNS amplification problems.

    As an FYI, during this attack, the 4 open DNS servers I operate sent 6MB of data before the attack was *automatically* mitigated, which is nothing. The problem is that other DNS servers sent BILLIONS OF GIGABYTES of data before being shut down. The problem is not with open DNS, it is with *badly managed* open DNS.

    If you drive your car at 100MPH, the problem is not with your car, the problem is with you, the driver. Open DNS without rate limits and mitigation is like driving a car at 100MPH. Again, it is the driver who should be annoyed, not the car, not the car maker.

    Again, corporate companies are using this attack to force the closure of all open DNS because open, free and non commercial DNS resolution is a problem. Corporate companies have put ads and cookies in all Internet protocols: HTTP, SMTP, RTMP and now the only protocol without ads is DNS. I bet that if open DNS resolvers close and users have no choice of their DNS, you’ll see more and more liar DNS systems.
