For some perspective on what 300 Gbps of traffic represents, let’s just pretend that your company, as a potential customer, put this massive volume of bits and bytes in front of 20 of the leading Internet service providers. Chances are, all but three or four will tell you “Thanks, but no thanks, we can’t handle your business.”

That, according to Jared Mauch of the Open DNS Resolver Project, is an anecdotal picture of the largest surges in DDoS traffic directed at Spamhaus this week, an attack that also reportedly caused some collateral damage to unrelated online services.

While the big traffic numbers and the spat between Spamhaus and illicit webhost Cyberbunker are grabbing big headlines, the underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland. Open resolvers answer queries from anyone and do not verify that the source IP address on a query packet is genuine before sending a reply. Therefore, an attacker who is able to spoof a victim’s IP address can send small DNS requests and have the resolvers bombard the victim with the responses, at a ratio of up to 100 bytes coming back for every byte requested. DNS amplification attacks such as these have lately been used to great success by hacktivists, extortionists and blacklisted webhosts.

“300 Gbps is not an insignificant amount of traffic,” Mauch said. “That represents a significant potential for destruction to point at any individual location.”

Mauch maintains a growing database of 27 million open DNS resolvers on the Internet that his project hopes to shut down or change to a more secure configuration. In the attacks on Spamhaus, security company CloudFlare said the botnet involved used more than 30,000 unique DNS resolvers to successfully keep Spamhaus offline. In a larger attack scenario, the collective power of these resolvers could have been used to keep much larger segments of the global network offline.

“Using a list of open resolvers, you could spoof traffic and get 100-to-1 amplification; for every byte you send out, the victim gets 100 back if it’s properly formatted and sent to an open recursive resolver,” Mauch said. “At that point, you could then leverage the global nature [of the list] and have the whole Internet attacking one site. That makes it difficult to mitigate.”
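The following is an added example, not code from the article or from the Open DNS Resolver Project: a resolver operator's detection pass over query-log lines. The log lines are constructed and modelled on BIND's `client IP#port: query: name IN type` format; the served prefix and thresholds are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed log lines modelled on BIND's query log format; not real traffic.
# 10.0.0.0/8 is the network this resolver is meant to serve; 192.0.2.7 is an
# outside address sending repeated ANY queries, the classic amplification pattern.
SAMPLE_LOG = """\
client 10.1.2.3#51234: query: example.com IN A +E (10.0.0.53)
client 10.1.2.4#40001: query: mail.example.com IN MX +E (10.0.0.53)
client 192.0.2.7#53: query: isc.org IN ANY +E (10.0.0.53)
client 192.0.2.7#53: query: isc.org IN ANY +E (10.0.0.53)
client 192.0.2.7#53: query: isc.org IN ANY +E (10.0.0.53)
client 192.0.2.7#53: query: ripe.net IN ANY +E (10.0.0.53)
client 203.0.113.9#3300: query: example.org IN A +E (10.0.0.53)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_queries(log_text):
    """Yield (client_ip, port, qname, qtype) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], int(m["port"]), m["qname"], m["qtype"]

def find_reflection_suspects(log_text, served_nets, min_queries=3, any_share=0.5):
    """Flag client addresses outside the served prefixes whose queries are
    mostly ANY. In a reflection attack the 'client' address is the spoofed
    victim: the address is who is being hit, not who is sending."""
    nets = [ip_network(n) for n in served_nets]
    stats = defaultdict(lambda: {"total": 0, "any": 0})
    for ip, _port, _qname, qtype in parse_queries(log_text):
        stats[ip]["total"] += 1
        if qtype == "ANY":
            stats[ip]["any"] += 1
    suspects = {}
    for ip, s in stats.items():
        inside = any(ip_address(ip) in n for n in nets)
        if inside or s["total"] < min_queries:
            continue  # our own users, or too little data to judge
        if s["any"] / s["total"] >= any_share:
            suspects[ip] = s
    return suspects

if __name__ == "__main__":
    print(find_reflection_suspects(SAMPLE_LOG, ["10.0.0.0/8"]))
```

A client flagged this way should be treated as a probable victim, which is the cue to restrict recursion to the served prefixes rather than to block the address.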

So what’s the answer? Short of shutting down all 27 million resolvers, the Open DNS Resolver Project and others, such as DNS service provider Afilias, recommend implementing source address validation. An IETF RFC, BCP-38, spells out how to use source address validation and build an architecture that defeats IP source address spoofing.

“Source address validation guarantees spoofing cannot happen,” said Afilias CTO Ram Mohan. “We have been exhorting the community to implement it promptly. This ensures that a resolver first determines a source address is valid before it sends back responses.”

The onus lies with ISPs to find a business reason to do so on their respective infrastructures, said Jim Galvin, director of strategic relationships and technical standards at Afilias, which has source address validation implemented across its DNS infrastructure. By implementing source address validation, an ISP would allow only traffic sourced from its own IP ranges to leave its network and make DNS requests, making IP spoofing a moot point.
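To make the BCP-38 idea concrete, here is an added example (not the article's, Afilias's or any router vendor's code) that simulates an ISP edge filter: packets from a customer port must carry one of that customer's assigned source addresses, and packets from upstream must not claim one of the ISP's own prefixes. The prefixes and packets are constructed; the class and method names are assumptions.

```python
from ipaddress import ip_address, ip_network

class Bcp38Filter:
    """Simulated edge-router ingress filtering in the spirit of BCP-38.
    Assumption: the ISP knows exactly which prefixes its customers hold."""

    def __init__(self, customer_prefixes):
        self.customer = [ip_network(p) for p in customer_prefixes]

    def _is_customer(self, addr):
        a = ip_address(addr)
        return any(a in n for n in self.customer)

    def from_customer(self, src, dst):
        """Packet arriving on a customer-facing interface: the source must be
        one of the customer's own addresses, otherwise it is spoofed."""
        return "forward" if self._is_customer(src) else "drop-spoofed-source"

    def from_upstream(self, src, dst):
        """Packet arriving from the Internet: it must not claim to originate
        inside our own prefixes, which would be someone spoofing us."""
        return "drop-spoofed-source" if self._is_customer(src) else "forward"

# Constructed packets: (ingress side, source, destination). 192.0.2.0/24 is the
# ISP's customer space, 198.51.100.53 an open resolver elsewhere, and
# 203.0.113.10 stands in for the victim of a reflection attack.
SAMPLE_PACKETS = [
    ("customer", "192.0.2.20", "198.51.100.53"),    # legitimate query
    ("customer", "203.0.113.10", "198.51.100.53"),  # source spoofed as the victim
    ("upstream", "198.51.100.53", "192.0.2.20"),    # legitimate reply
    ("upstream", "192.0.2.20", "192.0.2.30"),       # our prefix arriving from outside
]

def apply_filter(flt, packets):
    """Return (src, dst, decision) for each packet according to its ingress side."""
    decisions = []
    for side, src, dst in packets:
        check = flt.from_customer if side == "customer" else flt.from_upstream
        decisions.append((src, dst, check(src, dst)))
    return decisions

if __name__ == "__main__":
    for row in apply_filter(Bcp38Filter(["192.0.2.0/24"]), SAMPLE_PACKETS):
        print(row)
```

The second packet is the one that matters for amplification: with the filter in place the spoofed query never reaches the resolver, so no 100-to-1 reply is ever aimed at the victim.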

In the attacks on Spamhaus, for example, Galvin said even authoritative resolvers were unwitting participants.

“It doesn’t have any information to tell it not to [respond],” Galvin said. “Resolvers are supposed to respond to all queries. The ISP has the responsibility; it knows what IP addresses are valid on its network and should not be distributing queries that are not originating from its network. The discussion isn’t about whether open resolvers are bad, or whether authoritative are good, the larger point is with whomever is running these resolvers on their networks.”

Mohan said open resolvers have a practical use; they just cannot run under a policy of not doing any validation.

“That is wrong,” he said. “If you had open resolvers that implemented source address validation, these reflection attacks would not be happening.”

BIND servers, Mohan said, have a fairly easy configuration option for what they call response rate limiting. Cisco and Juniper routers, Mauch said by way of example, both offer relatively simple one-line configuration changes to implement it.
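Response rate limiting caps how many answers a server will send to one client address per second, and for some of the excess it sends a truncated reply (TC bit set) instead of nothing, so a real client retries over TCP while a spoofed victim simply receives far less traffic. This is an added illustration in the spirit of that mechanism, not BIND's own code or configuration; the parameter names, the fake clock and the flood are constructed for the example.

```python
import time
from collections import defaultdict

class ResponseRateLimiter:
    """Per-client token bucket. decide() returns 'answer', 'truncate' (send a
    TC=1 reply so a genuine client retries over TCP) or 'drop'. The names
    below are this example's own, not BIND's option names."""

    def __init__(self, responses_per_second=5, burst=5, slip=2, clock=time.monotonic):
        self.rate = responses_per_second
        self.burst = burst
        self.slip = slip          # every slip-th excess response is truncated, not dropped
        self.clock = clock
        self.buckets = {}         # client -> [tokens, last_refill_time]
        self.excess = defaultdict(int)

    def decide(self, client):
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1:
            self.buckets[client] = [tokens - 1, now]
            return "answer"
        self.buckets[client] = [tokens, now]
        self.excess[client] += 1
        if self.slip and self.excess[client] % self.slip == 0:
            return "truncate"
        return "drop"

class FakeClock:
    """Controllable clock so the flood below is deterministic."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t

def simulate_flood(queries=12, rate=5, burst=5, slip=2):
    """Constructed flood: `queries` identical queries for one (spoofed) client
    arrive in the same instant, then one more a second later."""
    clock = FakeClock()
    rrl = ResponseRateLimiter(rate, burst, slip, clock)
    counts = {"answer": 0, "truncate": 0, "drop": 0}
    for _ in range(queries):
        counts[rrl.decide("203.0.113.10")] += 1
    clock.t += 1.0                      # bucket refills, a single query is answered again
    return counts, rrl.decide("203.0.113.10")

if __name__ == "__main__":
    print(simulate_flood())
```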

“We need to continue to move toward a path of getting source address validation working to stop the ability to launch these attacks,” Mauch said. He added that shutting down some of the open resolvers is also an option. “By closing resolvers, you minimize the number of machines used to launch an attack. If we can reduce the attack surface by 10 percent, it would be quite a success, let alone if we could get 90 percent to change to a more secure default setting. By doing that, you’re going to reduce the number of machines used for launching these types of attacks and make the global network safer and more secure for everyone.”

Categories: Web Security

Comments (7)

  1. SkedAddled

    Quoted from another site:

    “Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet,” Mr. Kamphuis said.
    “They worked themselves into that position by pretending to fight spam.”

    Yeah, and nobody has yet indicated that the Spamhaus blacklist is 100% voluntary, with all participants using the information
    without any coercion. Such is the same with SpamCop’s contribution to the general blacklisting efforts.

    The knee-jerk reaction of the crying afflicted indicates implicit guilt to me.

    It’s also not mentioned that these blacklist aggregators are fully automatic, generating their statistics and lists from averages
    of submissions made directly to them, rather than from influential suggestions from supremely huge ISPs and IXs.

    I myself contribute to the SpamCop(spamcop.net) aggregation by submitting and parsing much of the spam I receive.
    I enjoy my efforts in such an endeavor, as it makes me feel good that I’m helping to rid the ‘net of such underhanded and cowardly,
    as well as criminal, elements. Both Spamhaus and SpamCop have been influential in bringing criminal fraudsters to justice
    through their aggregated statistics and reporting, and I’ve been extremely happy to have been of some help in contributing
    to their evidentiary reports.

  2. Anonymous

    I myself operate many open DNS resolvers and never get a problem with these attacks. In fact, I never applied a single patch to BIND. I just have correct rate-limit iptables rules and all DNS amplification attacks are mitigated in 5 minutes.

    So why all this mess around open DNS resolvers? I can understand that free and open DNS resolvers are a problem for commercial ISPs or commercial companies (Google free DNS is just a way to kill independent open DNS resolvers) but they are not a problem for the Internet as long as they are operated by knowledgeable sysadmins…

  3. Jan van Niekerk

    The headline should read “OpenDNS comments on Spamhaus DDOS”. Headlines. “HEADLINE WRITER COMES HOME. WIFE, DOG OVERJOYED”.

  4. James

    “… the underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland”

    I totally disagree – the REAL issue here is the ISPs that allow traffic with spoofed source IP addresses to leave their networks. The open resolvers are a secondary issue.
