SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

DDoS and Open Resolvers: The Swiss view

1 Comment


About a month ago the openresolver project  published the results of a global scan enumerating open recursive DNS Servers. A daunting 27.200.613 systems where found.

In the past we’ve reported on large scale DDoS attacks in this blog. The attacks are real, and they are not just some rare random occurrences on the net. The recent attack on Spamhaus illustrates this quite clearly. People have different views on Spamhaus’ activities, but that’s not the point. The point is that there are people out there that can launch massive attacks that even Tier 1 carriers will feel. And it’s not only “Spammers against Spamhouse” that do this. A recent attack we analysed, weighting “only a few dozens MBits/s” was launched by a literal looser, someone who did not get what he wanted in an MMOG, against a game server. We also see attacks against competitors, to black mail people and, quite ironically in the name of “internet freedom of speech”, against disagreeable sites.

The problem

The problem is twofold. On one hand ISPs don’t seem to implement BCP38: Network Ingress Filtering. This would not be a problem, if there where no open recursive amplifiers. They need not be DNS servers, any stateless service that replies with large answers to short queries will do. The later are the second variable in this equation.
People tend to pass the issue to each other like a hot potato. The discussion is futile though, the fact is: miscreants are abusing this double-loophole to create massive damage.

Open Resolvers in Switzerland

One would assume, that most of the open, i.e. misconfigured devices are in the “developing zones” of the internet. But this is not so. A re-verification of the data on the openresolver projects page yielded more than 70’000 open devices in the Swiss AS known to us. While a few of the large networks account for the bulk of the open devices, many of the small networks have plenty of resolvers that reply potently.

openresolvers_swissas

Open DNS Resolvers in Swiss AS’: The bulk comes from a few, large networks. However many of the smaller Swiss networks host a number of potent open resolvers.

A wolf in a sheepskin?

As it turns out, many of these devices don’t look like DNS resolvers if you actually stare at them. Many are DSL modems whose resolvers also answer to the outside. But we’ve also seen webcams, which, only god knows why, run a DNS server. It will be difficult to shut these down in the short run.

What can you do?

  • Configure DNS servers to only answer queries for which they are authoritative to the outside. Team Cymru has instructions for bind and Microsoft Servers.
  • Put devices with broken DNS servers hardwired behind firewalls.
  • Implement BCP38.

One thought on “DDoS and Open Resolvers: The Swiss view

  1. Pingback: Was kommt nach DNS Response Rate Limiting? | SWITCH Security-Blog