IT Pro confession: I contributed to the DDOS attack against Spamhaus

79 points| esalazar | 13 years ago |theregister.co.uk

52 comments

[+] sciurus|13 years ago|reply
"""Let's say that you leave your recursive server open to the internet. Now not only can you ask your DNS server for information about other DNS servers on the internet, so can anyone else. If someone asks your server "where is www.google.com" a whole bunch of times then your server starts flooding google.com's DNS servers. For every 1 byte of data sent to your DNS server 50 bytes of traffic end up directed at the target."""

This explanation is skipping a key component of a DNS reflection attack. When the attacker makes a DNS request, they spoof their source address so it is the address of the host they want to attack. Thus they send a small request to your DNS server, and your DNS server returns a large response not to them, but to the host they're attacking.

[+] bradleyjg|13 years ago|reply
Why does it need to be recursive then?

Couldn't you perform the same attack by querying a whole bunch of authoritative name servers for zones they serve with forged source addresses?

[+] dsl|13 years ago|reply
You should also note that DNSSEC is just as much of a problem as open resolvers.

A normal A record lookup results in 1-2x amplification

   $ dig www.ripe.net. in a | grep SIZE
   ;; MSG SIZE  rcvd: 46
Asking for DNSSEC records specifically yields a 10x+ amplification

   $ dig www.ripe.net. in RRSIG | grep SIZE
   ;; MSG SIZE  rcvd: 534
According to research by DJB[1] over 2000 DNSSEC enabled zones provide >30x amplification for incoming UDP queries.

1. cr.yp.to/talks/2012.06.04/slides.pdf

[+] laumars|13 years ago|reply
I think that was implied. However you're right that the author should have made that a little more clear.
[+] matt_heimer|13 years ago|reply
Thanks, I was wondering about their explanation. Every DNS server I set up will temporarily cache the results of its recursive lookups, so I didn't get how this was going to work.
[+] laumars|13 years ago|reply
I have a couple of name servers I've inherited since starting my job. How would I go about testing these servers to see if they're set up correctly (obviously I'm not interested in the forged UDP packets side of things, only testing to make sure that recursive lookups are disabled)?
[+] mindstab|13 years ago|reply
What's a simple way to confirm by test that your DNS server isn't doing recursion?
[+] tquai|13 years ago|reply
The Open DNS Resolver Project has a list of 25 million open resolvers. You can query their database for your IP address or up to a /24. Their site also has information on how to reduce or eliminate the problem via a couple options (RRL, BCP38). If you run a BIND resolver, consider switching to unbound. Part of this problem is rooted in BIND combining resolver and authoritative service in one daemon, which IMO "mis-educated" a lot of people.

http://openresolverproject.org/
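The following is an added example, not code from the article or from any commenter, that ties together three points raised above: sciurus's note that the reply goes to whatever source address the query claims, dsl's dig measurements of query versus response size, and the question of how to test whether an inherited name server answers recursive queries for strangers. It builds DNS queries in wire format with the standard library only (including the EDNS0 OPT record an attacker adds so the reflector will send more than 512 bytes over UDP), parses the response header for the RA bit and RCODE, and computes the amplification ratio. The sample responses are constructed in the script, not real captures; the `probe()` function does real network I/O and is the one you would point at your own server. Names and sizes are illustrative assumptions.

```python
"""Build DNS queries in wire format, parse the response header, and measure
reflection amplification / open-recursion status. Example code added to this
thread, not from the article or any commenter. Standard library only."""
import random
import socket
import struct

QTYPES = {"A": 1, "TXT": 16, "RRSIG": 46, "ANY": 255}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode 'www.ripe.net' as DNS labels: \\x03www\\x04ripe\\x03net\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="A", rd=True, edns_bufsize=None, txid=None):
    """Return a query packet. rd=True sets the RD bit (asks for recursion).
    edns_bufsize adds an OPT record advertising a large UDP payload size so
    the server may answer with more than 512 bytes; amplifiers rely on it."""
    txid = random.randrange(0x10000) if txid is None else txid
    flags = 0x0100 if rd else 0x0000
    arcount = 1 if edns_bufsize else 0
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)
    if edns_bufsize:
        # OPT RR: root name, type 41, class = UDP payload size, TTL 0, no rdata
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return pkt


def parse_header(resp):
    """Decode the 12-byte header into the fields that matter here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),  # server is willing to recurse for us
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
        "arcount": ar,
    }


def amplification(query, response):
    """Bytes the reflector sends to the victim per byte the attacker sends."""
    return len(response) / len(query)


def is_open_recursive(resp):
    """An answered RD query with RA set, for a name the server does not
    serve, means it recursed on behalf of an arbitrary client."""
    h = parse_header(resp)
    return h["ra"] and h["rcode"] == "NOERROR" and h["ancount"] > 0


def probe(server, name="www.google.com", timeout=3.0):
    """Send an RD=1 query for a name the server is not authoritative for.
    Network call; not exercised by the offline test. A correctly locked-down
    authoritative server should answer REFUSED (or without RA and answers)."""
    q = build_query(name, "A", rd=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if parse_header(resp)["id"] != parse_header(q)["id"]:
        raise ValueError("transaction id mismatch")
    return is_open_recursive(resp)


def fake_response(query, name, qtype, rcode=0, ra=True, rdatas=()):
    """Constructed sample response (not a capture): echoes the question and
    appends one RR per rdata, each using a pointer (0xC00C) to the qname."""
    txid = parse_header(query)["id"]
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | rcode
    pkt = struct.pack("!HHHHHH", txid, flags, 1, len(rdatas), 0, 0)
    pkt += encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)
    for rdata in rdatas:
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", QTYPES[qtype], 1, 300, len(rdata))
        pkt += rdata
    return pkt


if __name__ == "__main__":
    q = build_query("www.ripe.net", "A", txid=1)
    small = fake_response(q, "www.ripe.net", "A", rdatas=[bytes([193, 0, 6, 139])])
    print("A lookup: %d -> %d bytes, x%.2f" % (len(q), len(small), amplification(q, small)))
    bq = build_query("www.ripe.net", "RRSIG", edns_bufsize=4096, txid=2)
    big = fake_response(bq, "www.ripe.net", "RRSIG", rdatas=[bytes(200)] * 3)
    print("RRSIG+EDNS0: %d -> %d bytes, x%.2f" % (len(bq), len(big), amplification(bq, big)))
```

The manual equivalent of `probe()` is `dig @your-ns www.google.com`: on an authoritative-only server the status should be REFUSED and the `ra` flag absent (BIND: `allow-recursion { none; };` or `recursion no;`; unbound: `access-control` limited to your own networks). The constructed numbers reproduce the shape of dsl's measurement: a plain A answer is barely larger than the question, while a signature-bearing answer with a 4096-byte EDNS0 buffer is tens of times the query size, and the spoofed source address decides who receives it.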

[+] metalruler|13 years ago|reply
I don't understand why it's necessary for the server to be open, and have recursion enabled. I run a couple of authoritative name servers and have seen them used for amplification attacks. Sure, it's not as easy as querying every open recursive DNS server you can find for <single_domain_with_huge_sized_reply>.com, but there's still (literally) billions of unique hostnames on the internet which can be resolved "legitimately" via their authoritative name servers. There is no magical config option to prevent this; the only way to block this type of activity is to analyze traffic to find IPs that are repeatedly sending the same [spoofed] request.
[+] unethical_ban|13 years ago|reply
Some have suggested that DNS move to TCP, but I don't think that's proper. The nature of DNS lends itself to connectionless, lightweight communication. That said, could the next iteration of DNS implement application-level handshaking?

The reason not to do this at layer 4 is because I, in the several minutes of pondering it, think it could break lots of security devices that track connection state across lots of computers in a network. Make some kind of

  C -> S request  
  C <- S ack 
  C -> S yes  
  C <- S lots of data  
  done

  C -> S request  
  C <- S ack
  C -> S no  
  done
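The following is an added simulation, not code from the thread, of the request/ack/yes exchange sketched in the comment above, written so the server keeps no per-client state: the small "ack" carries an HMAC token bound to the packet's claimed source address and a time window, so a client that forged its source never receives the token and can never trigger the large reply. The message formats, the 500-byte payload and the 60-second window are invented for illustration; the design is essentially the stateless cookie approach that DNS Cookies (RFC 7873) later standardised for real DNS, and it costs the honest client one extra round trip.

```python
"""Stateless request/ack/yes handshake for a UDP service, simulating the
exchange proposed in the comment above. Added example, not from the thread;
message formats and sizes are invented. The server stores nothing per client:
the ACK carries an HMAC token over (source address, time window), so a
spoofed source never sees it and never receives the large reply."""
import hashlib
import hmac
import os

TOKEN_LEN = 8
WINDOW = 60  # seconds a token stays valid (assumption)


class Server:
    def __init__(self, secret=None, payload=b"A" * 500):
        self.secret = secret or os.urandom(32)
        self.payload = payload  # the large answer a reflector would emit

    def _token(self, src_ip, epoch):
        msg = f"{src_ip}|{epoch}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:TOKEN_LEN]

    def handle(self, src_ip, msg, now):
        """Process one datagram. Returns (destination, reply). The reply always
        goes to the datagram's claimed source, exactly as a DNS reply would."""
        epoch = int(now) // WINDOW
        if msg.startswith(b"REQ "):
            # Small ack; roughly the size of the request, so no amplification.
            return src_ip, b"ACK " + self._token(src_ip, epoch).hex().encode()
        if msg.startswith(b"YES "):
            try:
                token = bytes.fromhex(msg[4:].decode("ascii"))
            except ValueError:
                return src_ip, b"BAD"
            # Accept the current and previous window to survive a rollover.
            for e in (epoch, epoch - 1):
                if hmac.compare_digest(token, self._token(src_ip, e)):
                    return src_ip, self.payload
            return src_ip, b"BAD"
        return src_ip, b"BAD"


def legit_exchange(server, client_ip, now=0):
    """Honest client: REQ -> ACK -> YES -> large reply. Returns the reply."""
    _, ack = server.handle(client_ip, b"REQ www.ripe.net", now)
    _, reply = server.handle(client_ip, b"YES " + ack[4:], now)
    return reply


def spoofed_attack(server, victim_ip, now=0):
    """Attacker forges victim_ip as source. Everything the server sends lands
    on the victim; the attacker never sees the ACK, so its YES carries a
    guessed token. Returns (bytes sent by attacker, bytes landing on victim)."""
    sent = received = 0
    req = b"REQ www.ripe.net"
    dst, ack = server.handle(victim_ip, req, now)
    sent += len(req)
    received += len(ack) if dst == victim_ip else 0
    guess = b"YES " + b"00" * TOKEN_LEN
    dst, reply = server.handle(victim_ip, guess, now)
    sent += len(guess)
    received += len(reply) if dst == victim_ip else 0
    return sent, received


if __name__ == "__main__":
    srv = Server()
    print("legit reply bytes:", len(legit_exchange(srv, "198.51.100.7")))
    print("spoofed (sent, landed on victim):", spoofed_attack(srv, "203.0.113.9"))
```

With the constructed sizes the honest client gets the 500-byte payload after its second message, while the spoofing attacker spends more bytes than the victim ever receives: the reflector's worst case is the 20-byte ACK, and the guessed YES earns only a 3-byte BAD.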
[+] drdaeman|13 years ago|reply
Unfortunately, round-trip time is still important, too. I suspect, almost doubling the DNS request time may cause problems in some cases.
[+] ajross|13 years ago|reply
This really is a real issue. My home machine was an open recursor for a while too. I set up a dnsmasq installation and forgot to set an "except-interface" to restrict it to the internal network.

I even like to think I know this stuff well, but still got burned. I'm sure at the time my security analysis (if I even thought of the externally-facing issue) was "who cares if I expose a caching nameserver with no sensitive content to the rest of the internet?".

[+] SageRaven|13 years ago|reply
How disappointing. I thought it was going to be the story of a fed-up email admin breaking down and DoS'ing one of the scourges of the internet.

Blacklists are pure evil, and nothing will ever change my opinion of that. They cause far more problems than they solve. Granted, it's usually by idiot, over-zealous mail admins who block on merely being listed anywhere, rather than by weighted score.

[+] dne|13 years ago|reply
Blacklists are the only reason e-mail is still usable.
[+] jff|13 years ago|reply
Agreed. If I had known at the time that there was a DDoS against Spamhaus, I'd have probably joined in against the self-righteous pricks. Block my home server, will you?
[+] sunyc|13 years ago|reply
One of my servers got exposed too; it was being queried for ripe.net.