It has been a very eventful week in the field of DNS operations. In addition to the BIND vulnerability disclosed by ISC this week, the DNS world has been buzzing with news about “the biggest Distributed Denial of Service attack to date”, directed against Spamhaus by parties critical of their decision to list Cyberbunker as a spam source. As an industry leader in the field of DNS software, ISC sees the Spamhaus DDOS as a perfect opportunity to remind DNS operators why it is important to not operate an “open” recursive resolver, a policy recommendation we have been making since 2005.
A significant component of the DDOS traffic targeted at Spamhaus is coming from a technique that has been known for years — a variety of reflection attack commonly known as a “DNS amplification attack.” By relying on the fact that an answer to a DNS query can be much larger than the query itself, attackers are able to both amplify the magnitude of the traffic directed against a DDOS victim and conceal the source of the attacking machines.
To accomplish this, the attacker sends a DNS query a few bytes in size to an open resolver, forging a “spoofed” source address for the query. The open resolver, believing the spoofed source address, sends a response which can be hundreds of bytes in size to the machine it believes originated the request. The end result is that the victim’s network connection is hit with several hundred bytes of information that were not requested. They will be discarded when they reach the target machine, but not before exhausting a portion of the victim’s network bandwidth. And the traffic reaching the victim comes from the open resolver, not from the machine or machines used to initiate the attack. Given a large list of open resolvers to reflect against, an attacker using a DNS amplification attack can hide the origin of their attack and magnify the amount of traffic they can direct at the victim by a factor of 40 or more.
DNS operators who operate open resolvers without taking precautions to prevent their abuse generally believe they are harming nobody, but as the Spamhaus DDOS proves, open resolvers can be effortlessly coopted by attackers and used in criminal attacks on third parties.
Beginning in 2005, ISC began publicly advocating for operators to stop operating open resolvers. In 2007 we changed the behavior of BIND, the world’s most popular nameserver software, so that open resolvers would no longer be the default. And in 2008 ISC CTO Joao Damas co-authored RFC 5358, “Preventing Use of Recursive Nameservers in Reflector Attacks.” For 8 years now we’ve been consistently leading on this issue as part of our mission to strengthen the DNS infrastructure, improve network security, and contribute to a stable and open internet. But there are still many open resolvers in operation. In order to avoid being pressed into service as an unwitting pawn in a criminal conspiracy, ISC strongly advises that DNS operators make use of the security features in BIND to enforce reasonable access permissions on their recursive resolvers.
At ISC, supporting the health of the Domain Name System and improving the security and stability of an open internet are core values and the biggest part of our public mission. If you would like to know more about us and our efforts, follow us on Twitter or Linked In, or get in touch via our contact page.
Next week we’ll have more to share about how current ISC development efforts are targeting reflection attacks and other network abuse to create a better internet for everybody.