Is Your Open DNS Resolver Part of a Criminal Conspiracy?

It has been a very eventful week in the field of DNS operations. In addition to the BIND vulnerability disclosed by ISC this week, the DNS world has been buzzing with news about “the biggest Distributed Denial of Service attack to date”, directed against Spamhaus by parties critical of their decision to list Cyberbunker as a spam source. As an industry leader in the field of DNS software, ISC sees the Spamhaus DDOS as a perfect opportunity to remind DNS operators why it is important to not operate an “open” recursive resolver, a policy recommendation we have been making since 2005.

A significant component of the DDOS traffic targeted at Spamhaus is coming from a technique that has been known for years — a variety of reflection attack commonly known as a “DNS amplification attack.” By relying on the fact that an answer to a DNS query can be much larger than the query itself, attackers are able to both amplify the magnitude of the traffic directed against a DDOS victim and conceal the source of the attacking machines.

To accomplish this, the attacker sends a DNS query a few bytes in size to an open resolver, forging a “spoofed” source address for the query.  The open resolver, believing the spoofed source address, sends a response which can be hundreds of bytes in size to the machine it believes originated the request.  The end result is that the victim’s network connection is hit with several hundred bytes of information that were not requested.  They will be discarded when they reach the target machine, but not before exhausting a portion of the victim’s network bandwidth. And the traffic reaching the victim comes from the open resolver, not from the machine or machines used to initiate the attack.  Given a large list of open resolvers to reflect against, an attacker using a DNS amplification attack can hide the origin of their attack and magnify the amount of traffic they can direct at the victim by a factor of 40 or more.

DNS operators who operate open resolvers without taking precautions to prevent their abuse generally believe they are harming nobody, but as the Spamhaus DDOS proves, open resolvers can be effortlessly coopted by attackers and used in criminal attacks on third parties.

Beginning in 2005, ISC began publicly advocating for operators to stop operating open resolvers. In 2007 we changed the behavior of BIND, the world’s most popular nameserver software, so that open resolvers would no longer be the default. And in 2008 ISC CTO Joao Damas co-authored RFC 5358, “Preventing Use of Recursive Nameservers in Reflector Attacks.” For 8 years now we’ve been consistently leading on this issue as part of our mission to strengthen the DNS infrastructure, improve network security, and contribute to a stable and open internet. But there are still many open resolvers in operation. In order to avoid being pressed into service as an unwitting pawn in a criminal conspiracy, ISC strongly advises that DNS operators make use of the security features in BIND to enforce reasonable access permissions on their recursive resolvers.

At ISC, supporting the health of the Domain Name System and improving the security and stability of an open internet are core values and the biggest part of our public mission. If you would like to know more about us and our efforts, follow us on Twitter or Linked In, or get in touch via our contact page.

Next week we’ll have more to share about how current ISC development efforts are targeting reflection attacks and other network abuse to create a better internet for everybody.

10 Comments

  1. Randal L. Schwartz March 28, 2013 Reply

    So you’re advocating that google shut down 8.8.8.8 and 8.8.4.4? Have you let them know?

    • Author
      Michael McNally March 28, 2013 Reply

      You’re correct, of course, but “don’t operate an open resolver unless you really know what you’re doing” doesn’t get the message across quite as clearly as “don’t operate an open resolver.” The overwhelming proportion of operators running open resolvers have not performed any realistic assessment of the risks and benefits, and in a large majority of cases are completely unaware of their contribution to reflection attacks. This blog post was intended to raise awareness of the issue and not to be the definitive word on the subject. Google may operate in peace, with our blessing (if they care to have it.)

    • Trevor Sullivan April 26, 2013 Reply

      I think by 8.8.8.8 and 8.8.4.4, you actually meant 2001:4860:4860::8888 and 2001:4860:4860::8844. :)

  2. David McRae March 28, 2013 Reply

    So you advocate damaging the functionality on the internet because ISPs can’t police their users? Your utopian world where everyone has closed off open resolvers won’t help anything. The “bad guys” will simply start exploiting DNSSEC and if that is “fixed”, they’ll move on to the next thing. Closing off useful services running on public ports is a race to the bottom.

    I thought ISC stood for the open Internet and not scare mongering?

    • paul vixie March 28, 2013 Reply

      No. “Damage the functionality of the internet” is a gross mischaracterization. ISC has helped define and construct and operate “the internet” and we want its continuance. That sometimes means preventing various kinds of traffic, when that traffic has no public benefit and great potential public harm.

      We know that the bad guys will continue to find new ways to be bad — that’s what being a bad guy means! And we’re not just playing “whack-a-mole” here, closing down vulnerability after vulnerability in an endless series of empty meaningless symbolic gestures.

      Rather, we’re solving internet public safety problems. As long as you can run your own recursive name server (and 85% of you who do this are using our free BIND software to do it!), or you can reach well-monitored open recursive servers like google’s or opendns’s, or you can reach the recursive dns servers operated for you by your ISP, then you’re doing fine. we won’t try to remove any “useful services”.

      ISC does stand for an open internet. our mission statement is explicit:

      Internet Systems Consortium, Inc. (ISC) is a non-profit 501(c)(3)corporation dedicated to supporting the infrastructure of the universal connected self-organizing Internet – and the autonomy of its participants – by developing and maintaining core production quality software, protocols, and operations.

      Paradoxically, an open internet has to be able to refuse some service to some people, like for example, refusing to openly reflect and amplify attacks.

      Thanks for your interest in ISC and internet public health and safety!

      paul vixie
      chairman and founder
      internet systems consortium

  3. Larry Elkin March 30, 2013 Reply

    I hope you don’t mind a question from a relatively non-technical reader. I have been trying to make sense of a paragraph in today’s NY Times story on the recent attack:

    Closing an open resolver, unfortunately, is not as simple as flipping a switch or downloading some software. Finding out if your home cable box is an open resolver, for instance, requires you to call your cable company and tell them that you do not want to be running an open resolver — a tough request when most of the world’s population does not even know what an open resolver is.

    Is my quiet little cable box running a DNS service without my knowing? If not, how is “resolving” anything — open or otherwise? Or is the Times reporter simply more confused than I am?

    Thanks for your post and your efforts to keep us all up and running. Best regards.

  4. Cali April 1, 2013 Reply

    While I do not support DDoS attacks, I surely do not support spamhaus.com which has listed our entire network just because the website stophaus.com which they do not like is hosted in our network, no spam is being issued through any of our servers.
    The idea of a centralized organization such as spamhaus.com is much more dangerous than any open dns resolver in my opinion, this company definitely does not understand how the Internet works and I find very weird and shocking to see ISC listed on their sponsors page.

  5. Aaron Toponce April 5, 2013 Reply

    Everyone, close your open resolver. I’m eager to go back to HOSTS.TXT.

  6. Robert Thomas April 23, 2013 Reply

    So, I am betting the source of the isc.org attacks are in fact FROM isc themselves to “encourage” of force people to close their open recursive servers to satisfy isc goals? Deny it…It makes too much sense to me. Thanks for the headaches

    • Author
      Michael McNally April 24, 2013 Reply

      So, I am betting the source of the isc.org attacks are in fact FROM isc themselves to “encourage” of force people to close their open recursive servers to satisfy isc goals?

      While I suspect it would probably be more fun to be the nefarious evil geniuses you suppose us to be, the comparatively boring explanation is that a very short query for isc.org returns a relatively large response (because our zones are DNSSEC signed and include RRSIG records.)

      That makes it a useful query for persons wanting to launch amplification attacks because the query size to query response ratio (i.e. the amplification factor) is fairly high.

Leave a reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

What is 9 + 4 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)