Open DNS servers to go the way of the open mail relay.

Paul Estes wrote to NANOG recently:

We have recently noticed a deluge of DNS requests for “ANYANY” records of x.p.ctrc.cc. The requests are coming from thousands of sources, mostly our own customers. [...] It would appear that ctrc.cc was the victim of some DNS hijacking. Whatever malware is attempting to look up this name, however, is doing so at a horrific rate. I have some addresses that have made >250000 requests for this name in a short period of time.

This is a DNS-based DDoS attack at a magnitude not seen before. Sending thousands of very small, targeted requests to resolvers around the world gives every one of those resolvers extra work, and in this case all of the requests bore down on the .cc name servers.

The effectiveness of DNS-based DoS is clear: DNS runs over UDP, so the source address is ‘relatively’ easy to spoof unless appropriate ingress filters are in place to stop spoofing, and a small query can produce a very large reply. Querying for a 4k TXT resource record, for instance, is very effective. Rob Thomas made the point most effectively:

These attacks have reached 8Gbps at times, and that sort of figure does raise eyebrows.  Perhaps we can capitalize on that and gain some attention to both the problems of DNS amplification attacks (yes, UDP can be abused in many ways, but not all UDP services offer a 1:73 return on investment).

In my mind, the benefit of using open resolvers as a ‘view’ of DNS from other points on the internet becomes moot when open recursion permits attacks of this kind. I expect that within the next twelve months the BIND packages shipped by your favourite distributions will default to “recursion no”, preventing worldwide recursive access. Your ISP’s customer-facing resolvers will sit in a walled garden: log off from their service and you can’t use them.

It’s time for open DNS resolvers to be as socially unacceptable as open mail relays. Turn yours off.

Turning everybody’s off will be no quick process; there are some 580,000 open resolvers in the wild. Blocking DNS servers which permit general recursion will turn horribly political, in the same way that email RBLs have.
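To put numbers on the “small query, large reply” arithmetic above, and to give “turn yours off” a concrete check, here is an added example in Python (standard library only). It is not code from the original post or from NANOG. It builds the wire-format query an attacker would spoof, using the x.p.ctrc.cc name quoted above and the usual EDNS0 buffer advertisement so the reply is not truncated at 512 bytes; it then builds a constructed reply carrying a 4,000-byte TXT record as a stand-in for the “4k TXT” case and computes how many bytes reach the spoofed victim per byte the attacker sends. The same header parser classifies a reply as coming from an open resolver (RA set, answer returned) or a closed one (REFUSED, or RA clear). The probe() helper is the only part that touches the network and is an assumption about how you would run the check; the reply bytes, the 4,000-byte payload and the REFUSED sample are constructed here, not captured traffic.

```python
"""DNS wire-format helpers for reasoning about resolver abuse.

Added example; not code from the original post. Builds a small DNS query,
a constructed (not captured) large TXT reply, computes the amplification
factor, and reads the header flags that tell you whether a resolver
answered recursively. Stdlib only; nothing is sent unless probe() is called.
"""
import socket
import struct

QTYPE_TXT = 16
QTYPE_ANY = 255
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
IP_UDP_OVERHEAD = 28  # IPv4 (20) + UDP (8) headers: what actually crosses the wire


def encode_name(name: str) -> bytes:
    """'x.p.ctrc.cc' -> b'\\x01x\\x01p\\x04ctrc\\x02cc\\x00' (DNS label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234, edns_bufsize: int = 4096) -> bytes:
    """Recursion-desired query plus an EDNS0 OPT RR advertising a large UDP buffer
    (without EDNS0 a resolver truncates at 512 bytes, which caps the amplification)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # flags: RD only; 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_bufsize, 0, 0)  # root name, type OPT, bufsize, ttl, rdlen
    return header + question + opt


def build_txt_response(query: bytes, txt_payload: bytes, ttl: int = 3600) -> bytes:
    """Constructed reply a resolver might return: echoes the question, sets QR+RD+RA,
    and carries one TXT RR holding txt_payload split into 255-byte character-strings."""
    txid, = struct.unpack(">H", query[:2])
    qname_end = query.index(b"\x00", 12) + 1          # terminating zero label of the QNAME
    question = query[12:qname_end + 4]                  # QNAME + QTYPE + QCLASS
    chunks = b"".join(bytes([len(txt_payload[i:i + 255])]) + txt_payload[i:i + 255]
                      for i in range(0, len(txt_payload), 255))
    rr = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, 1, ttl, len(chunks)) + chunks  # name = pointer to offset 12
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR; 1 question, 1 answer
    return header + question + rr


def amplification(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker sends, counting IP/UDP headers."""
    return (len(response) + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the flags that matter for this check."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "tc": bool(flags & 0x0200),
            "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
            "qdcount": qd, "ancount": an}


def classify_resolver(response: bytes) -> str:
    """'open' if the server recursed for us, 'closed' if it refused or has RA clear."""
    h = parse_header(response)
    if h["rcode"] == "REFUSED" or not h["ra"]:
        return "closed"
    return "open" if h["ancount"] > 0 else "no-answer"


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one recursive TXT query to server:53 and classify the reply.
    Network I/O (assumed usage); run it only against resolvers you are responsible for."""
    q = build_query(name, QTYPE_TXT)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction ID mismatch")
    return classify_resolver(data)


if __name__ == "__main__":
    q = build_query("x.p.ctrc.cc", QTYPE_ANY)      # the name from the NANOG post
    big = build_txt_response(q, b"A" * 4000)       # constructed '4k TXT' reply
    print("query %d bytes, reply %d bytes, amplification x%.0f"
          % (len(q), len(big), amplification(q, big)))
    # Constructed reply from a closed resolver: QR+RD set, RA clear, rcode REFUSED.
    refused = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + q[12:]
    print(classify_resolver(big), classify_resolver(refused))
```

Run as-is it prints the sizes and ratio; the exact figure depends on how much the query and the reply each carry beyond the question (EDNS0 option, TTL, label compression), which is why this lands near, not exactly at, the 1:73 that Rob Thomas quotes. The point stands either way: the attacker pays for a few tens of bytes and the spoofed victim receives kilobytes. On the BIND side, the “closed” case corresponds to `recursion no;` on a server that should be authoritative only, or to an `allow-recursion { ... };` ACL limited to your own address blocks on a resolver that must serve customers; probe() against your own resolver from an address outside those blocks should return “closed”.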

There is a mindset that we can fix this problem by preventing spoofing. That would be good, but recursion abuse is still amplified by every additional DNS server an abuser has at his fingertips.

There is also the mindset that support desks will be limited when nameservers are closed, because they won’t be able to view DNS “as a customer”. Expect the larger ISPs to add DNS views to their router looking glasses instead; those applications will be easier to lock down than a default BIND install.
