Recently we have faced one of the largest DDoS attacks in history. The attacks were launched against the Spamhaus website, and about 300Gbit/s was thrown at them. The main reason the attackers could reach such enormous traffic is that they used open DNS resolvers to amplify the attacks.
It’s a so-called Smurf attack with a few modifications. Smurf is a denial-of-service attack in which large amounts of packets carrying the intended victim’s spoofed source IP are sent to a list of servers; every one of those servers replies to the request, which directs significant traffic at the victim’s IP.
In our case, if you query an open DNS resolver for a domain and spoof your IP with the victim’s IP, the DNS resolver will send the response to the victim. A DNS response can become quite large if you add DNSSEC parameters. This means that from a simple dig query to a DNS server, you get a response of much larger size. So in theory, if you throw 1Mbit at a DNS resolver, it will amplify your traffic up to 50 times: you get 50Mbit from your poor 1Mbit connection. Nowadays home connections in Slovenia range from 10Mbit up to 100Mbit, assuming you live in a city.
As you may know, the best equipment that holds our internet backbones together can carry up to 100Gbit per port. That’s the maximum traffic it can handle. You can bond a few of those ports together, but sooner or later you will reach hardware limits.
As a system administrator I was wondering how secure our Slovenian DNS servers are, so I did a little research. I scanned all Slovenian IP ranges from the GeoIP database for DNS servers and came up with interesting results.
Scanning 1972757 Slovenian IPs found a total of 4659 DNS servers. (I probably missed some private ranges, so this may not be the full list and may lack a few IPs.) Not all of them are vulnerable to the attacks, but some of them are. Usually these DNS servers run on very strong connections, meaning they can produce traffic from 100Mbit per second upwards.
Further analysis showed that of all the discovered DNS servers, 1413 are open and recursive and therefore prone to abuse. I did not test for possibly rate-limited recursive DNS servers, since that would put me in an even more dangerous position than I already am in by scanning the ranges for open ports. In theory I would have to send up to 10 concurrent DNS requests to a specific server without failed responses to be sure it’s not rate limited, but that could already be considered flooding of the service and therefore an attack.
Reverse DNS resolving showed some really interesting results. My hypothesis was that these servers are mainly owned by people who run servers at home for webhosting or similar things. I couldn’t have been more wrong.
What I discovered was that the servers belong to:
Several faculties in Slovenia
Webhosting companies (at least they should have secured their DNSes!)
Smaller ISPs (they allow everyone to use their DNSes, not only their own clients)
Web design companies
High-school DNS servers
From the list above, you can imagine that some of these open DNS servers may have multi-gigabit connections that attackers can more or less abuse. For such a small country we have a rather large number of open DNSes…
Test your own DNS server by entering its IP on this website: http://openresolverproject.org/
Consider adding rate limiting on your DNS server if you must run a recursive DNS: http://www.redbarn.org/dns/ratelimits
Allow recursive DNS only to your clients, from IP ranges that you own. Refuse the rest.
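As an added example (not part of the original post), here is a small Python self-check for a resolver you operate: it builds a recursive query with EDNS0 and the DO bit (the query shape an open-resolver test uses), reads the RA flag and rcode from the reply header, and reports the response-to-query size ratio. The sample replies are constructed inline so it runs offline; the server address, the name "example.com" and the 1940-byte padding are assumptions.

```python
import socket
import struct

def build_query(name, qtype=255, udp_size=4096, txid=0x1234):
    """Recursive (RD=1) query with an EDNS0 OPT record advertising a 4096-byte
    buffer and the DO bit, the query shape that draws the largest answers."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL carries the DO flag
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return header + question + opt

def parse_header(data):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "answers": an, "size": len(data)}

def assess(query, response):
    """Flag a reply that looks like it came from an open resolver (recursion
    available, NOERROR, answers present) and compute the size ratio."""
    info = parse_header(response)
    info["open_resolver"] = info["ra"] and info["rcode"] == 0 and info["answers"] > 0
    info["amplification"] = round(len(response) / len(query), 1)
    return info

def check_resolver(server, name="example.com", timeout=3.0):
    """Send one query to a resolver you operate and assess its reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(65535)
    return assess(q, data)

def sample_response(query, open_resolver, padding=1940):
    """Constructed replies (not real captures) for offline use: an open resolver
    answering with RA set and a padded EDNS record, or a restricted one replying
    REFUSED with no answer section."""
    question = query[12:-11]  # echo the question, drop the query's OPT record
    if not open_resolver:
        return struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    # EDNS Padding option (code 12) stands in for the bulk of a DNSSEC-laden reply
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, padding + 4)
    return header + question + answer + opt + struct.pack("!HH", 12, padding) + b"\x00" * padding
```

With the constructed open-resolver reply the 40-byte query yields a 2000-byte answer, i.e. the 50x ratio mentioned above, while the REFUSED reply is smaller than the query itself.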
ISPs could prevent source IP spoofing and thus prevent such attacks from happening, but this is probably too radical a thing to do, since it may cause a domino effect and cause problems somewhere else.
I know this is a delicate issue. The scan was made for research purposes only; the list of open DNS resolvers was deleted after the data was extracted and was only used for the purpose of this blog post. The results of my research may have changed after this blog post was published.