The Million Plus Open Resolver Challenge

The Attack: 25 Gigabits. Sustained.
The Attacker: You?
The Victim: You?
The Movie: See a slice of the DDoS in action.

The Problem

Could you withstand a 25 Gigabit/second packet flood without it adversely affecting your business? In 2009 one provider was on the receiving end of a DNS amplification and reflection attack that peaked at upwards of 30 Gb/s in aggregate. By 2013 attacks had grown to ten times that size, 300 Gb/s and larger. They are sure to climb higher as long as a substantial number of public open resolvers remain and source IP addresses can still be spoofed.

Over one million open DNS resolvers were used to disrupt their business and take them offline. Yet, nearly ZERO compromised machines participated. How? It is very similar to the ICMP Smurf attacks of the 90s. With the ability to spoof packets on the Internet and route traffic through improperly configured DNS recursive resolvers, this attack used the amplification power of DNS queries to wield a highly effective flood. Studies suggest that this million may be only a fraction of the open recursive servers on the Internet today.

You may have been an unwitting participant in a DNS amplification attack, or worse, what if you had been the victim?

The Prevention

There are several things that can and should be done to help reduce the impact of this threat. Please visit RFC 5358 for some general tips on how to prevent the undesirable use of recursion on your gear. This includes regular DNS servers that are misconfigured and even CPE (Customer Premises Equipment) such as DSL routers and modems! See our instructions for specific configuration examples.

If you are interested in receiving regular reports of open resolvers within your BGP ASN or CIDR netblock, we'd like to help you. Please sign up at no cost for TC Console to get open resolver reports for your network.

Additional Resources

If you are interested in learning more about the finer details regarding this attack vector and why it is a problem, you might visit a few of these links:


Bind 9.x Authoritative

For BIND 9.x authoritative servers, apply the following global options:

  options {
      recursion no;               # do not recurse for anyone
      additional-from-cache no;   # do not leak cached data in the additional section
  };

Beginning with BIND 9.4, most configurations default to a closed resolver. Those running earlier versions should upgrade if possible.

Bind 9.x Caching

For BIND 9.x caching servers, additionally create access control lists and use "views" to explicitly permit only a limited set of source addresses from your trusted network to issue queries to your caching server:

  # example only, replace with a list of your CIDR blocks
  acl "trusted" {
      192.0.2.0/24;      # placeholder: RFC 5737 documentation range
      2001:db8::/32;     # placeholder: RFC 3849 documentation range
  };

  # global defaults: closed to everyone who does not match a view below
  options {
      recursion no;
      additional-from-cache no;
      allow-query { none; };
  };

  # only clients in the "trusted" ACL reach this view and get recursion
  view "trusted" in {
      match-clients { trusted; };
      allow-query { trusted; };
      recursion yes;
      additional-from-cache yes;
  };

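As an added example that is not part of the original page, this Python check lets you verify the effect of a configuration like the one above on a resolver you administer: it builds a recursive query, decodes the reply header (RA flag, RCODE, answer count), and reports how many bytes came back per byte sent, which is the amplification factor the attack described earlier relies on. The server address, the name example.com and the probe_resolver helper are assumptions, and build_response fabricates replies so the logic can be exercised offline.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format DNS query with RD=1 (recursion desired), QTYPE A by default."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def classify_response(query, response):
    """Read the reply header: did the server recurse for us, and how much did it amplify?"""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    if txid != struct.unpack(">H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)                 # RA: server offers recursion
    return {
        "rcode": RCODES.get(rcode, str(rcode)),
        "recursion_available": ra,
        "answers": ancount,
        # bytes returned per byte sent: the multiplier a reflection attack exploits
        "amplification": round(len(response) / len(query), 2),
        # an open resolver recurses for arbitrary clients and hands back data
        "open_recursion": ra and rcode == 0 and ancount > 0,
    }

def probe_resolver(server, name="example.com", timeout=2.0):
    """Send one recursive query over UDP to a resolver you administer and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return classify_response(query, response)

def build_response(query, rcode, ra, answers=()):
    """Constructed test reply (not captured traffic): echo the question, set flags, add A records."""
    flags = 0x8100 | (0x0080 if ra else 0) | rcode    # QR=1, RD=1, optional RA, RCODE
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, flags, 1, len(answers), 0, 0)
    rrs = b"".join(struct.pack(">HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip)
                   for ip in answers)              # 0xC00C points back at the question name
    return header + query[12:] + rrs
```

A closed caching server configured as above should answer untrusted sources with REFUSED and RA clear, so open_recursion is False and the amplification ratio stays near 1.0.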

Please see the following Microsoft TechNet examples:

Team Cymru

Copyright © 2017 Team Cymru. All Rights Reserved.