The Million Plus Open Resolver Challenge
The Attack: 25 Gigabits. Sustained.
The Attacker: You?
The Victim: You?
The Movie: See a slice of the DDoS in action.
Could you withstand a 25 Gigabit flood without having it adversely affect your business? One provider endured just that recently in April 2009, with spikes upwards of 30 Gigabits in aggregate!
Over one million open DNS resolvers were used to disrupt their business and take them offline. Yet, nearly ZERO compromised machines participated. How? It is very similar to the ICMP Smurf attacks of the 90s. With the ability to spoof packets on the Internet and route traffic through improperly configured DNS recursive resolver, this attack used the amplification power of DNS queries to wield a highly effective flood. Studies have shown that this may actually be only a fraction of the actual number of open recursive servers out there on the Internet today.
You may have been an unwitting participant in a DNS amplification attack, or worse, what if you had been the victim?
There are several things that can and should be done to help reduce the impact of this threat. Please visit RFC 5358 for general some tips on how to prevent the undesirable use of recursion for your gear. This can include regular DNS servers that are mis-configured or even CPE (Customer Premise Equipment) gear such as DSL routers and modems! See our instructions for specific configuration examples.
If you are interested in receiving regular reports of open resolvers within your BGP ASN or CIDR netblock, we'd like to help you. Send an e-mail to email@example.com and we will help you get set up with a free daily report for IP addresses in your network.
If you are interested in learning more about the finer details regarding this attack vector and why it is a problem, you might visit a few of these links:
- Team Cymru "Who and Why Show" - DNS Amplification Attacks (5 minute YouTube video)
- Team Cymru DNS Open Recursion Whitepaper