The Million Plus Open Resolver Challenge
The Attack: 25 Gigabits. Sustained.
The Attacker: You?
The Victim: You?
The Movie: See a slice of the DDoS in action.
Could you withstand a 25 Gigabit/second packet flood without having it adversely affect your business? In 2009 one provider was on the receiving end of a DNS amplification and reflection attack that peaked upwards to 30 Gb/s in aggregate. In 2013 attacks have risen ten times that size, to 300 Gb/s and larger. They are sure to climb higher as long as there remains a substantial number of public open resolvers and the ability to spoof source IP addresses.
Over one million open DNS resolvers were used to disrupt their business and take them offline. Yet, nearly ZERO compromised machines participated. How? It is very similar to the ICMP Smurf attacks of the 90s. With the ability to spoof packets on the Internet and route traffic through improperly configured DNS recursive resolvers, this attack used the amplification power of DNS queries to wield a highly effective flood. Studies have shown that this may actually be only a fraction of the actual number of open recursive servers out there on the Internet today.
You may have been an unwitting participant in a DNS amplification attack, or worse, what if you had been the victim?
There are several things that can and should be done to help reduce the impact of this threat. Please visit RFC 5358 for general some tips on how to prevent the undesirable use of recursion for your gear. This can include regular DNS servers that are mis-configured or even CPE (Customer Premise Equipment) gear such as DSL routers and modems! See our instructions for specific configuration examples.
If you are interested in receiving regular reports of open resolvers within your BGP ASN or CIDR netblock, we'd like to help you. Send an e-mail to firstname.lastname@example.org and we will help you get set up with a free daily report for IP addresses in your network.
If you are interested in learning more about the finer details regarding this attack vector and why it is a problem, you might visit a few of these links:
- Team Cymru "Who and Why Show" - DNS Amplification Attacks (5 minute YouTube video)
- Team Cymru DNS Open Recursion Whitepaper