I think it’s not so much the open resolvers, although anything that’s open unintentionally should be closed. Most resolvers should only be handling queries from the local network or downstream, not from the outside world.

The real problem is the address spoofing that allows these attacks in the first place. The attack depends on being able to forge the source address and have the packets routed. But unless your network’s carrying a lot of transit traffic from a variety of address space, you shouldn’t be allowing that. Upstream interfaces should only be allowing traffic out if it’s from addresses your network should be carrying. Downstream interfaces should only be allowing traffic in that’s from addresses that should be downstream of that interface. And the upstream interfaces shouldn’t be allowing traffic in that’s not to an address on or downstream of your network. That kind of filtering should be standard on every network it’s feasible to do on, and it’d shut down this attack (and many others) at the source.

I know it won’t work for all networks. But there’s a lot of networks near the edge where you find only a reasonable chunk of address space that ought to be sending traffic up through that interface, where you’re connecting end-user networks that shouldn’t be carrying other people’s traffic. Why are those connections still allowing spoofed/forged traffic through them?

... also any equipment attached to the internet capable of handling DNS requests it seems (like cable-modems, routers, etc)

I’m not aware of cable modems that have recursive DNS server support, though RGs (residential gateways) surely support them.  But in those devices, of all CPE deployed, would be manageable by the service provider such that they could change that setting universally.

Do you have evidence that cable modems are a big part of the recursive DNS problem?  If I had to guess where the problems were, I would first list customer-owned routers, then DSL modems, then non-firewalled hosts, and then firewalls/routers NATing to an internal DNS server.

I suspect we will see more of this happening now the “proof-of-concept” is done. It still worries me when the real guns are pulled out and focus would shift from particular entities to the root infrastructure of the Internet.

I had a couple of talks with my expertise peers on this how to mitigate this, it is very difficult as it is sheer load coming from every corner of the Internet. We really did not come up with a single solution. Mitigation would probably mean “breaking” some parts of the Internet as collateral damage, which in size would probably be disruptive enough as well.

Main concern in this, again, is the “open resolvers” out there that we cannot control without education and regulation on how DNS is deployed (you know, the thing we are allergic/apathetic about on/about Internet).

Why are you calling this a proof-of-concept?  This is attack on CloudFlare appears to be the real thing.

Why would we need to come up with a single solution?  The immediate mitigation approach was traffic scrubbing, and the long-term approach is closing open DNS resolvers and minimizing the amount of spoofable hosts by using features such as uRPF.  As it was, CloudFlare “mitigated” the issue significantly by having used anycast across many sites.

Wow… Lots of articles and news items on this. Guess we are worrying (for a good reason), but also get out of proportion.

Nice articles:

http://www.circleid.com/posts/20130402_open_dns_resolvers_coming_to_an_ip_address_near_you/

http://www.techrepublic.com/blog/security/ddos-strike-on-spamhaus-highlights-need-to-close-dns-open-resolvers/9296

Another nice one, whatever is going on, it’s getting attention on all fronts :-).

http://gizmodo.com/5992652