
Open DNS Resolvers - Coming to an IP Address Near You!

Three vectors were exploited in the recent DDoS attack against Spamhaus:

1) Amplification of DNS queries through the use of DNSSEC signed data

2) Spoofed source addresses due to lack of ingress filtering (BCP-38) on originating networks

3) Utilisation of multiple open DNS resolvers

While 1) is unavoidable simply due to the additional data that DNSSEC produces, and 2) “should” be practised as part of any provider’s network configuration, it is 3) that requires that “you and I” ensure our own systems are adequately configured.

The fact is, open DNS resolvers are nothing new, and the Open Resolver Project is tracking approximately 27 million open DNS resolvers. What I find interesting is that their database can be queried for an IP range to see how many open resolvers are listed.

Out of curiosity, I entered the /24 prefix that my personal IP address resides on, 81.174.169.0/24. This range belongs to Plusnet, a popular ISP located within the UK. I was quite surprised that a list of 9 IP addresses came back; I wasn’t really expecting any, and fortunately none of them were mine!

Out of further curiosity, I started using dig to fire off a DNS query for “www.bbc.co.uk” to each of the IPs. Most of them timed out, but as I worked down the list, sure enough, one of them returned an answer. I ran a port scan but couldn’t detect any well-known open ports other than DNS. So within a few minutes, I had found an open resolver being run on an IP address within the same /24 as my own. This ISP has hundreds of thousands, if not millions, of customers, so if extrapolated, there could be thousands of open resolvers present via this one ISP. (Having said that, this list of open resolvers vs AS numbers only lists 7 open resolvers against Plusnet, so maybe I was just (un)lucky…) I would like to think my ISP has implemented BCP-38, but what if they haven’t? And how many other ISPs out there haven’t?
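The dig sweep described above, written out as an added example (this is not code from the original post or from Calleva Networks). It hand-builds a query with the RD bit set for a name the target does not host, sends it to port 53, and classifies the reply from the header: a server that returns an answer with RA set has recursed for a stranger and is an open resolver; one that returns REFUSED has recursion restricted; one that answers only for zones it holds (AA set, RA clear) is an authoritative-only server and should not be counted, which is the distinction the comments below raise about PowerDNS entries in the list. The probe name is the post's own; the 192.0.2.x addresses and the sample replies are constructed for the offline demo, not captured traffic.

```python
"""Probe a list of IPs for open recursive resolvers (added example)."""
import random
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # DNS header flag bits
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5               # RCODE values we care about


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=None, qtype=1):
    """Return (txid, wire query) for an A lookup (qtype=1) with RD=1, like plain dig."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def classify_response(txid, data):
    """Turn a raw reply into a verdict string using only the 12-byte header."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return "txid-mismatch"          # not a reply to our probe
    if not flags & QR:
        return "not-a-response"
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "refused"                # recursion correctly restricted
    if flags & RA:                      # server offers recursion to us
        if an or rcode == NXDOMAIN:
            return "open-resolver"      # it recursed for a name it does not host
        return "recursion-offered"      # RA set but no usable answer (e.g. SERVFAIL)
    if flags & AA and an:
        return "authoritative-only"     # answers for its own zones, never recurses
    if ns:
        return "referral"               # handed back root/TLD hints instead of recursing
    return "no-recursion"


def probe(ip, name="www.bbc.co.uk", timeout=2.0):
    """Send one UDP probe to ip:53 and classify whatever comes back."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (ip, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"            # most entries in the post's list did this
    return classify_response(txid, data)


def sweep(ips, name="www.bbc.co.uk"):
    """Probe each IP and return {ip: verdict}."""
    return {ip: probe(ip, name) for ip in ips}


def fake_reply(txid, flags, an=0, ns=0):
    """Constructed reply header (sections omitted; classification reads counts only)."""
    return struct.pack("!HHHHHH", txid, QR | RD | flags, 1, an, ns, 0)


SAMPLE_REPLIES = {                                   # constructed, not captured traffic
    "192.0.2.10": fake_reply(0x1234, RA, an=2),       # recursed for us: open resolver
    "192.0.2.11": fake_reply(0x1234, REFUSED),        # allow-recursion restricted
    "192.0.2.12": fake_reply(0x1234, AA, an=1),       # authoritative-only server
    "192.0.2.13": fake_reply(0x1234, 0, ns=13),       # referral to the roots, no recursion
}


def demo():
    """Classify the constructed replies; what the sweep would print offline."""
    return {ip: classify_response(0x1234, data) for ip, data in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    for ip, verdict in (sweep(targets) if targets else demo()).items():
        print(ip, verdict)
```

Run it with the IPs from the project's listing as arguments to sweep them; with no arguments it classifies the constructed replies. Only an "open-resolver" verdict is the thing the post is looking for; "authoritative-only" and "referral" entries are false positives in the sense of the comment about PowerDNS below, and "refused" is what a correctly configured server says to a stranger.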

I have no idea whether CPE routers are providing this open resolver capability or whether people are genuinely running a poorly configured DNS server. The Measurement Factory perform regular surveys for open resolvers and network providers can get them to email a list of open resolvers. They have a useful page here.

I guess it’s unfair to place the blame solely on sysadmins when the default setting for BIND up until 9.4 was to allow recursive queries from anyone, and I am sure there are many *nix/*BSD distros that shipped with BIND versions <9.4 (RHEL 5 anyone?)—although you could argue “Why haven’t they upgraded?” as we are talking pretty old code here. No, I think more culpable are the network operators who route spoofed traffic out from their network; it is inexcusable that they have not implemented BCP-38 (also known as RFC 2827).
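To make the BIND point concrete, here are the named.conf settings involved, as an added illustration rather than anything from the post. The first options block is the effective pre-9.4 behaviour (and what a config with “any” slapped in looks like); the second restricts recursion to the local networks for a caching resolver; the third is for a server that only hosts its own zones and should never recurse. They are three alternatives, not one file. The 192.0.2.0/24 range and the 192.0.2.1 listen address are placeholders.

```conf
// 1) Weak: recursion offered to every client on every interface.
options {
    listen-on { any; };
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};

// 2) Hardened caching resolver: recursion only for the local networks
//    (placeholder ranges; put your LAN prefix in "trusted").
acl "trusted" { 127.0.0.0/8; ::1; 192.0.2.0/24; };
options {
    listen-on { 127.0.0.1; 192.0.2.1; };
    recursion yes;
    allow-query { trusted; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};

// 3) Authoritative-only server: answer for hosted zones, never recurse.
options {
    recursion no;
    allow-query { any; };
    allow-recursion { none; };
};
```

After `rndc reload`, the check is the same one the post ran: `dig @<your-ip> www.bbc.co.uk` from a host outside the trusted range should come back with status REFUSED (or, for the authoritative-only case, an answer only for your own zones with the ra flag absent), not an answer for a name you do not host.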

However, looking at that list of open resolvers vs ASNs again, the top offender is Brazil, followed by a big block in Asia-Pac (HINET is Taiwan), then Chile, Korea, etc. To go to each of these providers, figure out which local networks are the offenders, and communicate all this in a meaningful, constructive way to the end customers, well, it’s a gargantuan task!

Unfortunately I do not see a simple solution to this problem, and I fear that with the publicity the Spamhaus attack generated, we will ultimately see more of these kinds of attacks.

If you are curious like me, why not check your local ISP range and see if you can find any open resolvers? You never know what you might find! I’ll buy a pint for the person who can find the most… at a date/time/location of my choosing… provided it’s in the UK… in the South somewhere… near Reading or Basingstoke! ;-)

By Paul Roberts, CEO, Calleva Networks


Comments

Updated Bind, old configuration Todd Knarr  –  Apr 3, 2013 5:34 AM

If people are running Bind locally (eg. to provide DNS to a home network), it may be that they’ve updated Bind itself but never updated the config file. If the config doesn’t actually break badly enough to keep Bind from starting, they may not even notice that it’s one that still has Bind listening on the external interface and allowing recursion from anyone. Or, when the changes went in, it may’ve broken things and rather than troubleshoot it correctly they just slapped “any” in and when it worked they called it good.

I’m not sure I’d blame the casual admins for that last either. I know I get griped at quite a bit at work when I insist on figuring out what the right way to do something is even though we’ve got a quick-and-dirty way that works, and the people griping are from the corporate IT group in charge of the network for the entire company. I’m guilty of quick-and-dirty myself at times, but at least I have the decency to mark it “NEEDS FIXED”.

Looking at the magnitude of all of Chris Buijs  –  Apr 3, 2013 6:37 AM

Looking at the magnitude of all of this (open resolvers, able to spoof, and actually a big attack going on), we have an attitude, lack of knowledge and mentality issue on our hands. Technically everything could be nice and dandy, but no-one cares (again, underlined by the numbers).

Authoritative Servers Christof Meerwald  –  Apr 3, 2013 12:19 PM

Not everything in that list is actually an open resolver - PowerDNS servers (even if they don’t provide recursion) also seem to be included, e.g. dns-eu1.powerdns.net (46.165.192.30) is also included in the list.


