Although this week's large-scale DDoS attack against Spamhaus may not have been as crippling as early reports suggested, it was noteworthy in that it shined a spotlight on a couple of the Internet's many underlying weaknesses. Among them are open DNS resolvers, which enable a technique called DNS amplification wherein attackers bombard target servers with as much as 100 bytes of network-clogging traffic for every one byte they send out.
It remains to be seen whether the parties with the know-how and clout will start addressing these shortcomings in a holistic and meaningful way to make the Internet more secure. Unfortunately it will probably take an incident even more devastating and damaging to get that ball rolling.
Threat Post has a good writeup about open resolvers and DNS amplification and their role in the DDoS assault on Spamhaus:
The underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland. Open resolvers do not authenticate a packet-sender's IP address before a DNS reply is sent back. Therefore, an attacker that is able to spoof a victim's IP address can have a DNS request bombard the victim with a 100-to-1 ratio of traffic coming back to them versus what was requested. DNS amplification attacks such as these have been used lately by hacktivists, extortionists, and blacklisted webhosts to great success.
Jared Mauch of the Open DNS Resolver Project told Threat Post that the botnet involved in the Spamhaus attacks used more than 30,000 unique DNS resolvers, and "in a larger attack scenario, the collective power of these resolvers could have been used to keep much larger segments of the global network offline."
The solution: "The Open DNS Resolver Project and others, such as DNS service providers Afilias, recommend the implementation of source address validation," according to Threat Post. "An IETF RFC, BCP-38, exists that spells out how to use source address validation and build such an architecture to defeat IP source address spoofing."
Separately, system administrator Trevor Pott has a detailed blog post on The Register in which he confessed to unwittingly contributing to the DDoS attacks, resulting from "a simple configuration error when setting up a DNS server" residing on the edge of his network. He dubbed it an "edge scrubber" that functions as a router, handing out IP addresses to servers and routers within the data center. It also "serves various 'scut work' functions on behalf of all the other devices on the network. It is the data center-local network time server, external DNS server, IDS, edge firewall, and bandwidth limiter."
The problem, he said, was that he neglected to disable recursive lookups on the server, which made it a tool for DNS amplification. "DNS servers can be configured in one of two basic ways," he explained. "In one possible configuration, a DNS server serves only domains for which it is responsible (authoritative)," he wrote. "In the other configuration the DNS server serves those domains and goes looking on the wider Internet for any domains it isn't personally set up to manage (recursive).... Recursive DNS servers are what allow the Internet to work. They are also an attack vector."
He explained in detail how he remedied the configuration problem with his server. In short, the problem stemmed from an assumption that BIND (an implementation of the DNS protocols) disabled recursion by default; the fix entailed "instructing BIND to only honor recursion requests from servers inside [his] data center."
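What that fix looks like in BIND's named.conf, shown here as an added illustration rather than Pott's own configuration: the weak setting that makes the server an open resolver, beside the corrected form that honors recursion only from inside the data center (the address ranges and zone name are placeholders).

```bind
// WEAK: recursion is on and no client ACL is applied, so the server answers
// recursive queries from any source address, including spoofed ones.
// (Constructed example; only one "options" block belongs in a real named.conf.)
options {
    recursion yes;
};

// CORRECTED: name the data-center ranges, then grant recursion and cache
// access only to them. Everyone else still gets authoritative answers for
// the zones this server is responsible for, nothing more.
acl "datacenter" {
    192.0.2.0/24;      // placeholder: internal IPv4 range
    2001:db8::/32;     // placeholder: internal IPv6 range
    localhost;
    localnets;
};

options {
    recursion yes;
    allow-recursion   { "datacenter"; };
    allow-query-cache { "datacenter"; };
    // Response Rate Limiting (BIND 9.9.4 and later): caps identical
    // responses per second to one client range, so a spoofed source
    // gets far less amplification from this server.
    rate-limit {
        responses-per-second 5;
    };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };   // authoritative data stays reachable by all
};
```

After reloading, a query for a name outside your zones sent from an external address should return REFUSED rather than an answer; the Open DNS Resolver Project's checker can confirm this from outside.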
More details on configuring your DNS servers to prevent DNS amplification attacks are available at the Open DNS Resolver Project website.
This story, "Fix your DNS servers or risk aiding DDoS attacks," was originally published at InfoWorld.com.