DDoS Attacks Via DNS Recursion

Posted by Zonk on Thu Mar 16, 2006 02:37 PM
from the to-understand-recursion-you-must-understand-recursion dept.
JehCt writes "Associated Press is running a story about how the recursion feature of open DNS servers can be used to launch massive distributed denial of service (DDoS) attacks: 'First detected late last year, the new attacks direct such massive amounts of spurious data against victim computers that even flagship technology companies could not cope.' A thread at WebmasterWorld explains, 'To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'"

Related Stories

[+] DDoS on Domain Registrar 69 comments
miller60 writes "Netcraft is reporting that 'domain registrar Joker.com says its nameservers have been hit with a massive DDoS attack, causing outages for customers. More than 550,000 domains are registered with Joker, meaning the outages could be widely felt. It's not clear why the DDoS is succeeding, as most registrars have implemented sturdy DDoS protection since the attack on the root nameserver system back in 2002.' Some security experts have warned in recent weeks about DNS recursion attacks as previously discussed here on Slashdot, which can amplify the power of attacks launched from botnets."
This discussion has been archived. No new comments can be posted.
  • djbdns (Score:3, Informative)

    by Russ Nelson (33911) on Thursday March 16 2006, @02:40PM (#14935491) Homepage
    That's why you run djbdns [cr.yp.to] -- by default it's closed to recursive queries.
    • Re:djbdns (Score:5, Informative)

      by PaisteUser (810863) on Thursday March 16 2006, @02:51PM (#14935592) Homepage
      It's not that difficult to make BIND9 not respond to recursive queries: add "recursion no;" to the "options {};" section of the named.conf file, reload the config and you're good to go.
      • Fixing bind9 (Score:5, Informative)

        by pjkundert (597719) on Thursday March 16 2006, @03:28PM (#14935972) Homepage
        If you run an internet facing bind9 DNS server, you may want to allow recursion (caching) to your internal clients, while continuing to serve DNS requests to external clients for your domains (those for which you are "authoritative").

        Lets say that your local LAN and WLAN networks are 192.168.0/24 and 192.168.1/24, respectively. Make the following additions to your /etc/bind/named.conf.options (or equivalent):

        options { allow-query { any; }; allow-recursion { 192.168.0.0/24; 192.168.1.0/24; localhost; }; ...
          • Re:djbdns (Score:4, Interesting)

            by Perl-Pusher (555592) on Thursday March 16 2006, @03:35PM (#14936021)
            I have 3 dns servers are NAT'd on the private lan and allow recursion, the public one outside doesn't. I'm not a DNS expert but I haven't had any issues from users or attacks.
          • Re:djbdns (Score:4, Informative)

            by TCM (130219) on Thursday March 16 2006, @08:13PM (#14938001)
            BIND9 has a concept called views. Views are separate sets of option{}; and zone{}; scopes based on client address or destination address or even something else.

            It's very easy to define an external zone without recursion and some master zones and an internal zone that recurses. This also has the benefit of split caches. If you just disabled recursion for some clients in a "single-zone" BIND, you still are "vulnerable" to information leakage where external clients can probe your cache for records.

            http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#view_statement_grammar [bind9.net]
    • by Aspirator (862748) on Thursday March 16 2006, @02:54PM (#14935635)
      I am quite a fan of djbdns, but the key here is to separate authoritative and
      recursive, which is something that DJB has been preaching for a while.

      Consequently djbdns won't do this, but it is quite possible to make bind not
      do this also. (In fact Bind now has come round and recommended this.)

      It seems to me like a no-brainer, why is splitting the two such a problem?

      SDNS wouldn't hurt either, but that will take a lot more doing.
      • why is splitting the two such a problem?

        It isn't that hard, but it's perceived to be difficult. You have to set up your authoritative records on a separate IP address from your current DNS server (e.g. using tinydns). Then you tell your registrar that your nameserver has a different IP address. At that point, the only queries coming to your old IP address should be recursive queries coming from your users. Then you can close off recursive queries coming from the rest of the net (e.g. using dnscache).

        The
    • With his weird license? God. He writes good software. He's even a bloody certified genius, but he's almost as insufferable as Dave Weiner. Don't try and submit a patch - unless you are just donating to his case, and want nothing as a contributor. Also, be prepared for the contempt of his responses.

      Besides, who wants software written by a cartoon bear?
        • No, most of his software is copyrighted. The only djb software which is in the public domain is software that he has explicitly given to the public domain. The term for the rest of his software is "license-free". You don't need a license to use it. Just download it! Copyright law lets you do anything you want with a copyrighted work, except redistribute it. You can publish patches, as we've done with netqmail [qmail.org].
  • by $RANDOMLUSER (804576) on Thursday March 16 2006, @02:46PM (#14935545)
    > 'To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'

    OK, don't do that then.

  • recursion: n.

        See recursion [catb.org]. See also tail recursion [catb.org].

    From the Jargon File [catb.org].
  • by fak3r (917687) on Thursday March 16 2006, @02:51PM (#14935602) Homepage
    having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'

    Anyone want to discuss how DNS Cache [cr.yp.to] addresses this? AFAIK this is a pretty "safe" way to provide DNS to at least a small sized network - but that's all I run it on. Comments, concerns, advice?
  • by Ponga (934481) on Thursday March 16 2006, @02:55PM (#14935646)
    Put this line in your zone definition:
    recursion no;

    Problem solved.
  • by lazarus (2879) on Thursday March 16 2006, @03:25PM (#14935945)
    For enterprise systems a split-split DNS design is the best. There are three components to this design:

    ADVERTISER
    RESOLVER
    INTERNAL

    The advertiser sits outside, Internet-facing, and is only responsible for resolving outside queries for your own domains. It does not do recursion or dynamic updates, and has a secured cache.

    The resolver and internal sit inside, are intranet-facing, and handle internal requests for outside domains, and internal requests for internal domains respectively.

    There are lots of articles on-line which show how to set this up.
  • by Anonymous Coward on Thursday March 16 2006, @03:26PM (#14935952)
    Should have used gotos! -1 for the functional language weenies!
  • by Anonymous Coward on Thursday March 16 2006, @03:51PM (#14936157)
    http://www.dnsreport.com/tools/dnsreport.ch?domain=slashdot.org [dnsreport.com]

    FAIL Open DNS servers ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

    Server 66.35.250.12 reports that it will do recursive lookups. [test]
    Server 12.152.184.136 reports that it will do recursive lookups. [test]
    Server 12.152.184.135 reports that it will do recursive lookups. [test]

    See this page for info on closing open DNS servers.
    • by Anonymous Coward on Thursday March 16 2006, @02:58PM (#14935677)
      No compromise needed. You just send requests to the DNS server spoofing yourself as the victim's IP. (UDP is much easier to spoof, and can be sent out very quickly.) The replies, which are some 30 times larger than the requests, get sent to the spoofed IP (victim). It is a classic form of amplification attack.
    • by LurkerXXX (667952) on Thursday March 16 2006, @03:01PM (#14935700)
      Then you don't understand DNS resolvers. Did you bother reading the linked site? All you need to do is query an open resolver with some domain you set up (ex my.spam.com), then change the authoritative DNS of your registered domain as the target open DNS resolver. Now whenever someone anywhere in the world queries for my.spam.com, it hits your DNS server (until their local server caches it). It looks like you are hosting the spammer.

      Another problem:
      (Quoting a post on the other site)"they can send a 70 byte packet to your DNS server, and your DNS server will send a 500+ byte packet to the victim. With EDNS0, that can be 4,000+ bytes.

      So with a dialup account, it would be possible to saturate a T1.

      There's plenty of ways for them to mess with you without any 'compromised' machines on your network.
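
    The two comments above (spoofed UDP query in, much larger reply out to the victim, bigger still once EDNS0 lifts the 512-byte cap) and the dnsreport check further up (does the server set RA and answer a recursive query for a name it isn't authoritative for?) both come down to the DNS wire format, so here is an added Python example that is not part of this thread and not anyone's posted code. It builds a raw query, models the reply a resolver would send (dropping RRs that don't fit the client's advertised UDP size and setting TC, as a real server does), and computes bytes out divided by bytes in. The name example.com, the three fat TXT records and all packet bytes are constructed test data; the `probe()` helper at the end sends one real query and is assumed to be pointed at a server you are responsible for.

```python
import socket
import struct

# Constructed example: raw DNS packet helpers showing why an open recursive
# resolver is an amplifier. Names, record sizes and packets are assumed data.
DNS_CLASS_IN = 1
DNS_TYPE_TXT = 16
DNS_TYPE_OPT = 41
DNS_TYPE_ANY = 255
EDNS_UDP_SIZE = 4096  # UDP payload size advertised in the OPT record


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a 0 byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=DNS_TYPE_ANY, txid=0x1234, edns=False):
    """Recursive (RD=1) query; with edns=True an OPT pseudo-RR is appended."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    packet = header + encode_name(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)
    if edns:
        # OPT: root name, TYPE=41, CLASS=advertised UDP size, TTL=0, RDLEN=0
        packet += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, EDNS_UDP_SIZE, 0, 0)
    return packet


def question_end(packet):
    """Offset just past the single question section."""
    i = 12
    while packet[i] != 0:
        i += packet[i] + 1
    return i + 1 + 4  # terminating 0, then QTYPE and QCLASS


def edns_udp_size(query):
    """UDP payload size advertised by the query's OPT record, else None."""
    if struct.unpack("!H", query[10:12])[0] == 0:
        return None
    i = question_end(query)
    name, rtype, size = struct.unpack("!BHH", query[i:i + 5])
    return size if (name == 0 and rtype == DNS_TYPE_OPT) else None


def parse_header(packet):
    """Decode the 12-byte header into the flags and counts we care about."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def build_response(query, answers, ra=True, rcode=0):
    """Model a resolver's reply. answers are (type, ttl, rdata) tuples whose
    owner is a compression pointer to the question name (offset 12). RRs that
    would push the reply past the client's UDP limit (512 without EDNS0) are
    dropped and TC is set, which is what keeps non-EDNS replies small."""
    txid, flags = struct.unpack("!HH", query[:4])
    question = query[12:question_end(query)]
    adv = edns_udp_size(query)
    opt = (b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, EDNS_UDP_SIZE, 0, 0)) if adv else b""
    limit, size, rrs, truncated = (adv or 512), 12 + len(question) + len(opt), [], False
    for rtype, ttl, rdata in answers:
        rr = b"\xc0\x0c" + struct.pack("!HHIH", rtype, DNS_CLASS_IN, ttl, len(rdata)) + rdata
        if size + len(rr) > limit:
            truncated = True
            break
        rrs.append(rr)
        size += len(rr)
    rflags = (0x8000 | (flags & 0x0100) | (0x0080 if ra else 0)
              | (0x0200 if truncated else 0) | (rcode & 0x000F))
    header = struct.pack("!HHHHHH", txid, rflags, 1, len(rrs), 0, 1 if adv else 0)
    return header + question + b"".join(rrs) + opt


def is_open_resolver(response):
    """What the dnsreport check boils down to: the server set RA and answered
    a recursive query for a name it is not authoritative for."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0


def amplification_demo(name="example.com", edns=False):
    """Constructed scenario: ANY query for a TXT-heavy name against an open
    resolver. Returns (query, reply, bytes_out / bytes_in)."""
    query = build_query(name, edns=edns)
    fat_zone = [(DNS_TYPE_TXT, 3600, bytes([250]) + b"x" * 250) for _ in range(3)]  # constructed
    reply = build_response(query, fat_zone)
    return query, reply, len(reply) / len(query)


def probe(server, name="example.com", timeout=3.0):
    """Send one real recursive query (the dnsreport test) to a server you are
    responsible for; returns (is_open, amplification)."""
    query = build_query(name, edns=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply = s.recv(EDNS_UDP_SIZE)
    return is_open_resolver(reply), len(reply) / len(query)


if __name__ == "__main__":
    for edns in (False, True):
        q, r, f = amplification_demo(edns=edns)
        print(f"edns={edns}: {len(q)}-byte query -> {len(r)}-byte reply "
              f"(TC={parse_header(r)['tc']}), x{f:.1f}")
```

    Run it and the point of the EDNS0 remark is visible in the numbers: the same three-record answer is cut to one record and flagged TC for a plain 29-byte query, but goes out whole once the 40-byte query advertises a 4096-byte buffer, so the attacker's extra 11 bytes roughly double the ratio. `probe()` is the same single query dnsreport sends; an RA flag plus an answer for a name you don't serve means your server is on the open-relay side of the analogy.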

    • by emil (695) <cfisher.rhadmin@org> on Thursday March 16 2006, @04:10PM (#14936309) Homepage
      There really isn't a good reason one nameserver can't serve internal and external users.

      Back in the bind 4 days, when I did serious DNS, my company wanted a few servers visible in their domain(s) for external dns host resolution.

      For people behind the firewall, they wanted a far more extensive list of hosts that were not to be seen for queries outside the firewall.

      I did this by using scp to transfer the zone files from the external to the internal DNS server; the internal server would then "cat" the additional hosts to the zone and HUP the named.

      AFAIK modern BIND uses "zones" so you can accomplish the above on one server, if you want. I've never used it, but I can see a number of situations where I'd need my above solution even with this feature.

      What BIND needs is not a "recursion no;" option, but instead a "recursion eth0;" or "recursion 1.2.3.*;" so recursive queries must originate from a trusted network.

      Remember also that not everyone in the world uses BIND - people with ActiveDirectory or NDS name servers might be screwed until a vendor patch.

    • view "internal" {
        match-clients {
          10.0.0.0/8;
        };
        recursion yes;
        zone "example.com" {
          yadda yadda yadda;
        };
      };

      view "external" {
        match-clients {
          any;
        };
        recursion no;
        zone "example.com" {
          blah blah blah;
        };
      };
      • by gkitty (869215) on Thursday March 16 2006, @05:06PM (#14936699)
        In Bind9 you don't have to return cached data, so though it happens by default you can turn it off ("additional-from-cache"):

        view "internal" {
                match-clients { internals; guests; };
                recursion yes;

                zone "." {
                        type hint;
                        file "bootstrap/cache";
                };

                zone "example.com"{
                        type master;
                        file "example-int.com";
                };
        };

        view "external" {
                match-clients { any; };
                recursion no;
                additional-from-auth no;
                additional-from-cache no;

                zone "example.com"{
                        type master;
                        file "example-ext.com";
                        allow-query { any; };
                };
        };

        ---------

        I believe that should prevent bind from being too useful from the outside.