DDoS Attacks Via DNS Recursion
Posted by
Zonk
on Thu Mar 16, 2006 01:37 PM
from the to-understand-recursion-you-must-understand-recursion dept.
JehCt writes "Associated Press is running a story about how the recursion feature of open DNS servers can be used to launch massive distributed denial of service (DDoS) attacks: 'First detected late last year, the new attacks direct such massive amounts of spurious data against victim computers that even flagship technology companies could not cope.' A thread at WebmasterWorld explains, 'To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'"
Related Stories
DDoS on Domain Registrar 69 comments
miller60 writes "Netcraft is reporting that 'domain registrar Joker.com says its nameservers have been hit with a massive DDoS attack, causing outages for customers. More than 550,000 domains are registered with Joker, meaning the outages could be widely felt. It's not clear why the DDoS is succeeding, as most registrars have implemented sturdy DDoS protection since the attack on the root nameserver system back in 2002.' Some security experts have warned in recent weeks about DNS recursion attacks as previously discussed here on Slashdot, which can amplify the power of attacks launched from botnets."

djbdns (Score:3, Informative)
(http://russnelson.com/)
Re:djbdns (Score:5, Informative)
(http://paisteuser.blogspot.com/)
Fixing bind9 (Score:5, Informative)
(http://perry.kundert.ca/)
Let's say that your local LAN and WLAN networks are 192.168.0/24 and 192.168.1/24, respectively. Make the following additions to your /etc/bind/named.conf.options (or equivalent):
Re:djbdns (Score:4, Interesting)
Re:djbdns (Score:5, Funny)
(http://russnelson.com/)
Re:djbdns (Score:4, Informative)
It's very easy to define an external zone without recursion and some master zones and an internal zone that recurses. This also has the benfit of split caches. If you just disabled recursion for some clients in a "single-zone" BIND, you still are "vulnerable" to information leakage where external clients can probe your cache for records.
http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch0
Separate authoritative and recursive (Score:4, Informative)
recursive, which is something that DJB has been preaching for a while.
Consequently djbdns won't do this, but it is quite possible to make bind not
do this also. (In fact BIND has now come round and recommended this.)
It seems to me like a no-brainer, why is splitting the two such a problem?
SDNS wouldn't hurt either, but that will take a lot more doing.
Doctor, it hurts when I go like this (Score:3, Insightful)
OK, don't do that then.
Recursion == recursion == recursion == ... (Score:3, Funny)
(http://jrascher.wordpress.com/ | Last Journal: Thursday June 22 2006, @10:09PM)
See recursion [catb.org]. See also tail recursion [catb.org].
From the Jargon File [catb.org].
Could someone explain how the attack works? (Score:2, Interesting)
(http://michael.bacarella.com/ | Last Journal: Friday November 01 2002, @06:19PM)
From what I understand of DNS resolvers, this attack can't work unless there's another compromise at play here. Either a compromise of one of the victim host's zones, or a compromise of the servers hosting the open resolvers themselves.
Re:Could someone explain how the attack works? (Score:5, Informative)
Re:Could someone explain how the attack works? (Score:5, Informative)
Another problem:
(Quoting a post on the other site) "they can send a 70 byte packet to your DNS server, and your DNS server will send a 500+ byte packet to the victim. With EDNS0, that can be 4,000+ bytes.
So with a dialup account, it would be possible to saturate a T1.
There's plenty of ways for them to mess with you without any 'compromised' machines on your network.
That's a bold statement (Score:3, Interesting)
(http://fak3r.com/)
Anyone want to discuss how DNS Cache [cr.yp.to] addresses this? AFAIK this is a pretty "safe" way to provide DNS to at least a small sized network - but that's all I run it on. Comments, concerns, advice?
Disable recursion in BIND (Score:5, Informative)
recursion no;
Problem solved.
overwhelming floods of amplified data (Score:2, Informative)
Suggestion:
-Verify requests
-Verify directory computers have not been compromised
-Disallow amplified data
-Build a new secure system for handling traffic
There is a defense (Score:3, Funny)
/.ers will know that only the mighty foot of Chuck Norris [chucknorrisfacts.com] is powerful enough to kick back such a massive DDoS attack. There is a problem though: since there is only 1 of him, Chuck can't defend more than one site at a time. And of course his hourly rates are a bit steep, too.
Vary your mileage may.
Split-split DNS Design (Score:5, Informative)
ADVERTISER
RESOLVER
INTERNAL
The advertiser sits outside, Internet-facing, and is only responsible for resolving outside queries for your own domains. It does not do recursion or dynamic updates, and has a secured cache.
The resolver and internal sit inside, are intranet-facing, and handle internal requests for outside domains, and internal requests for internal domains respectively.
There are lots of articles on-line which show how to set this up.
Recursion considered harmful (Score:4, Funny)
In other news... (Score:1, Redundant)
When BIND is fixed I'll implement it (Score:2, Interesting)
(http://www.whiteboxlinux.org/)
Some of us don't like the idea of maintaining more servers than are absolutely required, this looks like a pretty bogus reason to install another set of nameservers.
Of course there is... (Score:5, Informative)
(http://rhadmin.org/)
Back in the bind 4 days, when I did serious DNS, my company wanted a few servers visible in their domain(s) for external dns host resolution.
For people behind the firewall, they wanted a far more extensive list of hosts that were not to be seen for queries outside the firewall.
I did this by using scp to transfer the zone files from the external to the internal DNS server; the internal server would then "cat" the additional hosts to the zone and HUP the named.
AFAIK modern BIND uses "zones" so you can accomplish the above on one server, if you want. I've never used it, but I can see a number of situations where I'd need my above solution even with this feature.
What BIND needs is not a "recursion no;" option, but instead a "recursion eth0;" or "recursion 1.2.3.*;" so recursive queries must originate from a trusted network.
Remember also that not everyone in the world uses BIND - people with ActiveDirectory or NDS name servers might be screwed until a vendor patch.
Re:When BIND is fixed I'll implement it (Score:5, Informative)
(http://www.lepertheory.net/)
// Views are matched in the order they appear, so the restricted
// "internal" view must come before the catch-all "external" one.
view "internal" {
    match-clients {
        10.0.0.0/8;
    };
    recursion yes;
    zone "example.com" {
        yadda yadda yadda;
    };
};
view "external" {
    match-clients {
        any;
    };
    recursion no;
    zone "example.com" {
        blah blah blah;
    };
};
Re:When BIND is fixed I'll implement it (Score:4, Informative)
view "internal" {
    match-clients { internals; guests; };
    recursion yes;
    // Root hints are only needed where recursion is actually performed.
    zone "." {
        type hint;
        file "bootstrap/cache";
    };
    zone "example.com" {
        type master;
        file "example-int.com";
    };
};
view "external" {
    match-clients { any; };
    recursion no;
    // Do not pad external answers with extra records taken from
    // authoritative data or from the cache.
    additional-from-auth no;
    additional-from-cache no;
    zone "example.com" {
        type master;
        file "example-ext.com";
        allow-query { any; };
    };
};
---------
I believe that should prevent bind from being too useful from the outside.
old new (Score:3, Informative)
1 question? (Score:2)
(http://web.mac.com/crackedbutter | Last Journal: Monday January 01 2007, @07:57PM)
slashdot DNS is OPEN! (Score:4, Informative)
FAIL Open DNS servers ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Server 66.35.250.12 reports that it will do recursive lookups. [test]
Server 12.152.184.136 reports that it will do recursive lookups. [test]
Server 12.152.184.135 reports that it will do recursive lookups. [test]
See this page for info on closing open DNS servers.
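The two posts above cover the attack and the check: a small spoofed query drawing a much larger answer out of a resolver that will recurse for anyone, and a report that flags a nameserver as "open" because it answers recursive queries for domains it is not authoritative for. The following Python 3 script is an added example, not code from the thread, from Slashdot, or from the DNS report tool it quotes. It builds a raw DNS query (optionally with an EDNS0 OPT record advertising a large UDP payload size), parses the response header for the RA and AA flags and the RCODE, and reports both an open-resolver verdict and the amplification ratio (response bytes divided by query bytes). The response used for the offline run is constructed in the script; `probe()` does real network I/O and assumes you are authorised to query the server named and that it is not authoritative for the test name (`example.com` is only a placeholder).

```python
"""Open-resolver check and amplification estimate for a DNS server (added example)."""
import socket
import struct
from typing import Optional

DNS_TYPE_A = 1
DNS_TYPE_ANY = 255
DNS_TYPE_OPT = 41


def encode_qname(qname: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a root byte."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = DNS_TYPE_A,
                edns_udp_size: Optional[int] = None, txid: int = 0x1234) -> bytes:
    """Build a standard query with RD=1; append an OPT pseudo-RR when EDNS0 is requested."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags 0x0100 = RD
    question = encode_qname(qname) + struct.pack("!HH", qtype, 1)    # class IN
    pkt = header + question
    if edns_udp_size:
        # RFC 6891 OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = extended RCODE/version/flags (all zero), RDLENGTH 0.
        pkt += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_udp_size, 0, 0)
    return pkt


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the flags and counts we care about."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query: bytes, resp: bytes) -> dict:
    """Open resolver = it answered (not just advertised RA) a query it is not authoritative for."""
    h = parse_header(resp)
    open_resolver = (h["qr"] and h["ra"] and h["rcode"] == 0
                     and h["ancount"] > 0 and not h["aa"])
    return {"open_resolver": open_resolver,
            "amplification": len(resp) / len(query), **h}


def build_sample_response(query: bytes, rdata: bytes = bytes([192, 0, 2, 1]),
                          ra: bool = True) -> bytes:
    """Constructed sample answer to `query`: one A record (TEST-NET address), RA optional."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8100 | (0x0080 if ra else 0)          # QR + RD (+ RA), AA clear
    end = query.index(b"\x00", 12) + 1 + 4           # end of qname + qtype + qclass
    question = query[12:end]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def probe(server: str, qname: str = "example.com", edns: Optional[int] = 4096,
          timeout: float = 3.0) -> dict:
    """Send one recursive query over UDP/53 and classify the reply (network I/O)."""
    q = build_query(qname, qtype=DNS_TYPE_ANY, edns_udp_size=edns)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(65535)
    return classify(q, resp)


if __name__ == "__main__":
    q = build_query("example.com")
    for ra in (True, False):
        verdict = classify(q, build_sample_response(q, ra=ra))
        print(f"RA={ra}: open={verdict['open_resolver']} "
              f"amplification={verdict['amplification']:.2f}x")
```

The verdict deliberately requires an actual answer (`ancount > 0`) with AA clear rather than trusting the RA bit alone, which matches the report's caveat that a server may advertise recursion it does not perform; a server that is authoritative for the test name will set AA, so pick a name outside its zones. Against a real open resolver an `ANY` query with EDNS0 is where the 70-byte-in, several-kilobytes-out ratio quoted above comes from, so keep such probes to servers you own.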
History repeats itself (Score:1, Funny)
Digital Research cloned it and improved it in the late 1980s (early '90s?), making a program called DR-DOS that pundits called "a better DOS than DOS."
Flash forward to Yahoo News: [yahoo.com]
"Experts call the attack technique a 'distributed reflector denial of service,'" says the site.
So once again, DoS has been supplanted by DRDoS.
DDoS? "R", matey! (Score:3, Informative)
(http://www.demodulated.com/ | Last Journal: Thursday January 05 2006, @01:38PM)
http://hyppy.zapto.org/DRDoS-Spyrochaete.html [zapto.org]
TV Media (Score:2)
(http://klowner.com/)
StormPay: A recent example of this attack (Score:3, Interesting)
(http://www.datacenterknowledge.com/)
As previous posters have noted, these attacks have become more frequent in recent months, prompting an advisory from US-CERT (PDF) [us-cert.gov] in December. It's a hot topic on several security lists, and a special focus of SecuriTeam blogger Gadi Evron [securiteam.com].
Well duh! (Score:2)
(http://www.silverglass.org/)
It's taken them this long to notice this one? The cricket book discusses it, fer cryin' out loud, and had a good recommended solution: refuse recursive queries by default, then enable them only on those nameservers that'll be used by your client machines and only if the query comes from your local network. I thought everybody setting up a nameserver knew this one, BIND even comes with options specifically to make it easy to do.
Disable Recursion in old versions of BIND (Score:1)
options no-recursion
Another recommended configuration is
options no-recursion no-fetch-glue
NOTE:
If you turn off recursion on any DNS server make sure you don't list that server in any other computer's resolv.conf file.
Attacks reflected by authoritative servers? (Score:1)
(http://www.vanginderachter.be/)
detailed technical paper on the subject (Score:1)
DNS Amplification Attacks - A Smokescreen? (Score:1)
(http://www.adns.net/)
Inclusive Namespace roots provide public resolvers for users whose ISPs are too stubborn or dumb to provide their users with choice. Customers of such ISPs can simply decide to use the public resolvers provided by the INS roots, like Public Root or ORSC.
Shutting off user choice by suggesting that ISPs block outbound 53/TCP, 53/UDP will take away that choice.
I'm sure that some ICANN sycophants will be happy about this and if I were the suspicious type, I'd say that this sudden "awareness" of a "severe security problem" that has been around for a long time may be planned by those who are becoming uncomfortable with the ever increasing number of people who are abandoning the ICANN root in favor of DNS Service Providers (DSPs) who provide a view of the entire internet and don't impose non-related policies (UDRP) on domain registrants.
What better way to kill the INS than by putting up a security straw man and scaring people, especially ISPs, into taking away DNS choices from internet citizens. I am especially suspicious about this after seeing who was quoted in the recent MSNBC piece about the so-called "new" security risk that has "just been discovered". His jihad against allowing internet citizens to have freedom to choose their DSP from among global choices is well known to all.
Watch out here - there may be more to this story than meets the eye...
Now if only.... (Score:1)
(http://jackshck.livejournal.com/ | Last Journal: Thursday August 10 2006, @04:15PM)
MOD REPLY TO PARENT UP (Score:3, Funny)
The real risk is perhaps The Final Virus [catb.org].
Re:I must resist (Score:5, Informative)
(http://www.intelligentblogger.com/ | Last Journal: Monday August 27, @11:47AM)
Re:I must resist (Score:3, Funny)
Re:Old NEws (Score:5, Informative)
Re:I must resist (Score:1)
Recursive would be something like what the acronym LAME stands for: "LAME Ain't an MP3 Encoder." [acronymfinder.com]
(Which, originally, it wasn't.)