DDoS Attacks Via DNS Recursion
JehCt writes "Associated Press is running a story about how the recursion feature of open DNS servers can be used to launch massive distributed denial of service (DDoS) attacks: 'First detected late last year, the new attacks direct such massive amounts of spurious data against victim computers that even flagship technology companies could not cope.' A thread at WebmasterWorld explains, 'To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'"
djbdns (Score:3, Informative)
Re:djbdns (Score:5, Informative)
Fixing bind9 (Score:5, Informative)
Let's say that your local LAN and WLAN networks are 192.168.0/24 and 192.168.1/24, respectively. Make the following additions to your /etc/bind/named.conf.options (or equivalent):
Re:Fixing bind9 (Score:2)
allow-recursion {
192.168.0.0/16;
172.16.0.0/12;
10.0.0.0/8;
127.0.0.0/8;
};
This way, those who mindlessly cut&paste will be less likely to shoot themselves in the foot. And, since people are going to leave the old wide-open but working version if anything breaks, it's better to have it work out of the box.
Re:Fixing bind9 (Score:2)
It would be better to use:
acl clients {
    192.168.1.0/24;
};

options {
    allow-query { clients; };
    allow-recursion { clients; };
};
and then in your zones
zone "example.com" {
type master;
allow-query { any; };
};
Re:djbdns (Score:2)
First, make an ACL that lists all the IP addresses for which you want to provide general DNS services. These are IP addresses you should trust... any of these can use your server as a DoS attacker.
acl internal { 127.0.0.0/8; 1.2.3.0/24; };
options {
Re:djbdns (Score:3, Informative)
You see, the chief difficulty is *exactly* the same as the open smtp relay problem. Back when everybody on the Internet knew each other, and abuse was resolved with a phone call, nobody understood that some services needed to be authorized, and some needed to be public. Thus, relaying and delivery SMTP servers were the same thing, and caching and authoritative DNS servers were the same thing
Re:djbdns (Score:4, Interesting)
Re:djbdns (Score:5, Funny)
Re:djbdns (Score:3, Insightful)
There was a server (named after a famous London landmark), which did DNS serving and also resolving, and was open to the whole internet (which, admittedly, wasn't too big). When customers moved away, they continued to use it for resolving. When the server was finally shut down in, errm, 1999 (wasn't the Y2k bug a marvellous excuse to get rid of services noone wanted to mai
Re:djbdns (Score:4, Informative)
It's very easy to define an external zone without recursion and some master zones and an internal zone that recurses. This also has the benefit of split caches. If you just disabled recursion for some clients in a "single-zone" BIND, you still are "vulnerable" to information leakage where external clients can probe your cache for records.
http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch0
Re:djbdns (Score:2)
Separate authoritative and recursive (Score:4, Informative)
recursive, which is something that DJB has been preaching for a while.
Consequently djbdns won't do this, but it is quite possible to make bind not
do this also. (In fact Bind now has come round and recommended this.)
It seems to me like a no-brainer, why is splitting the two such a problem?
SDNS wouldn't hurt either, but that will take a lot more doing.
Re:Separate authoritative and recursive (Score:3, Informative)
It isn't that hard, but it's perceived to be difficult. You have to set up your authoritative records on a separate IP address from your current DNS server (e.g. using tinydns). Then you tell your registrar that your nameserver has a different IP address. At that point, the only queries coming to your old IP address should be recursive queries coming from your users. Then you can close off recursive queries coming from the rest of the net (e.g. using dnscache).
The
Re:Separate authoritative and recursive (Score:2)
I don't think so.
Why don't you just add a "query { trusted-hosts; }" line to the global options, and a "query { any; }" line to your authoritative zones? It's not rocket science.
That's by Berenstain? (Score:3, Insightful)
Besides, who wants software written by a cartoon bear?
Why do you think you need a license? (Score:2)
Oh, and look at qmail-1.03.tar.gz#CREDITS -- my name is in there because of patches I've submitted to djb. Granted, he rewrote most of my code because his design was better than mine, but just because most patches 1) suck, 2) aren't necessary, 3) make the code worse, and 4) are badly designed, doesn't mean that all are.
Re:Why do you think you need a license? (Score:2)
You got that ALMOST right. Let's correct it:
Why do you think you need a license? Copyright law doesn't impose ANY restrictions on what you do with something you've downloaded. It only stops you from making and distributing copies which are not in accordance with the Fair Use clause.
There. Much better. Methinks you work for the MPAA or RIAA.
Re:Why do you think you need a license? (Score:3, Insightful)
Re:Why do you think you need a license? (Score:2)
I hate to be pedantic about this, but I think you mean pedagogical purposes.
Re:Why do you think you need a license? (Score:2)
As I'm sure you know Rick Moen [linuxmafia.com] has an informative text on this. IMO you'd have to be insane not to have a license on software you are using for SMTP/DNS (i.e. speaking directly with the outside world).
But, hey, you're free to be insane. Just don't act surprised when people don't want to join you for a glass of kool-aid.
Re:Why do you think you need a license? (Score:2)
True, but it is djb who is making the copy, not you. Every copy he gives you is a legally independent copy, which you are free to do whatever you want with, including give it away to someone else.
You cannot make two copies without explicit permission (ie, a license) from the copyright holder.
So? If you download a copy A of djb's software, and then legally copy it to make A', and you want another copy B, just go download it. djb is happy to give you as many separate copies o
Re:That's by Berenstain? (Score:3, Informative)
Re:That's by Berenstain? (Score:2)
Believe it or not that's why I moved from qmail to postfix. I wanted to patch our version of qmail to add a feature but I could not recreate our current binary because I had no idea which set of patches were applied to it. It seemed easier to install postfix and configure that (and it was!).
Re:That's by Berenstain? (Score:2)
Re:That's by Berenstain? (Score:2)
Wrong wrong wrong (Score:3, Informative)
No way is DJB software public domain.
In fact, I bet a dollar you don't even know what public domain is.
Right right right (Score:2)
Re:Wrong wrong wrong (Score:2)
Yeah, such a restrictive license killed the pine mail reader years ago.
Re:Wrong wrong wrong (Score:2)
Qmail is great in many ways and I've been running it for years, but to make it acceptable in today's spam & virus-filled world requires an ever growing amount of patches. Some of which won't work together any more.
As a result I switched to Postfix on many of my instal
Re:That's by Berenstain? (Score:2)
Post Anonymously because:
o Posting something stupid
o Posting something illegal
o Posting something embarrassing
o Posting something shameful
I think you would have selected the last one.
Re:djbdns (Score:2)
Though if you're setting up a DNS server, you should have a fair amount of expertise on how those abuses can arise and limit the possibility.
By default it's also useless. (Score:2)
That's why I have all my systems configured by CHUCK NORRIS.
No, just kidding. Anyway, no DNS system works without configuration, and a properly configured system is immune to this problem regardless of whether you run Vixie's code or Bernstein's.
Re:I love djbdns (Score:2)
Re:I love djbdns (Score:2)
Re:I love djbdns (Score:3, Interesting)
djbwm - it's the best window manager in the world, but when you try to move a window, it argues with you for ten minutes that it was already in the right place.
Re:I love djbdns (Score:2)
Re:djbdns (Score:3, Interesting)
Re:djbdns (Score:2)
Re:djbdns (Score:2)
Most people I know of that won't use his code cite things like his personality, which they generally only know by reputation. Personally, I don't give a toss about how difficult a person the developer of my software is, I just want to use good software. It's not like I'm going to be taking the guy out to dinner any time soon.
Re:djbdns (Score:2)
See here [cr.yp.to]
Re:djbdns (Score:2)
Thus, BIND9 (which
Doctor, it hurts when I go like this (Score:3, Insightful)
OK, don't do that then.
Re:Doctor, it hurts when I go like this (Score:2)
"Don't do that, then" is not helpful advice to the people who are suffering from this attack.
Re:Doctor, it hurts when I go like this (Score:2)
Recursion == recursion == recursion == ... (Score:3, Funny)
See recursion [catb.org]. See also tail recursion [catb.org].
From the Jargon File [catb.org].
Could someone explain how the attack works? (Score:2, Interesting)
From what I understand of DNS resolvers, this attack can't work unless there's another compromise at play here. Either a compromise of one of the victim host's zones, or a compromise of the servers hosting the open resolvers themselves.
Re:Could someone explain how the attack works? (Score:5, Informative)
Re:Could someone explain how the attack works? (Score:2, Insightful)
Re:Could someone explain how the attack works? (Score:2)
Re:Could someone explain how the attack works? (Score:5, Informative)
Another problem:
(Quoting a post on the other site) "they can send a 70 byte packet to your DNS server, and your DNS server will send a 500+ byte packet to the victim. With EDNS0, that can be 4,000+ bytes."
So with a dialup account, it would be possible to saturate a T1.
There's plenty of ways for them to mess with you without any 'compromised' machines on your network.
Re:Could someone explain how the attack works? (Score:2)
Then you don't understand DNS resolvers. Did you bother reading the linked site? All you need to do is query an open resolver with some domain you set up (ex my.spam.com), then change the authoritative DNS of your registered domain as the target open DNS resolver. Now whenever someone anywhere in the world queries for my.spam.com, it hits your DNS server (until their local server caches it). It looks like you are hosting the spammer.
No, the problem was that I did read the article and was utterly confuse
Re: (Score:2)
Re:Could someone explain how the attack works? (Score:2)
Example:
A? example.com
example.com CNAME
A?
Re:Could someone explain how the attack works? (Score:2)
Agreed! I think this problem is one we're just going to have to live with for now unless we start requiring all DNS queries to have a 3 way handshake. You could actually hack a 3 way handshake into the existing protocol pretty easily without changing the protocol or the client library implementation whatsoever. However, you'd be doubling or more the load on your DNS server.
Example:
A? example.com
example.com CNAME [cookie]._a.example.com (this response is generated)
A? [cookie]._a
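The handshake sketched in the post above, worked through as an added simulation (not code from the post or from any DNS server): the first query for a name gets back only a CNAME to <cookie>._a.<name>, and the A record is released only to a follow-up query that carries a valid cookie. The cookie here is an HMAC over (source address, name, time bucket), so the server keeps no per-client state; ZONE, SECRET, the CookieServer class and the `_a` label are assumptions for the demonstration, and messages are Python tuples rather than wire-format DNS. The same reachability proof is what RFC 7873 DNS Cookies provide with an EDNS option instead of a CNAME.

```python
"""Stateless CNAME-cookie handshake against spoofed-source reflection.
Added example; ZONE/SECRET are constructed, not from any real deployment."""
import hashlib
import hmac
import time

ZONE = {"example.com": "192.0.2.10"}   # constructed authoritative data
SECRET = b"assumed-server-secret"       # would be generated and rotated in practice


class CookieServer:
    def __init__(self, zone, secret, now=time.time, window=60):
        self.zone, self.secret, self.now, self.window = zone, secret, now, window

    def _cookie(self, src_ip, name, bucket):
        """Cookie bound to the claimed source address, the name and a time bucket."""
        msg = f"{src_ip}|{name}|{bucket}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]

    def _cookie_ok(self, src_ip, name, cookie):
        b = int(self.now() // self.window)
        # accept the current and previous bucket so a client is not cut off at the boundary
        return any(hmac.compare_digest(cookie.encode(), self._cookie(src_ip, name, x).encode())
                   for x in (b, b - 1))

    def handle(self, src_ip, qname):
        """Answer one A query.  Returns (rrtype, rdata).  The reply goes to
        src_ip, which is whatever the packet claimed, spoofed or not."""
        name = qname.lower().rstrip(".")
        if "._a." in name:                       # second leg: <cookie>._a.<name>
            cookie, _, base = name.partition("._a.")
            if base in self.zone and self._cookie_ok(src_ip, base, cookie):
                return ("A", self.zone[base])
            return ("NXDOMAIN", None)            # bad or foreign cookie: small reply
        if name in self.zone:                    # first leg: hand out a cookie, nothing big
            b = int(self.now() // self.window)
            return ("CNAME", f"{self._cookie(src_ip, name, b)}._a.{name}")
        return ("NXDOMAIN", None)


def honest_lookup(server, client_ip, qname):
    """A real resolver sends from its own address, so it sees the CNAME and follows it."""
    rtype, rdata = server.handle(client_ip, qname)
    if rtype == "CNAME":
        rtype, rdata = server.handle(client_ip, rdata)
    return rtype, rdata


def spoofed_attack(server, attacker_ip, victim_ip, qname):
    """Reflection attempt with victim_ip as the forged source.  Every reply goes
    to the victim, so the attacker never sees the victim's cookie; the best it
    can do is replay a cookie issued to its own address.  Returns the list of
    (destination, rrtype) for each reply the server sent."""
    sent = []
    rtype, _ = server.handle(victim_ip, qname)            # leg 1, spoofed
    sent.append((victim_ip, rtype))
    _, own_cname = server.handle(attacker_ip, qname)      # attacker's own cookie
    sent.append((attacker_ip, "CNAME"))
    rtype, _ = server.handle(victim_ip, own_cname)        # leg 2, spoofed, wrong cookie
    sent.append((victim_ip, rtype))
    return sent


if __name__ == "__main__":
    srv = CookieServer(ZONE, SECRET)
    print(honest_lookup(srv, "198.51.100.7", "example.com"))
    print(spoofed_attack(srv, "203.0.113.9", "198.51.100.7", "example.com"))
```

The victim still receives the leg-one CNAME reply, but it is about the size of the query, so the amplification is gone; the price is the doubled query count the post mentions, plus one more round trip for every legitimate client.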
Re:Could someone explain how the attack works? (Score:2)
Re:Could someone explain how the attack works? (Score:2)
"hosting spam" isn't a DDos. It was just a
That's a bold statement (Score:3, Interesting)
Anyone want to discuss how DNS Cache [cr.yp.to] addresses this? AFAIK this is a pretty "safe" way to provide DNS to at least a small sized network - but that's all I run it on. Comments, concerns, advice?
Re:That's a bold statement (Score:2)
The authoritative server tinydns does not cache at all, and so it is useless for this attack.
Disable recursion in BIND (Score:5, Informative)
recursion no;
Problem solved.
Re:Disable recursion in BIND (Score:2)
options {
allow-recursion { 127.0.0.1/32; };
};
That allows my server to use the local copy of bind for recursive queries, but limits everyone else to queries for which my server is authoritative. Bandwidth usage went from practically off the chart to low enough not to cost me extra for bandwidth immediately, and soon the attacker stopped trying to abuse
Re:Disable recursion in BIND (Score:3, Informative)
Depending on the DNS server, turning off recursion completely is not the answer. Granted most internet-facing DNS servers can simply turn recursion off without negatively impacting lookups (generally) but doing so for an internal system (or one that bridges an internal and external) is begging for trouble.
According to Chapter 2.2.6.2 of Pro DNS and BIND ( http://www.zytrax.com/books/dns/ch2/index.html#recursive [zytrax.com])
Re:Disable recursion in BIND (Score:2)
Hey, great man! Tha Host slashdot.org not found: 3(NXDOMAIN)
Re:Disable recursion in BIND (Score:2)
What kind of network are you running?
If you have internet-based customers that get services from you that require DNS, you better turn on recursion or those will be some pissed off customers.
overwhelming floods of amplified data (Score:2, Informative)
Suggestion:
-Verify requests
-Verify directory computers have not been compromised
-Disallow amplified data
-Build a new secure system for handling traffic
There is a defense (Score:3, Funny)
/.ers will know that only the mighty foot of Chuck Norris [chucknorrisfacts.com] is powerful enough to kick back such a massive DDoS attack. There is a problem though: since there is only 1 of him, Chuck can't defend more than one site at a time. And of course his hourly rates are a bit steep, too.
Vary your mileage may.
Split-split DNS Design (Score:5, Informative)
ADVERTISER
RESOLVER
INTERNAL
The advertiser sits outside, Internet-facing, and is only responsible for resolving outside queries for your own domains. It does not do recursion or dynamic updates, and has a secured cache.
The resolver and internal sit inside, are intranet-facing, and handle internal requests for outside domains, and internal requests for internal domains respectively.
There are lots of articles on-line which show how to set this up.
Re:Split-split DNS Design (Score:2)
You simply need to set listen statements in the named.conf's so that the ADVERTISER listens on an externally reachable address and the RESOLVER issues queries on an externally reachable address while listening on an address that can be reached only from the inside.
Depending on your topology and security constraints
Re:Split-split DNS Design (Score:2)
You need the same number for your ADVERTISERs as normal. No change there.
You can use martian addresses for the listen address of the rest and the ADVERTISERs address with a high port (non-53) as query source for the RESOLVERs (so that you do not churn a lot of NAT entries for them).
So there is no public address wastage here.
Recursion considered harmful (Score:4, Funny)
When BIND is fixed I'll implement it (Score:2, Interesting)
Some of us don't like the idea of maintaining more servers than are absolutely required, this looks like a pretty bogus reason to install another set of nameservers.
Hasn't BIND implemented it already? (Score:2)
Of course there is... (Score:5, Informative)
Back in the bind 4 days, when I did serious DNS, my company wanted a few servers visible in their domain(s) for external dns host resolution.
For people behind the firewall, they wanted a far more extensive list of hosts that were not to be seen for queries outside the firewall.
I did this by using scp to transfer the zone files from the external to the internal DNS server; the internal server would then "cat" the additional hosts to the zone and HUP the named.
AFAIK modern BIND uses "zones" so you can accomplish the above on one server, if you want. I've never used it, but I can see a number of situations where I'd need my above solution even with this feature.
What BIND needs is not a "recursion no;" option, but instead a "recursion eth0;" or "recursion 1.2.3.*;" so recursive queries must originate from a trusted network.
Remember also that not everyone in the world uses BIND - people with ActiveDirectory or NDS name servers might be screwed until a vendor patch.
Re:Of course there is... (Score:3, Informative)
Re:Of course there is... (Score:3, Interesting)
The problem is doing the cache for internal hosts (or an internal interface) and running zone authority for external (internet) users on one server. Apparently it's not possible using the built in configuration tool. There's probably a registry key which determines which interface will forward or not, around here: HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\DNS Server
It
Re:When BIND is fixed I'll implement it (Score:5, Informative)
view "internal" {   // opening line cut off in the post; the view name is assumed
    match-clients {
        10.0.0.0/8;
    };
    recursion yes;
    zone "example.com" {
        yadda yadda yadda;
    };
};
view "external" {
    match-clients {
        any;
    };
    recursion no;
    zone "example.com" {
        blah blah blah;
    };
};
Re:When BIND is fixed I'll implement it (Score:3, Informative)
allow-recursion { localhost; mygroup; 10.10.10.1; 10.2.3.0/24; };
This would allow the localhost, the machines on the mygroup ACL, one computer at 10.10.10.1 and all the hosts in 10.2.3.0/24 access to recursive queries.
If you don't need to provide recursive lookups at all, you can just use this:
recursion no;
Re:When BIND is fixed I'll implement it (Score:2)
Re:When BIND is fixed I'll implement it (Score:4, Informative)
view "internal" {
    match-clients { internals; guests; };
    recursion yes;
    zone "." {
        type hint;
        file "bootstrap/cache";
    };
    zone "example.com" {
        type master;
        file "example-int.com";
    };
};
view "external" {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    zone "example.com" {
        type master;
        file "example-ext.com";
        allow-query { any; };
    };
};
---------
I believe that should prevent bind from being too useful from the outside.
Re:When BIND is fixed I'll implement it (Score:3, Interesting)
> turn it off ("additional-from-cache"):
Excellent. The commentary on the site with the original article didn't seem to know about that trick. So now I just need to make sure I have wrapped my head around all of the details and start making the changes. Going to be a bit of bother this way but manageable. Installing another pair of nameservers was right out, this way is doable.
old new (Score:3, Informative)
Re:old new (Score:3, Informative)
From outside your network, send a request for a DNS record to your server: a.example.com Your server will try to l
1 question? (Score:2)
slashdot DNS is OPEN! (Score:4, Informative)
FAIL Open DNS servers ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Server 66.35.250.12 reports that it will do recursive lookups. [test]
Server 12.152.184.136 reports that it will do recursive lookups. [test]
Server 12.152.184.135 reports that it will do recursive lookups. [test]
See this page for info on closing open DNS servers.
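The three checks this thread keeps returning to, as an added example (not code from the thread, from the report quoted above, or from any of the tools it links): whether a nameserver answers recursive queries for names it is not authoritative for (the "open DNS server" report above), whether its cache can be snooped with RD=0 queries (the leakage the "Re:djbdns" post warns about when recursion is only partly disabled), and how much bigger the answer is than the query, i.e. the 70-byte-in/500-plus-byte-out amplification described earlier, with the EDNS0 payload size that pushes it past 4,000 bytes. The wire format follows RFC 1035 and the EDNS0 OPT record of RFC 6891; synth_response builds constructed replies so the classifier can be exercised offline, and probe() is the only network-facing function. The name you probe with must lie outside the server's own zones, otherwise an answer proves nothing.

```python
"""DNS open-resolver, cache-snoop and amplification probe.  Added example;
constructed replies (synth_response) are test data, not from any real server."""
import random
import socket
import struct


def encode_name(name):
    """Dotted hostname -> DNS label sequence (uncompressed)."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, rd=True, edns_bufsize=None, qid=None):
    """Query for `name` (qtype 1 = A).  rd=False asks for a non-recursive answer,
    which a resolver can only give from its cache: that is the cache-snooping
    probe.  edns_bufsize attaches an OPT record advertising a UDP payload size,
    the knob that turns a 500-byte amplifier into a 4000-byte one."""
    qid = random.randrange(65536) if qid is None else qid
    flags = 0x0100 if rd else 0                        # RD bit
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if edns_bufsize else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = payload size, TTL = ext-rcode/version/flags, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header into the fields the checks need."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar, "size": len(msg)}


def classify(query, resp):
    """Return (verdict, amplification factor) for a reply to `query`."""
    q, r = parse_header(query), parse_header(resp)
    if r["id"] != q["id"] or not r["qr"]:
        return "not-a-reply", 0.0
    amp = round(r["size"] / len(query), 1)
    if r["rcode"] == 5:
        return "refused", amp                  # recursion denied: what the fixes above produce
    if q["rd"] and r["ra"] and r["ancount"]:
        return "open-recursive", amp           # resolved a foreign name for a stranger
    if not q["rd"] and r["ancount"]:
        return "cache-hit", amp                # answered RD=0 from cache: snoopable
    if r["ancount"]:
        return "answered", amp
    return "no-answer", amp                    # referral, NXDOMAIN or empty answer


def synth_response(query, addrs, ra=True, rcode=0):
    """Constructed reply to `query` with one A record per address (test data).
    Each answer name is a compression pointer to the question at offset 12."""
    q = parse_header(query)
    end = query.index(b"\x00", 12) + 5         # end of QNAME + QTYPE + QCLASS
    flags = 0x8000 | (0x0100 if q["rd"] else 0) | (0x0080 if ra else 0) | rcode
    header = struct.pack("!HHHHHH", q["id"], flags, 1, len(addrs), 0, 0)
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + query[12:end] + rrs


def probe(server, name, rd=True, edns_bufsize=None, timeout=3.0):
    """Send one UDP query to server:53 and classify the reply.  Network-facing;
    only point it at servers you are responsible for."""
    query = build_query(name, rd=rd, edns_bufsize=edns_bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(65535)
    return classify(query, resp)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                      # usage: probe.py <server-ip> <foreign-name>
        print("open resolver check:", probe(sys.argv[1], sys.argv[2]))
        print("cache snoop check:  ", probe(sys.argv[1], sys.argv[2], rd=False))
    else:                                       # offline demo with constructed replies
        q = build_query("example.com", qid=0x1234)
        print(classify(q, synth_response(q, ["192.0.2.1"] * 20)))      # ('open-recursive', 12.0)
        print(classify(q, synth_response(q, [], ra=False, rcode=5)))   # ('refused', 1.0)
```

A 29-byte A query for example.com that comes back with twenty A records is already a 12x amplifier before EDNS0 is in play; a server that has been locked down the way the posts above describe returns REFUSED at a ratio of 1.0, and a server that answers an RD=0 query for a foreign name is telling outsiders what its users recently looked up.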
Re:slashdot DNS is OPEN! (Score:2)
OK. Your DNS servers do not announce that they are open DNS servers. Although there is a slight chance that they really are open DNS servers, this is very unlikely. Open DNS servers increase the chances of cache poisoning, can degrade performance of your DNS, and can cause your DNS servers to be used in an attack (so it is good that your DNS servers do not appear to be open DNS servers).
Re:slashdot DNS is OPEN! (Score:3, Funny)
Or maybe they read the actual article before posting it?
Sorry, just my little joke.
DDoS? "R", matey! (Score:3, Informative)
http://hyppy.zapto.org/DRDoS-Spyrochaete.html [zapto.org]
TV Media (Score:2)
StormPay: A recent example of this attack (Score:3, Interesting)
As previous posters have noted, these attacks have become more frequent in recent months, prompting an advisory from US-CERT (PDF) [us-cert.gov] in December. It's a hot topic on several security lists, and a special focus of SecuriTeam blogger Gadi Evron [securiteam.com].
Well duh! (Score:2)
It's taken them this long to notice this one? The cricket book discusses it, fer cryin' out loud, and had a good recommended solution: refuse recursive queries by default, then enable them only on those nameservers that'll be used by your client machines and only if the query comes from your local network. I thought everybody setting up a nameserver knew this one, BIND even comes with options specifically to make it easy to do.
MOD REPLY TO PARENT UP (Score:3, Funny)
The real risk is perhaps The Final Virus [catb.org].
Re:I must resist (Score:5, Informative)
Re:I must resist (Score:2)
Re:I must resist (Score:2)
Re:I must resist (Score:3, Funny)
Re:I must resist (Score:3, Funny)
~S
Re:I must resist (Score:3, Informative)
Re:I must resist (Score:2)
stop talking about this thing called "recursion" that makes me yell at you to stop talking about this thing called "recursion" that makes me yell at you to stop talking about this thing called "recursion" that makes me yell at you to stop talking about this thing called "recursion" that makes me yell at you to
Re:Old NEws (Score:5, Informative)
Re:Disable Recursion in old versions of BIND (Score:2)