DDoS Attacks Via DNS Recursion 192
JehCt writes "Associated Press is running a story about how the recursion feature of open DNS servers can be used to launch massive distributed denial of service (DDoS) attacks: 'First detected late last year, the new attacks direct such massive amounts of spurious data against victim computers that even flagship technology companies could not cope.' A thread at WebmasterWorld explains, 'To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'"
djbdns (Score:3, Informative)
Re:djbdns (Score:5, Informative)
Separate authoritative and recursive (Score:4, Informative)
recursive, which is something that DJB has been preaching for a while.
Consequently djbdns won't do this, but it is quite possible to make bind not
do this also. (In fact Bind now has come round and reccomended this.)
It seems to me like a no-brainer, why is splitting the two such a problem?
SDNS wouldn't hurt either, but that will take a lot more doing.
Disable recursion in BIND (Score:5, Informative)
recursion no;
Problem solved.
overwhelming floods of amplified data (Score:2, Informative)
Suggestion:
-Verify requests
-Verify directory computers have not been comprimised
-Disallow amplified data
-Build a new secure system for handling traffic
Re:I must resist (Score:5, Informative)
Re:Could someone explain how the attack works? (Score:5, Informative)
Re:Could someone explain how the attack works? (Score:5, Informative)
Another problem:
(Quoting a post on the other site)"they can send a 70 byte packet to your DNS server, and your DNS server will send a 500+ byte packet to the victim. With EDNS0, that can be 4,000+ bytes.
So with a dialup account, it would be possible to saturate a T1.
There's plenty of ways for them to mess with you without any 'compromised' machines on your network.
Re:Separate authoritative and recursive (Score:3, Informative)
It isn't that hard, but it's perceived to be difficult. You have to set up your authoritative records on a separate IP address from your current DNS server (e.g. using tinydns). Then you tell your registrar that your nameserver has a different IP address. At that point, the only queries coming to your old IP address should be recursive queries coming from your users. Then you can close off recursive queries coming from the rest of the net (e.g. using dnscache).
Then you have to make your secondarying work, which may be easy, or merely annoying depending on your setup.
Re:That's by Berenstain? (Score:3, Informative)
Wrong wrong wrong (Score:3, Informative)
No way is DJB software public domain.
In fact, I bet a dollar you don't even know what public domain is.
Re:Old NEws (Score:5, Informative)
Re:djbdns (Score:3, Informative)
You see, the chief difficulty is *exactly* the same as the open smtp relay problem. Back when everybody on the Internet knew each other, and abuse was resolved with a phone call, nobody understood that some services needed to be authorized, and some needed to be public. Thus, relaying and delivery SMTP servers were the same thing, and caching and authoritative DNS servers were the same thing. The big challenge with this issue is not reconfiguring BIND 9 to not recurse. The big challenge is to split your caching from your authoritative DNS servers.
Re:djbdns (Score:1, Informative)
Really?
Why, then, does the OpenBSD team use a hardened version of BIND whilst DJBDNS remains a bit player?
Split-split DNS Design (Score:5, Informative)
ADVERTISER
RESOLVER
INTERNAL
The advertiser sits outside, Internet-facing, and is only responsible for resolving outside queries for your own domains. It does not do recursion or dynamic updates, and has a secured cache.
The resolver and internal sit inside, are intranet-facing, and handle internal requests for outside domains, and internal requests for internal domains respectively.
There are lots of articles on-line which show how to set this up.
Re:I must resist (Score:3, Informative)
Fixing bind9 (Score:5, Informative)
Lets say that your local LAN and WLAN networks are 192.168.0/24 and 192.168.1/24, respectively. Make the following additions to your /etc/bind/named.conf.options (or equivalent):
Re:Could someone explain how the attack works? (Score:1, Informative)
old new (Score:3, Informative)
slashdot DNS is OPEN! (Score:4, Informative)
FAIL Open DNS servers ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Server 66.35.250.12 reports that it will do recursive lookups. [test]
Server 12.152.184.136 reports that it will do recursive lookups. [test]
Server 12.152.184.135 reports that it will do recursive lookups. [test]
See this page for info on closing open DNS servers.
Of course there is... (Score:5, Informative)
Back in the bind 4 days, when I did serious DNS, my company wanted a few servers visible in their domain(s) for external dns host resolution.
For people behind the firewall, they wanted a far more extensive list of hosts that were not to be seen for queries outside the firewall.
I did this by using scp to transfer the zone files from the external to the internal DNS server; the internal server would then "cat" the additional hosts to the zone and HUP the named.
AFAIK modern BIND uses "zones" so you can accomplish the above on one server, if you want. I've never used it, but I can see a number of situations where I'd need my above solution even with this feature.
What BIND needs is not a "recursion no;" option, but instead a "recursion eth0;" or "recursion 1.2.3.*;" so recursive queries must originate from a trusted network.
Remember also that not everyone in the world uses BIND - people with ActiveDirectory or NDS name servers might be screwed until a vendor patch.
Re:When BIND is fixed I'll implement it (Score:5, Informative)
match-clients {
10.0.0.0/8;
};
recursion yes;
zone "example.com" {
yadda yadda yadda;
};
};
view "external" {
match-clients {
any;
};
recursion no;
zone "example.com" {
blah blah blah;
};
};
DDoS? "R", matey! (Score:3, Informative)
http://hyppy.zapto.org/DRDoS-Spyrochaete.html [zapto.org]
Re:When BIND is fixed I'll implement it (Score:3, Informative)
allow-recursion { localhost; mygroup; 10.10.10.1; 10.2.3.0/24; };
This would allow the localhost, the machines on the mygroup ACL, one computer at 10.10.10.1 and all the hosts in 10.2.3.0/24 access to recursive queries.
If you don't need to provide recursive lookups at all, you can just use this:
recursion no;
Re:Split-split DNS Design (Score:1, Informative)
Exactly -- a split DNS setup is quite easy to implement, and is an elegant solution
There are lots of articles on-line which show how to set this up.You might want to check http://www.castalie.org/Linux/DNS.html [castalie.org] for an example implying BIND as an internal resolver and NSD as an authoritative-only advertiser,
Re:Of course there is... (Score:3, Informative)
Re:When BIND is fixed I'll implement it (Score:4, Informative)
view "internal" {
match-clients { internals; guests; };
recursion yes;
zone "." {
type hint;
file "bootstrap/cache";
};
zone "example.com"{
type master;
file "example-int.com";
};
};
view "external" {
match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "example.com"{
type master;
file "example-ext.com";
allow-query { any; };
};
};
---------
I believe that should prevent bind from being too useful from the outside.
Re:Disable recursion in BIND (Score:3, Informative)
Depending on the DNS server, turning off recursion completely is not the answer. Granted most internet-facing DNS servers can simply turn recursion off without negatively impacting lookups (generally) but doing so for an internal system (or one that bridges an internal and external) is begging for trouble.
According to Chapter 2.2.6.2 of Pro DNS and BIND (http://www.zytrax.com/books/dns/ch2/index.html#re cursive) [zytrax.com])
A better solution would be to use allow-recursion [zytrax.com] to specify which clients will receive recursive DNS responses.
Re:old new (Score:3, Informative)
From outside your network, send a request for a DNS record to your server: a.example.com Your server will try to look up a.example.com from example.com's name servers. It will send an answer to the source IP in the UDP packet.
Now send another request for b.example.com and forge the source IP. Your server will try to look it up and send the answer back to the fake IP.
Now send millions of packets looking up [randomnumber].example.com, each with a unique source IP. Your server will essentially flood the name servers for example.com with requests for zones that do not exist and scatter the answers to the far corners of the internet where the UDP packets are simply discarded.
Now combine your recursion set up with a few others and watch example.com drop from the face of the planet.
That is what I found when I took over the servers from the other company. They had a high capacity system with loads and loads of bandwidth (phone company). Their machines could knock out a small name server without sweating. Combined with other networks, they could knock out much larger installations.
The attack is simple to perform and simple to avoid.
Re:djbdns (Score:4, Informative)
It's very easy to define an external zone without recursion and some master zones and an internal zone that recurses. This also has the benfit of split caches. If you just disabled recursion for some clients in a "single-zone" BIND, you still are "vulnerable" to information leakage where external clients can probe your cache for records.
http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch0