DDoS Attacks Via DNS Recursion
JehCt writes "Associated Press is running a story about how the recursion feature of open DNS servers can be used to launch massive distributed denial of service (DDoS) attacks: 'First detected late last year, the new attacks direct such massive amounts of spurious data against victim computers that even flagship technology companies could not cope.' A thread at WebmasterWorld explains, 'To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'"
Doctor, it hurts when I go like this (Score:3, Insightful)
OK, don't do that then.
That's by Berenstain? (Score:3, Insightful)
Besides, who wants software written by a cartoon bear?
Re:Why do you think you need a license? (Score:3, Insightful)
Re:Could someone explain how the attack works? (Score:2, Insightful)
Re:djbdns (Score:3, Insightful)
There was a server (named after a famous London landmark), which did DNS serving and also resolving, and was open to the whole internet (which, admittedly, wasn't too big). When customers moved away, they continued to use it for resolving. When the server was finally shut down in, errm, 1999 (wasn't the Y2k bug a marvellous excuse to get rid of services no one wanted to maintain anymore?!), we sniffed the network and there were still people using it. The network block was reallocated for other purposes, and even two+ years on there were still steady numbers of DNS resolving requests.
We also had separate resolvers and name servers, and we put up big announcements for months that name servers were going to lose recursion (because reloading the servers was taking longer and longer and people complained about slow resolving), and yet there were die-hards who held out until rebutted customer complaints made them fix things. We guessed these customers, basically, had had someone set things up, the person resigned/died/was fired/kidnapped by aliens from redmon/ and they had no clue how anything worked any more.
So, yes, changing the default behaviour of DNS servers to not resolve can cause problems.
Oh yeah, one final thing. When I started work at that ISP in the mid-nineties, 20-25% of customers ran Windows, the rest ran some form of Unix; the Windows users "ate" 80%+ of support. When I left three years later the Windows users were 60-70% of customers, and the number of support staff grew to accommodate the cluelessness.