How we can get out of the DNS DDoS trap

David Holmes, technical marketing manager, F5 Networks | June 10, 2013
A new class of enormous DDoS attacks emerged on March 26 with a DNS reflection attack against the anti-spam service Spamhaus, attributed to Dutch hosting provider CyberBunker, which Spamhaus had blacklisted for hosting spammers. The reported traffic peak of 300 Gbps was double the previous record.

Vendors need to make smarter DNS products. The current defensive techniques, such as dropping the first query and answering only a retransmission (legitimate resolvers retry, and a spoofing attacker usually does not), are crude and do not solve the reflection problem: an attacker who simply sends every spoofed query twice gets through. The next generation of DNS servers must recognise attack conditions and rate-limit their responses in pathological situations, capping how often the same answer is sent toward the same source network, which is what response rate limiting (RRL) does.

One idea whose time might have come is to detect attack conditions and, for the duration of the attack, push queries onto TCP: the server answers UDP queries with a small truncated response (TC bit set) and only answers fully over TCP, which a spoofed source address cannot complete because it never sees the handshake. This costs latency and connection state, and some servers would need to be upgraded, since many Internet DNS servers handle TCP far less efficiently than UDP, but the penalty only lasts as long as the attack.

But enterprises should also tighten their own configurations so that their servers cannot be used as amplifiers. There is very little reason for a server to hand out a full zone transfer (AXFR) except to specifically whitelisted secondaries; zone transfers run over TCP, so they are not a reflection vector in themselves, but an open zone leaks its entire contents, including which names produce the largest answers. Enterprises can also refuse or truncate queries of the "ANY" record type, which return every record for a name in one oversized response and have few legitimate uses; ANY queries were the amplifier in the March 26 attack.
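The following is an added example, not code from the article, from F5, or from any DNS server: a small response policy that combines the two ideas above, rate-limiting repeated UDP answers with a BIND-style responses-per-second/slip scheme and redirecting clients to TCP with a truncated (TC-bit) reply, together with the configuration hardening just described (zone transfers only to an allowlist and only over TCP, ANY answered over TCP only). The wire-format helpers, the allowlist, the RFC 5737 addresses and the query stream are all constructed for the example, and the per-/24 bucketing is an approximation of what real RRL implementations do.

```python
import struct
from collections import defaultdict

# DNS query types used below (IANA values).
QTYPE_A = 1
QTYPE_AXFR = 252
QTYPE_ANY = 255


def build_query(qname, qtype, txid=0x1234):
    """Build a minimal DNS query in wire format. Used here only to construct test input."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack(">HH", qtype, 1)  # class IN
    return header + question


def parse_query(pkt):
    """Return (txid, qname, qtype) from the header and first question of a query."""
    txid = struct.unpack(">H", pkt[:2])[0]
    off, labels = 12, []
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    qtype = struct.unpack(">H", pkt[off + 1:off + 3])[0]
    return txid, ".".join(labels) + ".", qtype


def truncated_response(query_pkt):
    """Echo the question with QR=1, TC=1 and no records.

    A legitimate resolver retries over TCP; a spoofed source never sees the reply.
    The reply is no larger than the query, so there is no amplification."""
    txid, flags = struct.unpack(">HH", query_pkt[:4])
    flags = 0x8000 | 0x0200 | (flags & 0x0100)  # QR, TC, keep RD as sent
    return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0) + query_pkt[12:]


class ResponsePolicy:
    """Decide how to answer a query: ANSWER, TRUNCATE (force TCP), DROP or REFUSED.

    rps/slip/window mirror the responses-per-second, slip and window knobs of
    BIND-style response rate limiting (hypothetical simplified model)."""

    def __init__(self, transfer_allowlist, rps=5, slip=2, window=1.0):
        self.transfer_allowlist = set(transfer_allowlist)
        self.rps, self.slip, self.window = rps, slip, window
        self.counts = defaultdict(int)          # (src /24, qname, qtype) -> answers this window
        self.window_start = defaultdict(float)
        self.over_limit = defaultdict(int)      # queries seen past the limit, for slip

    def decide(self, src_ip, transport, pkt, now):
        _, qname, qtype = parse_query(pkt)
        if qtype == QTYPE_AXFR:
            # Zone transfers only to listed secondaries, and only over TCP.
            ok = src_ip in self.transfer_allowlist and transport == "tcp"
            return "ANSWER" if ok else "REFUSED"
        if transport == "tcp":
            return "ANSWER"    # the handshake already proved the source address
        if qtype == QTYPE_ANY:
            return "TRUNCATE"  # oversized answers go out over TCP only
        key = (src_ip.rsplit(".", 1)[0], qname, qtype)   # crude /24 bucket
        if now - self.window_start[key] >= self.window:
            self.window_start[key] = now
            self.counts[key] = 0
            self.over_limit[key] = 0
        self.counts[key] += 1
        if self.counts[key] <= self.rps:
            return "ANSWER"
        # Past the limit: drop most repeats, but every slip-th one gets a TC reply
        # so a real client behind a busy NAT can still fall back to TCP.
        self.over_limit[key] += 1
        if self.slip and self.over_limit[key] % self.slip == 0:
            return "TRUNCATE"
        return "DROP"


def simulate_flood(policy, src_ip, qname, qtype, n, now=0.0):
    """Replay n identical UDP queries from src_ip within one window; tally the decisions."""
    pkt = build_query(qname, qtype)
    tally = defaultdict(int)
    for _ in range(n):
        tally[policy.decide(src_ip, "udp", pkt, now)] += 1
    return dict(tally)


if __name__ == "__main__":
    # Constructed traffic using RFC 5737 documentation addresses.
    policy = ResponsePolicy(transfer_allowlist=["192.0.2.10"], rps=5, slip=2)
    print(simulate_flood(policy, "203.0.113.7", "example.com.", QTYPE_A, 20))
    print(policy.decide("203.0.113.7", "udp", build_query("example.com.", QTYPE_ANY), 0.0))
    print(policy.decide("203.0.113.7", "tcp", build_query("example.com.", QTYPE_AXFR), 0.0))
```

With rps=5 and slip=2, a burst of 20 identical spoofed queries yields 5 full answers, 7 tiny TC replies and 8 silent drops, so the bytes reflected toward the victim fall to a small fraction of what an unprotected server would send. Real deployments also tune the window and exempt known-good networks; the point here is that every decision is made per (source network, name, type) rather than globally, so an attack on one name does not starve other clients.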

One of the factors that helped mitigate email spam (itself a volumetric attack) was the existence of blacklisting services (such as Spamhaus itself; there is some irony here). Spamhaus monitored the Internet for open mail relays and advertised that intelligence as a service; enterprises used the Spamhaus lists to block spam automatically. For DNS, there are several free services (the Open Resolver Project, for example) that monitor the millions of open DNS resolvers on the Internet.

So far, the only method attempted to close the roughly 25 million open resolvers is mild public shaming via these public lists. Clearly, showing up on a list isn't enough, and publishing the list is like handing out the addresses of a giant botnet to anyone who wants to use it. Since shame isn't working, perhaps the time has come for more extreme measures. If "good" DNS servers stop responding to blacklisted open resolvers, the users behind those resolvers will notice broken name resolution, which may force the indolent to clean up their acts, just as services such as Spamhaus have done for email.

The conflict between CyberBunker and Spamhaus may be over: the individual attacker was recently arrested (after being shown to have launched his attack from his own high-tech van). However, unless the industry builds a smarter DNS infrastructure, and network operators stop forwarding packets with spoofed source addresses, the DDoS war with DNS reflection attacks may just be starting.
