How To Avoid Becoming The Villain

DDoS Attack

Computing history has shown us that if you are running servers you are responsible for your own infrastructure and in some cases, also responsible towards those using the Internet. Malicious attacks illegally exploiting poorly configured servers were common practice until a few years ago.

Poorly secured FTP servers were often hijacked and copyrighted software was shared without the owner’s permission. Misconfigured SMTP servers allowed relays for everyone and were used to send out huge volumes of spam. Attackers even managed to find ways to use insecure scripts on web servers to send out spam.

This brings us back to the title of this piece. If you run an insecure service there is a good chance cybercriminals will find your server in one of their numerous Internet scans.

As these attacks became more and more popular, awareness increased. As awareness increased, admins made sure their servers were as secure as possible. At some point the attackers no longer found it worthwhile to look for and use insecure systems – they had become too few in number. This made them move to the next best thing at the time.

Fast forward to the present: News agencies recently reported on the struggle between spammers and Spamhaus. In a nutshell, Spamhaus blacklisted The Cyberbunker – a data centre that houses any server so long as it is not involved in child pornography or terrorism. Obviously, it is very popular with spammers. Spamhaus is a system designed to report IP addresses involved in the distribution of spam.

Several programs and servers will block any email from any server (unless white-listed) if the source IP address is blacklisted by services like Spamhaus. What happened is that a massive denial of service (DDoS) attack was launched against Spamhaus which, in turn, took counter-steps. However, the result was an intensified DDoS attack that experts claimed could have put the backbone infrastructure at risk.

What made this huge DDoS attack possible?

This large-scale DDoS attack was caused by a DNS amplification attack which requires a source DNS record of any domain (the larger the DNS record the better). Sometimes DNS servers are compromised so that large records are introduced thus having a great impact and effect.

Once a record is available, open DNS resolvers (DNS servers that allow queries by anyone) are told to retrieve that big record and will subsequently store it in their cache. At this point all the attacker needs to do is query these open DNS resolvers for all the records on the domain in question and spoof the request to appear it is coming from the intended victim. The DNS will then send all its records to the victim.

It is called a DNS amplification attack because although the query itself requires a small packet no larger than a few bytes, the packet sent to victims will be kilobytes in size. This means that, for example, a 100Mbit Internet connection, can launch a DDoS attack along the lines of about 20 Gbits – making it very efficient… in a bad way.

For this type of attack to occur, DNS servers have to be configured to serve any client. For it to be effective, (the ability to use large record sets) the DNS server must also be configured to allow recursive queries (recursive querying would allow clients to request DNS records not specifically residing on the DNS Server in question and thus making it retrieve any DNS record of any domain the person running the query desires).

This situation mirrors the story of open SMTP relays of the past. We have a server designed to be helpful by serving anyone who requires its use but at the same time it is being misused for illegal purposes. Back then, professionals recommended that open relays were closed, today they recommend closing Open DNS Servers to avoid similar large-scale DDoS attacks.

The Spamhaus DDoS attack had backbone routers experience up to 300Gbits of traffic at a single point. Most routers can only handle up to 100Gbits. The backbone routers of the Internet were severely overloaded in this attack. This leads to degrading performance between different segments of the Internet for as long as the attack persists and the traffic is not cleared up.

How bad is the situation and what can you do?

The open resolver project currently lists over 25 million open DNS servers. If you’re an administrator running an open DNS Server on purpose, for a legitimate reason, there are various things you can do to limit the risk that your server becomes part of the problem. If possible, try to remove recursive querying.

If recurring querying is required, your only option is to try and limit the amount of requests your DNS server is allowed to serve. Finding the right balance in order to avoid false positives can be tricky but is the only option to limit the potential abuse of your open DNS server. If no open DNS functionality is required to achieve your goal, this should be disabled immediately.

If you run an open DNS server check the configuration and close the server down as often as possible. The last thing you want to hear are news reports of another massive DDoS attack against some unfortunate victim and realise that your DNS server is one of many others used in the attack.

SHARETweet about this on TwitterShare on LinkedInShare on FacebookShare on Google+Pin on PinterestDigg thisShare on RedditShare on TumblrShare on StumbleUponEmail this to someone
Emmanuel Carabott

Emmanuel Carabott CISSP heads security research at GFI Software. He has over 12 years’ experience in the security field and is a regular contributor to several websites and blogs. For more information about the benefits of using email usage reporting.