Open DNS resolvers allow cybercriminals to launch attacks of this magnitude

Sep 18, 2012 13:16 GMT

On September 15, CloudFlare experienced an outage caused by issues with an upstream bandwidth provider and by a massive 65 Gbps distributed denial-of-service (DDoS) attack that most likely relied on DNS reflection to amplify its strength.

According to the company’s CEO Matthew Prince, it’s not easy for a company to defend its systems against such an attack, but it can be done.

Such reflection attacks rely on DNS servers known as recursive resolvers. These resolvers are normally configured to answer queries only from their operator's own users, for example an ISP's customers.

However, many resolvers are misconfigured as "open" resolvers that answer queries from anyone on the Internet, and cybercriminals can abuse them in their attacks.

“DNS queries are typically sent via the UDP protocol. UDP is a fire-and-forget protocol, meaning that there is no handshake to establish that where a packet says it is coming from actually is where it is coming from,” Prince explained.

“This means, if you're an attacker, you can forge the header of a UDP packet to say it is coming from a particular IP you want to attack and send that forged packet to an open DNS resolver. The DNS resolver will reply back with a response to the forged IP address with an answer to whatever question was asked.”

For instance, an attacker can request all the DNS records of a zone, its DNSSEC records or other large data sets, so that a small forged query produces a response many times its size. Since the resolvers have high-bandwidth connections, they can easily “pump out” the “crippling amount of traffic.”

When this traffic is aimed towards one single place, the effects can be devastating.

So how can these massive attacks be stopped?

In theory, the best remedy would be to close the open resolvers so that they can no longer be abused. In practice that process is slow and often fruitless, so the more effective option is to contact the owners of the resolvers involved and ask them to block DNS requests that appear to originate from your company's IP addresses.

As Prince points out, in some cases the resolver operators are the ones who contact the targeted company first, because from their side it looks as if the victim is the one attacking them.

Other techniques that can successfully stop such attacks involve a properly designed network architecture. CloudFlare says it uses Anycast to spread the impact of an attack across all 23 of its data centers.

Furthermore, in each of their facilities they’ve implemented a number of additional security mechanisms.

“We know, for example, that we haven't sent any DNS inquiries out from our network. We can therefore safely filter the responses from DNS resolvers: dropping the response packets from the open resolvers at our routers or, in some cases, even upstream at one of our bandwidth providers,” Prince noted.
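The filtering logic Prince describes generalizes to networks that do send their own DNS queries: an inbound DNS response is legitimate only if it matches a query the network actually sent. The following is an added example, not CloudFlare's code; it runs over constructed flow records (documentation-range IP addresses) and reports, per resolver, the volume of unsolicited responses a defender would drop at the router or ask an upstream provider to drop.

```python
# Added example, not from the article: flag inbound DNS responses for which
# our network sent no matching query. Flow records here are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    direction: str    # "out" = left our network, "in" = arrived at it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    txid: int         # DNS transaction ID parsed from the UDP payload
    is_response: bool # DNS QR bit
    nbytes: int

def unsolicited_dns_responses(flows):
    """Return (unsolicited responses, bytes per resolver IP). A response is
    unsolicited when (resolver, our addr, our port, txid) never appeared as an
    outbound query; the byte totals tell a defender what to drop at the router."""
    outstanding = set()
    unsolicited = []
    per_resolver = defaultdict(int)
    for f in flows:
        if f.direction == "out" and f.dst_port == 53 and not f.is_response:
            outstanding.add((f.dst_ip, f.src_ip, f.src_port, f.txid))
        elif f.direction == "in" and f.src_port == 53 and f.is_response:
            key = (f.src_ip, f.dst_ip, f.dst_port, f.txid)
            if key in outstanding:
                outstanding.discard(key)  # legitimate answer to our own query
            else:
                unsolicited.append(f)
                per_resolver[f.src_ip] += f.nbytes
    return unsolicited, dict(per_resolver)

# Constructed sample: one genuine query/answer pair, then large answers from
# two resolvers we never queried, the pattern a reflection flood produces.
SAMPLE_FLOWS = [
    Flow("out", "198.51.100.10", 40001, "192.0.2.53", 53, 0x1234, False, 64),
    Flow("in", "192.0.2.53", 53, "198.51.100.10", 40001, 0x1234, True, 120),
    Flow("in", "203.0.113.7", 53, "198.51.100.10", 53, 0x0001, True, 3900),
    Flow("in", "203.0.113.7", 53, "198.51.100.10", 53, 0x0002, True, 3900),
    Flow("in", "203.0.113.9", 53, "198.51.100.10", 53, 0x0003, True, 4100),
]

if __name__ == "__main__":
    bad, totals = unsolicited_dns_responses(SAMPLE_FLOWS)
    print(len(bad), "unsolicited responses; bytes per resolver:", totals)
```

In CloudFlare's situation, where no DNS queries leave the network at all, the outstanding set is always empty and every inbound response is flagged, which is exactly the blanket drop Prince describes.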