Reston, VA, April 2, 2013 – DNS Made Easy, the leading provider of anycast managed DNS hosting, has requested that all responsible members of the Internet community make a concerted effort to close down the open DNS recursive resolvers that are frequently used for packet amplification distributed denial of service (DDoS) attacks.
An open DNS resolver is a server that accepts Domain Name System (DNS) requests from clients outside its administrative domain, meaning that any machine connected to the Internet can send a DNS query to it. Because DNS queries are carried over UDP, the source IP address of a request can be spoofed, so that the (larger) responses are delivered to the attack's target rather than to the machine that actually sent the request.
Open DNS resolvers are responsible for the bulk of the bandwidth produced in the recent headline-grabbing attack directed at the Spamhaus spam monitoring service, which created significant problems for its bandwidth providers and potentially caused slowdowns by impacting the throughput of major European hubs.
“We’re calling on all members of the Internet community to urgently act to reduce the number or fix the large number of open DNS resolvers,” affirmed Steven Job, President of DNS Made Easy. “The problems that open DNS resolvers are causing now outshine any purpose they might once have served.”
Open DNS resolvers have become an increasingly popular method of carrying out Distributed Denial of Service attacks. Often, such attacks employ botnets, but with the easy availability of open DNS resolvers, anyone with a minimal level of technical expertise can create an enormous flood of packets and direct it at their target, knocking sites offline and consuming a significant proportion of the bandwidth resources of Internet Service Providers.
“The fact that open DNS resolvers can be so easily exploited by anyone setting up a few cloud instances and running a script that will cripple sites and degrade ISPs is an untenable situation,” said Job. “The Internet community needs to act to remove this menace as quickly as possible. In order to do this properly, DNS and network administrators need to take three proactive steps. First, we would like to see many of the open DNS resolvers shut down or closed, as many are not intended to be open to the world. Second, rate response limiting (RRL) should be implemented where possible for appropriate name servers. Third, we would like to see ISPs and network administrators take a larger role in implementing BCP 38 network ingress filtering, which would help eliminate IP spoofing.”
DNS amplification attacks rely on the fact that DNS response packets can be much larger than the request that produced them. For example, an initial request of 81 bytes may produce a response of over 300 bytes, roughly a quadrupling of bandwidth consumption. So for every byte of bandwidth the attacker has at their disposal, they can direct more than 4 times that volume at the target, because the resolver's response, not the attacker's request, is what reaches the victim. Querying for DNSSEC-signed data increases the amplification ratio to nearly 20 times the request size. In the recent attacks, the attackers appear to have been using DNS amplification with DNSSEC for maximum bandwidth consumption and damage. Using open DNS resolvers, an attacker with access to about 500 Mbps of bandwidth can flood their targets with over 10 Gbps, more than enough to overwhelm most DDoS mitigation appliances.
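The two properties the release describes, a resolver that answers recursive queries for any client (signalled by the RA flag in its reply) and the size ratio between a query and its reply, can be seen directly in the DNS wire format. The following Python is an added example, not code from DNS Made Easy or from the release: the packets and the 192.0.2.x addresses are constructed here for illustration, and the `probe_resolver` helper is an assumed way for an administrator to check a server they operate, from a host outside that server's network.

```python
import socket
import struct


def encode_name(name: str) -> bytes:
    """DNS wire encoding of a domain name: length-prefixed labels, zero terminator."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Ordinary recursive query (RD=1) for `name`; qtype 1 = A, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields relevant here."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this packet is a response
        "rd": bool(flags & 0x0100),   # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),   # recursion available: server recurses for us
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "ancount": ancount,
    }


def build_reply(query: bytes, addresses: list, ra: bool = True, ttl: int = 300) -> bytes:
    """Constructed response carrying one A record per address (simulates an open resolver)."""
    q = parse_header(query)
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, len(addresses), 0, 0)
    question = query[12:]
    answers = b""
    for addr in addresses:
        # 0xC00C is a compression pointer to the name in the question at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answers


def build_refusal(query: bytes) -> bytes:
    """Constructed REFUSED reply with RA clear: what a closed resolver sends outsiders."""
    q = parse_header(query)
    return struct.pack("!HHHHHH", q["id"], 0x8000 | 0x0100 | 5, 1, 0, 0, 0) + query[12:]


def answered_recursively(query: bytes, reply: bytes) -> bool:
    """True when the reply matches our query, advertises recursion, and carries answers.
    Observed from outside the server's own network, that is an open resolver."""
    h = parse_header(reply)
    return (h["qr"] and h["ra"] and h["rcode"] == 0
            and h["ancount"] > 0 and h["id"] == parse_header(query)["id"])


def amplification_factor(query: bytes, reply: bytes) -> float:
    """Bytes the resolver sends per byte of query it received (DNS payload only)."""
    return len(reply) / len(query)


def probe_resolver(server: str, name: str = "example.com", timeout: float = 2.0):
    """Send one recursive query to a server you administer and classify its reply.
    Returns (is_open, factor) or None on timeout. Assumed helper, not from the release."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return answered_recursively(query, reply), amplification_factor(query, reply)


if __name__ == "__main__":
    q = build_query("example.com")
    # 192.0.2.0/24 is the TEST-NET-1 documentation range; constructed sample data
    open_reply = build_reply(q, ["192.0.2.%d" % i for i in range(1, 17)])
    print(len(q), len(open_reply), round(amplification_factor(q, open_reply), 2))
    print(answered_recursively(q, open_reply), answered_recursively(q, build_refusal(q)))
```

The constructed 16-record reply already returns almost ten bytes for every byte of query at the DNS payload level; the 4x and roughly 20x figures in the release come from larger record sets and DNSSEC signatures, and the on-the-wire ratio is somewhat lower once IP and UDP headers are counted. A resolver that is not meant to serve the public should answer outsiders with REFUSED and RA clear, which in BIND 9 means restricting `allow-recursion` to local networks and, for name servers that must stay reachable, enabling the `rate-limit` block that implements RRL.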
The Spamhaus attacks reached claimed bandwidths of up to 300 Gbps. Last year DNS Made Easy published graphed statistics of an attack it successfully handled that exceeded 200 Gbps.
While the Internet as a whole is not put at risk by DDoS attacks, because of its many redundant connections, they are capable of causing regional slowdowns and site service interruptions and of consuming capacity that bandwidth providers need.
While methods exist to mitigate the effects of such attacks, including anycast DNS hosting, DNS Made Easy believes that it is both more prudent and more efficient to tackle the root cause of the problem by closing down or fixing as many open recursive resolvers as possible and by educating both those within the industry and the wider public about the negative consequences of running an open DNS server.
About DNS Made Easy
DNS Made Easy is a subsidiary of Tiggee LLC and is a leader in providing global IP anycast enterprise DNS services. DNS Made Easy implemented the industry’s first triple independent anycast cloud architecture for maximum DNS speed and DNS redundancy. Originally launched in 2002, DNS Made Easy’s services have grown to manage hundreds of thousands of customer domains receiving more than 6.0 billion queries per day. Today, DNS Made Easy builds on a proud history of uptime and is the preferred DNS hosting choice of most major brands, especially amongst those comparing price and performance of enterprise IP anycast alternatives. For more information, or for a free trial of their DNS hosting services, visit http://social.dnsmadeeasy.com.