[LINK] Open recursive nameservers used for DoS attacks

Robin Whittle rw at firstpr.com.au
Fri May 15 15:01:11 AEST 2009


Short version:  I had configured my nameserver to accept queries from
                any host on the Net, for domains other than my own.
                This meant it could be used as a DDoS amplifier.


I was puzzled by a repetitive series of outgoing packets from my
nameserver (bind 9 on CentOS 5.1, on my fixed IP-address
DSL-connected server at home).  They were long (~1492 byte),
text-based packets returning a reply to some IP address 72.20.26.1
which had (supposedly) requested it.

In fact, the request would have come from the attacker's machine, and
would have been sent with a spoofed source address - that of the
victim: 72.20.26.1

The request was for:

   TXT? impactpoint.ru.

which, right now, does not appear in Google.  My nameserver sent the
reply, spanning several UDP packets of lengths: 1492, 1492 and 1165
bytes, to the victim address.

The query packet to my nameserver was only 71 bytes, so this is about
a 58:1 amplification factor of the attacker's effort.  This was
happening every few seconds.


This form of Distributed Denial of Service (DDoS) attack is described in:

  Open Recursive Nameservers What’s the problem with that?
  Students:  P. van Abswoude, P. Tavenier
  Supervising teachers:  J.P. Velders, K. Koymans
  System and Network Engineering, University of Amsterdam
  Final Version February 5, 2007
  http://staff.science.uva.nl/~delaat/sne-2006-2007/p05/report.pdf

  http://tools.ietf.org/html/rfc5358

The solution was in section 5.2.1 of the above report - to configure
bind 9 to only accept recursive queries from machines on my LAN,
rather than from anywhere on the Net.  In the options section of my
named.conf file, I added:

  allow-recursion { 10.0.0.0/8; };

and all was well.

I have added this to my notes on configuring bind and other things:

  http://www.firstpr.com.au/web-mail/CentOS-misc-config/

  - Robin
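As an added illustration (not part of Robin's post or the bind distribution), the check below mirrors what `allow-recursion { 10.0.0.0/8; };` does, applied to query-log lines: recursion-desired (`+`) queries for names outside the server's own zones, arriving from outside the LAN, are the ones an open resolver would amplify. The log lines are constructed in the classic bind 9 query-log format and the zone list, ACL and helper names are assumptions.

```python
import ipaddress
import re

# Constructed sample query-log lines (classic bind 9 format, assumed);
# the victim address and queried name are the ones from the post.
SAMPLE_LOG = """\
15-May-2009 14:58:02.101 client 72.20.26.1#53: query: impactpoint.ru IN TXT + (10.0.0.1)
15-May-2009 14:58:05.240 client 72.20.26.1#53: query: impactpoint.ru IN TXT + (10.0.0.1)
15-May-2009 14:58:07.002 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
15-May-2009 14:58:09.771 client 203.0.113.9#40001: query: firstpr.com.au IN MX - (10.0.0.1)
"""

# Tolerates the older "client IP#port:" form and the newer
# "client @0x... IP#port (qname):" form; flags start with "+" when the
# client set the recursion-desired bit.
LINE_RE = re.compile(
    r"client (?:@\w+ )?(?P<src>[\d.]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def allowed_recursion(src, acl):
    """Mirror allow-recursion: is the source inside one of the ACL netblocks?"""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in acl)


def flag_open_recursion(log_text, acl, local_zones):
    """Return (src, qname, qtype) for RD queries the ACL would refuse:
    names outside our own zones, asked from outside the allowed networks.
    Repeated hits from one source are the amplification pattern above."""
    nets = [ipaddress.ip_network(n) for n in acl]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rd = m["flags"].startswith("+")
        qname = m["qname"].rstrip(".")
        own_zone = any(qname == z or qname.endswith("." + z) for z in local_zones)
        if rd and not own_zone and not allowed_recursion(m["src"], nets):
            hits.append((m["src"], m["qname"], m["qtype"]))
    return hits


def amplification_factor(query_bytes, reply_sizes):
    """Bytes sent to the victim per byte the attacker spent on the query."""
    return sum(reply_sizes) / query_bytes


if __name__ == "__main__":
    for hit in flag_open_recursion(SAMPLE_LOG, ["10.0.0.0/8"], ["firstpr.com.au"]):
        print("would-be amplified recursive query:", hit)
    print("amplification: %.1f:1" % amplification_factor(71, [1492, 1492, 1165]))
```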


