[LINK] Open recursive nameservers used for DoS attacks

Robin Whittle rw at firstpr.com.au
Fri May 15 15:05:55 EST 2009


Short version:  I had configured my nameserver to accept queries from
                any host on the Net, for domains other than my own.
                This meant it could be used as a DDoS amplifier.


I was puzzled be a repetitive series of outgoing packets from my
nameserver (bind 9 on CentOS 5.1, on my fixed IP-address
DSL-connected server at home).  They were long (~1492 byte),
text-based packets returning a reply to some IP address 72.20.26.1
which had (supposedly) requested it.

In fact, the request would have come from the attacker's machine, and
would have been sent with a spoofed source address - that of the
victim: 72.20.26.1

The request was for a TXT record in a Russian domain which does not
appear in Google.  My nameserver sent the reply, spanning several UDP
packets of lengths: 1492, 1492 and 1165 bytes, to the victim address.

The query packet to my nameserver was only 71 bytes, so this is about
a 58:1 amplification factor of the attacker's effort.   This was
happening every few seconds.


This form of Distributed Denial of Service (DDoS) attack is described in:

  Open Recursive Nameservers What’s the problem with that?
  Students:  P. van Abswoude, P. Tavenier
  Supervising teachers:  J.P. Velders, K. Koymans
  System and Network Engineering, University of Amsterdam
  Final Version February 5, 2007
  http://staff.science.uva.nl/~delaat/sne-2006-2007/p05/report.pdf

  http://tools.ietf.org/html/rfc5358

The solution was in section 5.2.1 of the above report - to configure
bind 9 to only accept recursive queries from machines on my LAN,
rather than from anywhere in the Net.  In the options section of my
named.conf file, I added:

  allow-recursion { 10.0.0.0/8; };

and all was well.

I have added this to my notes on configuring bind and other things:

  http://www.firstpr.com.au/web-mail/CentOS-misc-config/

  - Robin



More information about the Link mailing list