The curse of the open recursor
1 like12,666 views
This document discusses open recursive DNS resolvers and the security issues they pose. It notes that while recursive resolvers are meant to cache and deliver DNS queries, many are not properly secured, allowing them to be abused for large reflection attacks. These attacks work by spoofing the source IP address of the victim in queries to open resolvers, which then send much larger responses to the victim, amplifying the attack traffic. The document shows that open resolvers come from networks all over the world and urges securing resolvers by filtering source addresses and disabling insecure recursive features.
The curse of the open recursor
- 1. Tom Paseka The curse of the Open Recursor Network Engineer tom@cloudflare.com
- 2. Recursors Why? • Exist to aggregate and cache queries • Not every computer run its own recursive resolver. • ISPs, Large Enterprises run these • Query through the root servers and DNS tree to resolve domains • Cache results • Deliver cached results to clients. www.cloudflare.com 2
- 3. Recursors The Problem! • Example of DNS Based reflection attack from a Peer in Hong Kong. www.cloudflare.com 3
- 4. Recursors Open / Unsecured Recursors ? • DNS server set up for recursion • ie. non-authoritative • Will answer for zones it is not authoritative for • Recursive lookups • Will answer queries for anyone • Some Public Services: Google, OpenDNS, Level 3, etc. • These are “special” set-ups and secured. www.cloudflare.com 4
- 5. Recursors Say Again? • There are hundreds of thousands of DNS Recursors. • Many of these are not secured. • Non secured DNS Recursors can and will be abused • CloudFlare has seen DNS reflection attacks hit 100Gbit traffic globally. www.cloudflare.com 5
- 6. What is a Reflection Attack?
- 7. Reflection Attack • UDP Query • Spoofed source • Using the address of the person you want to attack • DNS Server used to attack the victim (sourced address) • Amplification used • Querying domains like ripe.net or isc.org • ~64 byte query (from attacker) • ~3233 byte reply (from unsecured DNS Server) • 50x amplification! • Running an unsecured DNS server helps attackers! www.cloudflare.com 7
- 8. Reflection Attack Attacker Attack Target ANY ANY ANY isc.org isc.org isc.org Large Large Large Large Large Large Reply Reply Reply Reply Reply Reply Unsecured DNS Unsecured DNS Recursors Recursors Large Large Large Reply Reply Reply Unsecured DNS www.cloudflare.com 8 Recursors
- 9. Reflection Attack • With 50x amplification: • 1Gbit uplink from attacker (eg: Dedicated Servers) • 50Gbit attack • Enough to bring most services offline! • Prevention is the best remedy. • In recent attacks, we’ve seen around 80,000 open/ unsecured DNS Resolvers being used. • At just 1Mbit each, that’s 80Gbit! • 1mbit of traffic may not be noticed by most operators. • 80Gbit at target is easily noticed! www.cloudflare.com 9
- 10. Where are they coming from?
- 11. Where are the open Recursors? • Nearly Everywhere! • CloudFlare has seen DNS Reflected attack traffic from: • 27 out of 56 Economies in APNIC Region • More attacks from higher populated economies. www.cloudflare.com 11
- 12. Where are the open Recursors? www.cloudflare.com 12
- 13. Where are the open Recursors? www.cloudflare.com 13
- 14. Where are the open Recursors? www.cloudflare.com 14
- 15. Where are the open Recursors? www.cloudflare.com 15
- 16. Where are the open Recursors? www.cloudflare.com 16
- 17. Where are the open Recursors? www.cloudflare.com 17
- 18. Where are the open Recursors? Open Open Country Country Recursors Recursors Japan 4625 Bangladesh 103 China 3123 New Zealand 98 Taiwan 3074 Cambodia 13 South Korea 1410 Sri Lanka 7 India 1119 Nepal 7 Pakistan 1099 Mongolia 5 Australia 761 Laos 4 Thailand 656 Bhutan 2 Malaysia 529 New Caledonia 2 Hong Kong 435 Fiji 2 Indonesia 349 Maldives 2 Papua New Vietnam 342 Guinea 1 Philippines 151 Afghanistan 1 Singapore 118 www.cloudflare.com 18
- 19. Where are the open Recursors? Some Networks: Open Country ASN Network Name Recursors TW 3462 HINET Data Communication Business Group 2416 CN 9394 CRNET CHINA RAILWAY Internet(CRNET) 1052 JP 4713 OCN NTT Communications Corporation 1044 PK 45595 PKTELECOM-AS-PK Pakistan Telecom Company Limited 1030 CN 4134 CHINANET-BACKBONE No.31,Jin-rong Street 851 JP 2514 INFOSPHERE NTT PC Communications, Inc. 542 JP 17506 UCOM UCOM Corp. 378 www.cloudflare.com 19
- 20. Where are the open Recursors? • Where are they running? Mostly on Servers. ~11,000 Servers profiled from Asia-Pac Networks. ~7,500 BIND ~1600 unknown / undetermined ~900 Microsoft DNS Server ~500 dnsmasq ~200 ZyWALL DNS (a consumer internet router) www.cloudflare.com 20
- 21. How to fix this?
- 22. Fixing this? Preventative Measures! • BCP-38 • Source Filtering. • You shouldn’t be able to spoof addresses. • Needs to be done in hosting and ISP environments. • If the victim’s IP can’t be spoofed the attack will stop • Will also help stop other attack types • (eg: Spoofed Syn Flood). www.cloudflare.com 22
- 23. Fixing this? Preventative Measures! • DNS Server Maintenance • Secure the servers! • Lock down recursion to your own IP addresses • Disable recursion • If the servers only purpose is authoritative DNS, disable recursion • Turn them off! • Some Packages (eg, Plesk, cPanel) have included a recursive DNS server on by default. www.cloudflare.com 23
- 24. Fixing this? Consumer Internet Routers / Modems • Update firmware. • Some older firmware has security bugs • Allows administration from WAN (including DNS, SNMP) • Does the feature need to be on? • Make sure its set up properly www.cloudflare.com 24
- 25. Fixing this? Information • BCP-38: http://tools.ietf.org/html/bcp38 • BIND: http://www.team-cymru.org/Services/Resolvers/ instructions.html • Microsoft: http://technet.microsoft.com/en-us/library/cc770432.aspx www.cloudflare.com 25
- 26. 26 Questions?
- 27. 27 Thank You