[Infowarrior] - DNS Problem Linked to DDoS Attacks Gets Worse

Richard Forno rforno at infowarrior.org
Sat Nov 14 05:06:07 UTC 2009 

DNS Problem Linked to DDoS Attacks Gets Worse
By Robert McMillan, IDG News Service - Fri Nov 13, 2009 4:20PM EST

http://tech.yahoo.com/news/pcworld/20091113/tc_pcworld/dnsproblemlinkedtoddosattacksgetsworse

Internet security experts say that misconfigured DSL and cable modems  
are worsening a well-known problem with the Internet's DNS (domain  
name system), making it easier for hackers to launch distributed  
denial-of-service (DDoS) attacks against their victims.
According to research set to be released in the next few days, part of  
the problem is blamed on the growing number of consumer devices on the  
Internet that are configured to accept DNS queries from anywhere, what  
networking experts call an "open recursive" or "open resolver" system.  
As more consumers demand broadband Internet, service providers are  
rolling out modems configured this way to their customers said Cricket  
Liu, vice president of architecture with Infoblox, the DNS appliance  
company that sponsored the research. "The two leading culprits we  
found were Telefonica and France Telecom," he said.

In fact, the percentage of DNS systems on the Internet that are  
configured this way has jumped from around 50 percent in 2007, to  
nearly 80 percent this year, according to Liu.

Though he hasn't seen the Infoblox data, Georgia Tech Researcher David  
Dagon agreed that open recursive systems are on the rise, in part  
because of "the increase in home network appliances that allow  
multiple computers on the Internet."

"Almost all ISPs distribute a home DSL/cable device," he said in an e- 
mail interview. "Many of the devices have built-in DNS servers. These  
can sometimes ship in 'open by default' states."

Because modems configured as open recursive servers will answer DNS  
queries from anyone on the Internet, they can be used in what's known  
as a DNS amplification attack.

In this attack, hackers send spoofed DNS query messages to the  
recursive server, tricking it into replying to a victim's computer. If  
the bad guys know what they're doing, they can send a small 50 byte  
message to a system that will respond by sending the victim as much as  
4 kilobytes of data. By barraging several DNS servers with these  
spoofed queries, attackers can overwhelm their victims and effectively  
knock them offline.

DNS experts have known about the open recursive configuration problem  
for years, so it's surprising that the numbers are jumping up.

However, according to Dagon, a more important issue is the fact that  
many of these devices do not include patches for a widely publicized  
DNS flaw discovered by researcher Dan Kaminsky last year. That flaw  
could be used to trick the owners of these devices into using Internet  
servers controlled by hackers without ever realizing that they've been  
duped.

Infoblox estimates that 10 percent of the open recursive servers on  
the Internet have not been patched.

The Infoblox survey was conducted by The Measurement Factory, which  
gets its data by scanning about 5 percent of the IP addresses on the  
Internet. The data will be posted here in the next few days.

According to Measurement Factory President Duane Wessels, DNS  
amplification attacks do occur, but they're not the most common form  
of DDoS attack. "Those of us that track these and are aware of it tend  
to be a little bit surprised that we don't see more attacks that use  
open resolvers," he said. "It's kind of a puzzle."

Wessels believes that the move toward the next-generation IPv6  
standard may be inadvertently contributing to the problem. Some of the  
modems are configured to use DNS server software called Trick or Tread  
Daemon (TOTd) -- which converts addresses between IPv4 and IPv6  
formats. Often this software is configured as an open resolver,  
Wessels said.

More information about the Infowarrior mailing list