Computerworld

Open DNS servers cause concern, invite attacks

A new threat to the internet is multiplying through DNS servers that are more open than they should be, delegates to last month's ICANN conference in Wellington and the New Zealand Network Operators Group (NZNOG) meeting heard.

Massive distributed denial of service (DDoS) attacks on top-level domain servers early this year used "recursive" DNS servers in combination with botnets of compromised computers and IP address spoofing. These choked the access channels to the internet's top-level domain servers, said ICANN security and stability advisory committee (SSAC) member Rodney Joffe, in a report delivered by colleague Dave Piscitello at the ICANN conference.

The servers themselves kept working, says Joffe, but the DNS fabric was seriously congested.

In an address at NZNOG late last month, SSAC chairman Steve Crocker discussed the same problem.

Machines on a botnet are induced to send large numbers of spoofed DNS requests to target servers, purporting to come from a particular address. The machine at that address then receives a huge volume of replies, and may collapse under the strain.

If a large text record is planted in advance in the target server (which may be under the perpetrator's control) and the requests are for that particular record, then the volume of traffic can be greatly multiplied, amounting to gigabytes in the case of the attacks of this year.

The problem is with having "open recursion" as a default option in the most popular DNS server software. This means the server will attempt to find any address it is asked for, not only within its own domain but over the whole of the internet, and it will do it for any source that asks.

The problem has similarities to the inadvertently open mail servers that used to allow spam to be relayed with the spammer's address concealed. Open relays are much less of a problem today, now that most mail servers have been closed to relay traffic, but the DNS problem is potentially very serious, the NZNOG and ICANN speakers warned.

If a server has no real business answering requests outside its own domain and related domains, the speakers noted, it should be limited to those, plus any heavily used outside servers whose address translations it has cached, and it should not be answering requests from outside its domain.

The ICANN meeting heard that the most popular server software, such as BIND, has now had the open recursive default setting altered, but obviously this will take time to spread through all BIND servers as they are updated. Then there are other vulnerable servers working under Windows, Linux and other operating systems that may remain open for some time.
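The default the article describes, and the restriction the speakers recommend, can be seen side by side in a BIND named.conf. This is an added example, not configuration from the article or from the BIND project; the `trusted` ACL name and the 192.0.2.0/24 and 2001:db8::/32 networks are constructed placeholders, and only one `options` block may appear in a real named.conf, so the two below are alternatives.

```conf
// ALTERNATIVE 1 - open recursion (the risky default the article describes).
// The server resolves any name for any source on the internet, so a spoofed
// query from a botnet is answered toward whatever address the attacker chose.
options {
    recursion yes;
    allow-recursion { any; };
};

// ALTERNATIVE 2 - recursion restricted to the server's own clients.
// Outside hosts still get authoritative answers for zones this server hosts,
// but recursive lookups and cached answers are served only to "trusted".
acl "trusted" {
    127.0.0.0/8;          // loopback
    192.0.2.0/24;         // constructed placeholder: the site's own IPv4 network
    2001:db8::/32;        // constructed placeholder: the site's own IPv6 network
};

options {
    recursion yes;
    allow-recursion   { trusted; };   // no recursion for outside sources
    allow-query-cache { trusted; };   // cached answers also stay internal
    allow-query       { any; };       // authoritative data remains public
    // A server with no resolving role at all should instead set:
    // recursion no;
};
```

After changing the file, `named-checkconf` validates the syntax and `rndc reload` applies it; a query for an external name from an address outside `trusted` should then be refused rather than answered.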

Meanwhile, in the second attack of its kind in the past few days, DNS servers at Network Solutions were hit by a denial-of-service attack, resulting in a brief performance degradation for customers, according to the company.

The attacks targeted the company's WorldNIC name servers and resulted in a service degradation for about 25 minutes before the servers were restored to normal, a company spokeswoman says.

Also, late last month, Joker.com, a domain-name registrar in Germany, was hit with a similar DDoS that disrupted service to customers.

In an advisory posted on its site, Joker said that "massive" attacks against its DNS servers had affected the DNS resolution of Joker.com as well as domains belonging to its customers.

Beyond apologizing to customers, the company offered no other details on the attack except to say that it was "working hard" to find a permanent solution to the problem.

Network Solutions also declined to comment on how it was mitigating the attack.

In 2003, all 13 of the internet's root DNS servers were attacked, but little damage was done.