The curse of the Open Recursor. Tom Paseka Network Engineer tom@cloudflare.com

Similar documents

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies APNIC th August 2013

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013

How to launch and defend against a DDoS

Goal 2: Achieve Universal Primary Education

Senate Committee: Education and Employment. QUESTION ON NOTICE Budget Estimates

DIGITAL, SOCIAL, AND MOBILE IN APAC 2015 WE ARE SOCIAL & IAB SINGAPORE S COMPENDIUM OF ASIA-PACIFIC DIGITAL STATISTICS.

Reverse DNS Delegations

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

Your Access to a World of Global Connectivity.

Acquia Cloud Edge Protect Powered by CloudFlare

CloudFlare advanced DDoS protection

ICT Development Index (IDI)

Global Student Mobility 2025 Forecasts of the Global Demand for Pathways to Higher Education in the Schools, VET and ELICOS sectors

Defeating DNS Amplification Attacks. Ralf Weber Senior Infrastructure Architect

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

PARTICIPATION IN SEACEN TRAINING PROGRAMS

ASIA AND PACIFIC VEHICLE STANDARDS & FLEETS

BUSINESS INTELLIGENCE & TARGET MARKETING. Copyright CNCData. All Rights Reserved.

BIOMETRIC RESIDENCE PERMIT (BRP) OVERSEAS APPLICANT PROJECT FAQ

Network and Incident monitoring

The J. N. Tata Endowment Scholarships for Indian Students in Abroad

Harness Your Internet Activity!

UNITED NATIONS Economic and Social Commission for Asia and the Pacific 53 member States 9 associate members

Internet infrastructure development in the Asia Pacific: What s needed for sustainable growth

The Collateral Damage of Internet Censorship by DNS Injection

GLOBAL PAYMENTS AND CASH MANAGEMENT. HSBCnet Application Guide August 2006

Foreign Taxes Paid and Foreign Source Income INTECH Global Income Managed Volatility Fund

This is a licensed product of Ken Research and should not be copied

Overview of Asian Insurance Markets

GLOBAL PAYMENTS AND CASH MANAGEMENT. Solutions For Asia-Pacific

Bangladesh Visa fees for foreign nationals

My Services Online Service Support. User Guide for DNS and NTP services

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Loan Information and Application Guide

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

Proxy & Firewall Target Server List to Permit Communication

Loan Information and Application Guide

DNS amplification attacks

Link-OS Printer Operating System Syslog AppNote October 5, 2014

DNS Server Operation & Configuration

Search Engine Optimization Case Study - Focus-suites.com

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

OS-HELP LOANS PROCEDURE

Asia INDONESIA TAIWAN RUSSIA KAZAKHASTAN MONGOLIA NORTH KOREA JAPAN UZBEKISTAN AZERBAIJAN TURKMENISTAN KYRGYZSTAN TAJIKISTAN CHINA GEORGIA SOUTH KOREA

UNIVERSITI SCIENCE MALAYSIA (USM) SPONSORED BY: UNIVERSITY SAINS MALAYSIA THE COLOMBO PLAN

Analysis of Asia Pacific Hosted Market

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

OS-HELP. Statement of terms and conditions

Mainstreaming Disaster Risk Reduction into National and Sectoral Development Process

Configuring DHCP for ShoreTel IP Phones

DNS Server Operation & Configuration

Joint General Assembly APLAC-PAC 2014 June 21-28, Guadalaja, Mexico

B. SERVICES TRADE: PROMISING GROWTH

OS-HELP information for

How To Attack Isc.Org.Org With A Dnet On A Network With A Pnet On The Same Day As A Dbus On A Pc Or Ipnet On An Ipnet.Org On A 2.5Th Gen.Net

Erasmus Mundus Action 2 / External Cooperation Window Participation of Finnish Higher Education Institutions Updated 21.7.

DDoS attacks in CESNET2

NetRiders Asia Pacific and Japan

To Be A Leader and A Premier Educational Hub in the Promotion of Afforable and Quality E-Learning in Asia

Use Domain Name System and IP Version 6

Cement and clinker trade flows in Asia

Application Guidelines

DOMAIN NAME SECURITY EXTENSIONS

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Cisco Connect Rewards Program

Global Dialing Comment. Telephone Type. AT&T Direct Number. Access Type. Dial-In Number. Country. Albania Toll-Free

MIT LINCOLN LABORATORY REPRESENTATIONS AND CERTIFICATIONS-COMMERCIAL (JUNE 2014)

disasters Natural Figure 29.1

World Muslim Population:

P R E S S R E L E A S E

DNS Best Practices. Mike Jager Network Startup Resource Center

INTERNET DOMAIN NAME SYSTEM

Voice Internet Phone Gateway

Internet Exchange Points. Philip Smith ISOC-AU Meeting APNIC 38 Brisbane September 16 th 2014

How To Protect A Dns Authority Server From A Flood Attack

To Be A Leader and A Premier Educational Hub in the Promotion of Afforable and Quality E-Learning in Asia

Student visa and temporary graduate visa programme trends

Application-layer protocols

Powerful Online Solutions HOSTING. Price List. Surge Media Pty Ltd MAINTENANCE & SUPPORT Price List 1

The Burden of Cancer in Asia

Thailand Tax Profile. Produced in conjunction with the KPMG Asia Pacific Tax Centre. Updated: November 2013

DNS: a statistical analysis of name server traffic at local network-to-internet connections

UnionPay, Your access to China & Asia. June 2015

Dow Jones Asia/Pacific Total Stock Market Indices

Consolidated International Banking Statistics in Japan

Transcription:

The curse of the Open Recursor Tom Paseka Network Engineer tom@cloudflare.com

Recursors Why? Exist to aggregate and cache queries Not every computer run its own recursive resolver. ISPs, Large Enterprises run these Query through the root servers and DNS tree to resolve domains Cache results Deliver cached results to clients. 2

Recursors The Problem! Example of DNS Based reflection attack from a Peer in Hong Kong. 3

Recursors Open / Unsecured Recursors? DNS server set up for recursion ie. non-authoritative Will answer for zones it is not authoritative for Recursive lookups Will answer queries for anyone Some Public Services: Google, OpenDNS, Level 3, etc. These are special set-ups and secured. 4

Recursors Say Again? There are hundreds of thousands of DNS Recursors. Many of these are not secured. Non secured DNS Recursors can and will be abused CloudFlare has seen DNS reflection attacks hit 100Gbit traffic globally. 5

What is a Reflection Attack?

Reflection Attack UDP Query Spoofed source Using the address of the person you want to attack DNS Server used to attack the victim (sourced address) Amplification used Querying domains like ripe.net or isc.org ~64 byte query (from attacker) ~3233 byte reply (from unsecured DNS Server) 50x amplification! Running an unsecured DNS server helps attackers! 7

Reflection Attack Attacker ANY isc.org Attack Target Large Large Reply Large Reply Reply Unsecured DNS Recursors Large Large Reply Large Reply Reply Unsecured DNS Recursors Large Large Reply Large Reply Reply Unsecured DNS Recursors 8

Reflection Attack With 50x amplification: 1Gbit uplink from attacker (eg: Dedicated Servers) 50Gbit attack Enough to bring most services offline! Prevention is the best remedy. In recent attacks, we ve seen around 80,000 open/ unsecured DNS Resolvers being used. At just 1Mbit each, that s 80Gbit! 1mbit of traffic may not be noticed by most operators. 80Gbit at target is easily noticed! 9

Where are they coming from?

Where are the open Recursors? Nearly Everywhere! CloudFlare has seen DNS Reflected attack traffic from: 27 out of 56 Economies in APNIC Region More attacks from higher populated economies. 11

Where are the open Recursors? 12

Where are the open Recursors? 13

Where are the open Recursors? 14

Where are the open Recursors? 15

Where are the open Recursors? 16

Where are the open Recursors? 17

Where are the open Recursors? Country Open Recursors Country Open Recursors Japan 4625 Bangladesh 103 China 3123 New Zealand 98 Taiwan 3074 Cambodia 13 South Korea 1410 Sri Lanka 7 India 1119 Nepal 7 Pakistan 1099 Mongolia 5 Australia 761 Laos 4 Thailand 656 Bhutan 2 Malaysia 529 New Caledonia 2 Hong Kong 435 Fiji 2 Indonesia 349 Maldives 2 Papua New Vietnam 342 Guinea 1 Philippines 151 Afghanistan 1 Singapore 118 18

Where are the open Recursors? Some Networks: Country ASN Network Name Open Recursors TW 3462 HINET Data Communication Business Group 2416 CN 9394 CRNET CHINA RAILWAY Internet(CRNET) 1052 JP 4713 OCN NTT Communications Corporation 1044 PK 45595 PKTELECOM-AS-PK Pakistan Telecom Company Limited 1030 CN 4134 CHINANET-BACKBONE No.31,Jin-rong Street 851 JP 2514 INFOSPHERE NTT PC Communications, Inc. 542 JP 17506 UCOM UCOM Corp. 378 19

Where are the open Recursors? Where are they running? Mostly on Servers. ~11,000 Servers profiled from Asia-Pac Networks. ~7,500 BIND ~1600 unknown / undetermined ~900 Microsoft DNS Server ~500 dnsmasq ~200 ZyWALL DNS (a consumer internet router) 20

How to fix this?

Fixing this? Preventative Measures! BCP-38 Source Filtering. You shouldn t be able to spoof addresses. Needs to be done in hosting and ISP environments. If the victim s IP can t be spoofed the attack will stop Will also help stop other attack types (eg: Spoofed Syn Flood). 22

Fixing this? Preventative Measures! DNS Server Maintenance Secure the servers! Lock down recursion to your own IP addresses Disable recursion If the servers only purpose is authoritative DNS, disable recursion Turn them off! Some Packages (eg, Plesk, cpanel) have included a recursive DNS server on by default. 23

Fixing this? Consumer Internet Routers / Modems Update firmware. Some older firmware has security bugs Allows administration from WAN (including DNS, SNMP) Does the feature need to be on? Make sure its set up properly 24

Fixing this? Information BCP-38: http://tools.ietf.org/html/bcp38 BIND: http://www.team-cymru.org/services/resolvers/ instructions.html Microsoft: http://technet.microsoft.com/en-us/library/cc770432.aspx 25

Questions? 26

Thank You 27