Good Web Security News: Open DNS Resolvers Are Getting Closed

This has been a rough week in the security industry with big attacks and
compromises reported at companies from Facebook to Apple. We’re
therefore happy to end the week with some good news: the web’s open
resolvers, one of the sources of the biggest DDoS attacks, are getting
closed.

Sad State of Affairs

Last October, we wrote a blog post about DDoS amplification attacks.
This type of attack makes up some of the largest DDoSs CloudFlare sees,
sometimes exceeding 100 gigabits per second (100Gbps). The attacks use
DNS resolvers that haven’t been properly secured in order to “amplify”
the resources of the attacker. An attacker can achieve more than a 50x
amplification, meaning that for every byte they are able to generate
themselves they can pummel a victim with 50 bytes of garbage data.

The problem stems from misconfigured DNS resolver software (e.g., BIND)
that is set up to respond to a query from any IP address. Since DNS
requests typically are sent over UDP, which, unlike TCP, does not
require a handshake, an attacker can spoof a victim’s IP address as the
source address in a packet and a misconfigured DNS resolver will happily
bombard the victim with responses.
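
An operator can confirm whether a resolver they run behaves this way by sending it one recursive query from outside its intended client networks and reading the reply's header flags. The sketch below is an added example, not code from the original post; the function names, the fixed transaction ID and the two sample replies are constructed for illustration.

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080  # response, recursion desired, recursion available
TXID = 0x1234                         # fixed transaction ID, fine for a one-off self-check

def build_query(name, qtype=1):
    """Recursive (RD=1) query for `name`, class IN; qtype 1 = A."""
    header = struct.pack("!HHHHHH", TXID, RD, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify_response(packet):
    """Judge a reply received from OUTSIDE the resolver's intended client networks."""
    if len(packet) < 12:
        return "malformed"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != TXID or not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:                      # REFUSED: recursion is restricted
        return "refused"
    if not flags & RA:                  # server does not offer recursion at all
        return "no-recursion"
    if rcode == 0 and ancount > 0:      # recursed and answered a stranger
        return "open"
    return "inconclusive"

def check_resolver(ip, name="example.com", timeout=3.0):
    """Send one query to a resolver you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (ip, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer"
    return classify_response(reply)

# Constructed sample replies (not captured traffic): header + echoed question [+ one A record].
_Q = build_query("example.com")
SAMPLE_OPEN = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + _Q[12:] + \
    b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0) + _Q[12:]
```

A result of `open` from an address outside the resolver's client range means recursion should be restricted, for example with BIND's `allow-recursion` option limited to an ACL of your own networks.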

Closing the Open Resolvers

While CloudFlare’s network is very good at absorbing even these large
attacks, the long term solution for the web is for providers to clean up
the open resolvers running on their networks. We wanted to help with
that so we engaged in a bit of name-and-shame at the end of the last
blog post, listing the networks with the largest number of open
resolvers. The good news is it worked: almost four months later our
tests show that the number of open resolvers across the Internet is down
more than 30%. The chart below shows the progress individual networks
have made in cleaning up the problem.

ASN | Network | 10/30/12 | 2/22/13 | % Change
--- | --- | --- | --- | ---
21844 | THEPLANET-AS – ThePlanet.com Internet Services, In | 2925 | 2216 | -24%
3462 | HINET Data Communication Business Group | 2739 | 2213 | -19%
36351 | SOFTLAYER – SoftLayer Technologies Inc. | 1075 | 781 | -27%
9394 | CRNET CHINA RAILWAY Internet(CRNET) | 1052 | 774 | -26%
4713 | OCN NTT Communications Corporation | 1044 | 722 | -31%
45595 | PKTELECOM-AS-PK Pakistan Telecom Company Limited | 1030 | 716 | -30%
4134 | CHINANET-BACKBONE No.31,Jin-rong Street | 970 | 705 | -27%
33182 | DIMENOC – HostDime.com, Inc. | 940 | 638 | -32%
7018 | ATT-INTERNET4 – AT&T Services, Inc. | 934 | 624 | -33%
24940 | HETZNER-AS Hetzner Online AG RZ | 872 | 593 | -32%
26496 | AS-26496-GO-DADDY-COM-LLC – GoDaddy.com, LLC | 855 | 560 | -35%
20773 | HOSTEUROPE-AS Host Europe GmbH | 835 | 517 | -38%
16276 | OVH OVH Systems | 803 | 511 | -36%
13768 | PEER1 – Peer 1 Network Inc. | 707 | 421 | -40%
14383 | VCS-AS – Virtacore Systems Inc | 596 | 420 | -30%
32613 | IWEB-AS – iWeb Technologies Inc. | 585 | 367 | -37%
23352 | SERVERCENTRAL – Server Central Network | 577 | 350 | -39%
2514 | INFOSPHERE NTT PC Communications, Inc. | 561 | 341 | -39%
2519 | VECTANT VECTANT Ltd. | 531 | 326 | -39%
15003 | NOBIS-TECH – Nobis Technology Group, LLC | 521 | 322 | -38%
22773 | ASN-CXA-ALL-CCI-22773-RDC – Cox Communications Inc | 484 | 315 | -35%
6830 | LGI-UPC UPC Broadband Holding B.V. | 453 | 307 | -32%
12322 | PROXAD Free SAS | 449 | 299 | -33%
21788 | NOC – Network Operations Center Inc. | 442 | 295 | -33%
17506 | UCOM UCOM Corp. | 422 | 293 | -31%
6939 | HURRICANE – Hurricane Electric, Inc. | 414 | 284 | -31%
16265 | LEASEWEB LeaseWeb B.V. | 407 | 284 | -30%
3269 | ASN-IBSNAZ Telecom Italia S.p.a. | 402 | 281 | -30%
29550 | SIMPLYTRANSIT Simply Transit Ltd | 392 | 271 | -31%
19262 | VZGNI-TRANSIT – Verizon Online LLC | 390 | 262 | -33%

Kudos

A few other organizations deserve a special shout out for helping with
this effort. The great folks at Team Cymru have
been tracking open resolvers and other badness online since before
CloudFlare was even an idea. Their consistent efforts in this area have
been awesome and we’re in the process of partnering with them to help
get the word out.

In addition, SoftLayer has been especially vocal and active in
spearheading clean up efforts on its network. As they pointed out in a
great blog post, because
of the size and nature of their network, it’s often difficult for them
to police the configuration of software their customers run. Even so,
they are actively reaching out to customers to educate them about the
dangers of running open resolvers on their networks.

We greatly appreciate country CERTs/CSIRTs and various Information
Sharing and Analysis Centers (ISACs) reaching out to us offering to get
in touch with some of the less responsive network providers.

Going forward, we are happy to provide the IP addresses running open
resolvers directly to any network provider that is interested in
cleaning up their networks. If you’re running a network on the list
above, please don’t hesitate to reach out to us and we’ll get you the
data you need to help with cleanup.

Via Cloudflare.com
