Blog What we do Support Community
Login Sign up

Good Web Security News: Open DNS Resolvers Are Getting Closed

by Matthew Prince.

Good Web Security News: Open DNS Resolvers Are Getting
Closed

This has been a rough week in the security industry with big attacks and compromises reported at companies from Facebook to Apple. We're therefore happy to end the week with some good news: the web's open resolvers, one of the sources of the biggest DDoS attacks, are getting closed.

Sad State of Affairs

Last October, we wrote a blog post about DDoS amplification attacks. This type of attack makes up some of the largest DDoSs CloudFlare sees, sometimes exceeding 100 gigabits per second (100Gbps). The attacks use DNS resolvers that haven't been properly secured in order to "amplify" the resources of the attacker. An attacker can achieve more than a 50x amplification, meaning that for every byte they are able to generate themselves they can pummel a victim with 50 bytes of garbage data.

The problem stems from misconfigured DNS resolver software (e.g., BIND) that is setup to respond to a query from any IP address. Since DNS requests typically are sent over UDP, which, unlike TCP, does not require a handshake, an attacker can spoof a victim's IP address as the source address in a packet and a misconfigured DNS resolver will happily bombard the victim with responses.

Closing the Open Resolvers

While CloudFlare's network is very good at absorbing even these large attacks, the long term solution for the web is for providers to clean up the open resolvers running on their networks. We wanted to help with that so we engaged in a bit of name-and-shame at the end of the last blog post, listing the networks with the largest number of open resolvers. The good news is it worked: almost four months later our tests show that the number of open resolvers across the Internet is down more than 30%. The chart below shows the progress individual networks have made in cleaning up the problem.

ASN

Network 10/30/12 2/22/13 % Change
21844 THEPLANET-AS - ThePlanet.com Internet Services, In 2925 2216 -24%
3462 HINET Data Communication Business Group 2739 2213 -19%
36351 SOFTLAYER - SoftLayer Technologies Inc. 1075 781 -27%
9394 CRNET CHINA RAILWAY Internet(CRNET) 1052 774 -26%
4713 OCN NTT Communications Corporation 1044 722 -31%
45595 PKTELECOM-AS-PK Pakistan Telecom Company Limited 1030 716 -30%
4134 CHINANET-BACKBONE No.31,Jin-rong Street 970 705 -27%
33182 DIMENOC - HostDime.com, Inc. 940 638 -32%
7018 ATT-INTERNET4 - AT&T Services, Inc. 934 624 -33%
24940 HETZNER-AS Hetzner Online AG RZ 872 593 -32%
26496 AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC 855 560 -35%
20773 HOSTEUROPE-AS Host Europe GmbH 835 517 -38%
16276 OVH OVH Systems 803 511 -36%
13768 PEER1 - Peer 1 Network Inc. 707 421 -40%
14383 VCS-AS - Virtacore Systems Inc 596 420 -30%
32613 IWEB-AS - iWeb Technologies Inc. 585 367 -37%
23352 SERVERCENTRAL - Server Central Network 577 350 -39%
2514 INFOSPHERE NTT PC Communications, Inc. 561 341 -39%
2519 VECTANT VECTANT Ltd. 531 326 -39%
15003 NOBIS-TECH - Nobis Technology Group, LLC 521 322 -38%
22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc 484 315 -35%
6830 LGI-UPC UPC Broadband Holding B.V. 453 307 -32%
12322 PROXAD Free SAS 449 299 -33%
21788 NOC - Network Operations Center Inc. 442 295 -33%
17506 UCOM UCOM Corp. 422 293 -31%
6939 HURRICANE - Hurricane Electric, Inc. 414 284 -31%
16265 LEASEWEB LeaseWeb B.V. 407 284 -30%
3269 ASN-IBSNAZ Telecom Italia S.p.a. 402 281 -30%
29550 SIMPLYTRANSIT Simply Transit Ltd 392 271 -31%
19262 VZGNI-TRANSIT - Verizon Online LLC 390 262 -33%

Kudos

A few other organizations deserve a special shout out for helping with this effort. The great folks at Team Cymru have been tracking open resolvers and other badness online since before CloudFlare was even an idea. Their consistent efforts in this area have been awesome and we're in the process of partnering with them to help get the word out.

In addition, SoftLayer has been especially vocal and active in spearheading clean up efforts on its network. As they pointed out in a great blog post, because of the size and nature of their network, it's often difficult for them to police the configuration of software their customers run. Even so, they are actively reaching out to customers to educate them about the dangers of running open resolvers on their networks.

We greatly appreciate country CERTs/CSIRTs and various Information Sharing and Analysis Centers (ISACs) reaching out to us offering to get in touch with some of the less responsive network providers.

Going forward, we are happy to provide the IP addresses running open resolvers directly to any network provider that is interested in cleaning up their networks. If you're running a network on the list above, please don't hesitate to reach out to us and we'll get you the data you need to help with cleanup.

comments powered by Disqus