This has been a rough week in the security industry with big attacks and compromises reported at companies from Facebook to Apple. We're therefore happy to end the week with some good news: the web's open resolvers, one of the sources of the biggest DDoS attacks, are getting closed.
Sad State of Affairs
Last October, we wrote a blog post about DDoS amplification attacks. This type of attack makes up some of the largest DDoSs CloudFlare sees, sometimes exceeding 100 gigabits per second (100Gbps). The attacks use DNS resolvers that haven't been properly secured in order to "amplify" the resources of the attacker. An attacker can achieve more than a 50x amplification, meaning that for every byte they are able to generate themselves they can pummel a victim with 50 bytes of garbage data.
The problem stems from misconfigured DNS resolver software (e.g., BIND) that is setup to respond to a query from any IP address. Since DNS requests typically are sent over UDP, which, unlike TCP, does not require a handshake, an attacker can spoof a victim's IP address as the source address in a packet and a misconfigured DNS resolver will happily bombard the victim with responses.
Closing the Open Resolvers
While CloudFlare's network is very good at absorbing even these large attacks, the long term solution for the web is for providers to clean up the open resolvers running on their networks. We wanted to help with that so we engaged in a bit of name-and-shame at the end of the last blog post, listing the networks with the largest number of open resolvers. The good news is it worked: almost four months later our tests show that the number of open resolvers across the Internet is down more than 30%. The chart below shows the progress individual networks have made in cleaning up the problem.
ASN
Network
10/30/12
2/22/13
% Change
21844
THEPLANET-AS - ThePlanet.com Internet Services, In
2925
2216
-24%
3462
HINET Data Communication Business Group
2739
2213
-19%
36351
SOFTLAYER - SoftLayer Technologies Inc.
1075
781
-27%
9394
CRNET CHINA RAILWAY Internet(CRNET)
1052
774
-26%
4713
OCN NTT Communications Corporation
1044
722
-31%
45595
PKTELECOM-AS-PK Pakistan Telecom Company Limited
1030
716
-30%
4134
CHINANET-BACKBONE No.31,Jin-rong Street
970
705
-27%
33182
DIMENOC - HostDime.com, Inc.
940
638
-32%
7018
ATT-INTERNET4 - AT&T Services, Inc.
934
624
-33%
24940
HETZNER-AS Hetzner Online AG RZ
872
593
-32%
26496
AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC
855
560
-35%
20773
HOSTEUROPE-AS Host Europe GmbH
835
517
-38%
16276
OVH OVH Systems
803
511
-36%
13768
PEER1 - Peer 1 Network Inc.
707
421
-40%
14383
VCS-AS - Virtacore Systems Inc
596
420
-30%
32613
IWEB-AS - iWeb Technologies Inc.
585
367
-37%
23352
SERVERCENTRAL - Server Central Network
577
350
-39%
2514
INFOSPHERE NTT PC Communications, Inc.
561
341
-39%
2519
VECTANT VECTANT Ltd.
531
326
-39%
15003
NOBIS-TECH - Nobis Technology Group, LLC
521
322
-38%
22773
ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc
484
315
-35%
6830
LGI-UPC UPC Broadband Holding B.V.
453
307
-32%
12322
PROXAD Free SAS
449
299
-33%
21788
NOC - Network Operations Center Inc.
442
295
-33%
17506
UCOM UCOM Corp.
422
293
-31%
6939
HURRICANE - Hurricane Electric, Inc.
414
284
-31%
16265
LEASEWEB LeaseWeb B.V.
407
284
-30%
3269
ASN-IBSNAZ Telecom Italia S.p.a.
402
281
-30%
29550
SIMPLYTRANSIT Simply Transit Ltd
392
271
-31%
19262
VZGNI-TRANSIT - Verizon Online LLC
390
262
-33%
Kudos
A few other organizations deserve a special shout out for helping with this effort. The great folks at Team Cymru have been tracking open resolvers and other badness online since before CloudFlare was even an idea. Their consistent efforts in this area have been awesome and we're in the process of partnering with them to help get the word out.
In addition, SoftLayer has been especially vocal and active in spearheading clean up efforts on its network. As they pointed out in a great blog post, because of the size and nature of their network, it's often difficult for them to police the configuration of software their customers run. Even so, they are actively reaching out to customers to educate them about the dangers of running open resolvers on their networks.
We greatly appreciate country CERTs/CSIRTs and various Information Sharing and Analysis Centers (ISACs) reaching out to us offering to get in touch with some of the less responsive network providers.
Going forward, we are happy to provide the IP addresses running open resolvers directly to any network provider that is interested in cleaning up their networks. If you're running a network on the list above, please don't hesitate to reach out to us and we'll get you the data you need to help with cleanup.