Good Web Security News: Open DNS Resolvers Are Getting Closed

This has been a rough week in the security industry with big attacks and compromises reported at companies from Facebook to Apple. We're therefore happy to end the week with some good news: the web's open resolvers, one of the sources of the biggest DDoS attacks, are getting closed.

Last October, we wrote a blog post about DDoS amplification attacks. This type of attack makes up some of the largest DDoSs CloudFlare sees, sometimes exceeding 100 gigabits per second (100Gbps). The attacks use DNS resolvers that haven't been properly secured in order to "amplify" the resources of the attacker. An attacker can achieve more than a 50x amplification, meaning that for every byte they are able to generate themselves they can pummel a victim with 50 bytes of garbage data.

The problem stems from misconfigured DNS resolver software (e.g., BIND) that is setup to respond to a query from any IP address. Since DNS requests typically are sent over UDP, which, unlike TCP, does not require a handshake, an attacker can spoof a victim's IP address as the source address in a packet and a misconfigured DNS resolver will happily bombard the victim with responses.

While CloudFlare's network is very good at absorbing even these large attacks, the long term solution for the web is for providers to clean up the open resolvers running on their networks. We wanted to help with that so we engaged in a bit of name-and-shame at the end of the last blog post, listing the networks with the largest number of open resolvers. The good news is it worked: almost four months later our tests show that the number of open resolvers across the Internet is down more than 30%. The chart below shows the progress individual networks have made in cleaning up the problem.

ASN

Network

10/30/12

2/22/13

% Change

21844

THEPLANET-AS - ThePlanet.com Internet Services, In

2925

2216

-24%

3462

HINET Data Communication Business Group

2739

2213

-19%

36351

SOFTLAYER - SoftLayer Technologies Inc.

1075

781

-27%

9394

CRNET CHINA RAILWAY Internet(CRNET)

1052

774

-26%

4713

OCN NTT Communications Corporation

1044

722

-31%

45595

PKTELECOM-AS-PK Pakistan Telecom Company Limited

1030

716

-30%

4134

CHINANET-BACKBONE No.31,Jin-rong Street

970

705

-27%

33182

DIMENOC - HostDime.com, Inc.

940

638

-32%

7018

ATT-INTERNET4 - AT&T Services, Inc.

934

624

-33%

24940

HETZNER-AS Hetzner Online AG RZ

872

593

-32%

26496

AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC

855

560

-35%

20773

HOSTEUROPE-AS Host Europe GmbH

835

517

-38%

16276

OVH OVH Systems

803

511

-36%

13768

PEER1 - Peer 1 Network Inc.

707

421

-40%

14383

VCS-AS - Virtacore Systems Inc

596

420

-30%

32613

IWEB-AS - iWeb Technologies Inc.

585

367

-37%

23352

SERVERCENTRAL - Server Central Network

577

350

-39%

2514

INFOSPHERE NTT PC Communications, Inc.

561

341

-39%

2519

VECTANT VECTANT Ltd.

531

326

-39%

15003

NOBIS-TECH - Nobis Technology Group, LLC

521

322

-38%

22773

ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc

484

315

-35%

6830

LGI-UPC UPC Broadband Holding B.V.

453

307

-32%

12322

PROXAD Free SAS

449

299

-33%

21788

NOC - Network Operations Center Inc.

442

295

-33%

17506

UCOM UCOM Corp.

422

293

-31%

6939

HURRICANE - Hurricane Electric, Inc.

414

284

-31%

16265

LEASEWEB LeaseWeb B.V.

407

284

-30%

3269

ASN-IBSNAZ Telecom Italia S.p.a.

402

281

-30%

29550

SIMPLYTRANSIT Simply Transit Ltd

392

271

-31%

19262

VZGNI-TRANSIT - Verizon Online LLC

390

262

-33%

A few other organizations deserve a special shout out for helping with this effort. The great folks at Team Cymru have been tracking open resolvers and other badness online since before CloudFlare was even an idea. Their consistent efforts in this area have been awesome and we're in the process of partnering with them to help get the word out.

In addition, SoftLayer has been especially vocal and active in spearheading clean up efforts on its network. As they pointed out in a great blog post, because of the size and nature of their network, it's often difficult for them to police the configuration of software their customers run. Even so, they are actively reaching out to customers to educate them about the dangers of running open resolvers on their networks.

We greatly appreciate country CERTs/CSIRTs and various Information Sharing and Analysis Centers (ISACs) reaching out to us offering to get in touch with some of the less responsive network providers.

Going forward, we are happy to provide the IP addresses running open resolvers directly to any network provider that is interested in cleaning up their networks. If you're running a network on the list above, please don't hesitate to reach out to us and we'll get you the data you need to help with cleanup.