[161719] in North American Network Operators' Group


RE: Open Resolver Problems

daemon@ATHENA.MIT.EDU (Jamie Bowden)
Tue Mar 26 07:51:15 2013

From: Jamie Bowden <jamie@photon.com>
To: Jared Mauch <jared@puck.nether.net>, Jay Ashworth <jra@baylink.com>
Date: Tue, 26 Mar 2013 11:50:52 +0000
In-Reply-To: <484C70F0-1549-4FD3-9BBE-31779897AE6C@puck.nether.net>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> From: Jared Mauch [mailto:jared@puck.nether.net]
> On Mar 25, 2013, at 2:04 PM, Jay Ashworth <jra@baylink.com> wrote:
> > ----- Original Message -----
> >> From: "Jared Mauch" <jared@puck.nether.net>
> >
> >> Open resolvers pose a security threat.
> >
> > Could you clarify, here, Jared?
> >
> > Do "open DNS customer-resolver/recursive servers" *per se* cause a problem?
> >
> > Or is it merely "customer zone servers which are misconfigured to recurse",
> > as has always been problematic?
> >
> > That is: is this just a reminder we never closed the old hole, or
> > notification of some new and much nastier hole?
>
> There have been some moderate size attacks recently that I won't go into
> detail here about.  The IPs that are on the website are certainly being
> used/abused.  A recent attack saw a 90% match rate against the "master list"
> here.  This means your open resolver is likely being used.

I'm just going to jump in here and ask what is probably a silly question, but
let's suppose I just happen to have, or have access to, a botnet comprised of
(tens of) millions of random hosts all over the internet, and I feel like
destroying your DNS servers via DDoS; what's stopping me from just directly
querying your servers continuously from said botnet until you melt?  Those
machines send you traffic indirectly through open resolvers, or hit you
directly, but either way, it's the same number of machines issuing the same
number of queries, and you're no less inundated.  If your own servers rate
limit to protect themselves, you're losing valid traffic, and if they don't,
once you melt down, you're losing valid traffic...

Jamie

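Added example (editor's code, not part of this thread or any poster's own
tooling): the wire-format detail behind Jared's note that the listed open
resolvers are being "used/abused".  It builds the kind of recursive query an
open-resolver scan sends, a constructed reply, and checks the two properties
that make a query bounced through an open resolver different from one sent
straight at a target: the resolver answers anyone (RA set, NOERROR, answers
present), and the reply it emits is many times larger than the query and goes
to whatever source address the query carried.  The name example.com, the
record contents and the resulting sizes are made up for the demonstration;
nothing here touches the network.

```python
"""DNS wire-format helpers illustrating open-resolver reflection.
All packets are constructed inline for the example; nothing is sent."""
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS labels, e.g. b'\\x07example\\x03com\\x00'."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234) -> bytes:
    """Recursive (RD=1) query: the packet an attacker spoofs toward a resolver
    with the victim's address as source."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query: bytes, answers) -> bytes:
    """Constructed resolver reply: echoes the question, sets QR/RD/RA with
    NOERROR (0x8180), and appends answer RRs whose owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    rrs = b""
    for rtype, rdata in answers:
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, QCLASS_IN, 3600, len(rdata)) + rdata
    return header + question + rrs


def build_refused(query: bytes) -> bytes:
    """Reply from a resolver that does not recurse for strangers:
    QR=1, RD=1, RA=0, RCODE=5 (REFUSED), no answers."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 0) + query[12:]


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def looks_open(query: bytes, response: bytes) -> bool:
    """Open-resolver test: the server answered our recursive query for a zone
    it does not serve (matching ID, RA set, NOERROR, at least one answer)."""
    h = parse_header(response)
    return (h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0
            and h["id"] == struct.unpack("!H", query[:2])[0])


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the (spoofed) source per byte the attacker sent."""
    return len(response) / len(query)


def txt_rdata(text: str) -> bytes:
    """TXT rdata is a sequence of <len><chars> strings, each at most 255 bytes."""
    data = text.encode("ascii")
    return b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                    for i in range(0, len(data), 255))


# Constructed sample: an ANY query for example.com and a reply carrying
# four A records plus a long SPF-style TXT record (all values made up).
SAMPLE_QUERY = build_query("example.com")
_ANSWERS = [(QTYPE_A, bytes([192, 0, 2, n])) for n in range(1, 5)]
_ANSWERS.append((QTYPE_TXT, txt_rdata("v=spf1 " + "ip4:192.0.2.0/24 " * 14 + "-all")))
SAMPLE_RESPONSE = build_response(SAMPLE_QUERY, _ANSWERS)
SAMPLE_REFUSED = build_refused(SAMPLE_QUERY)

if __name__ == "__main__":
    print("query bytes:", len(SAMPLE_QUERY), "reply bytes:", len(SAMPLE_RESPONSE))
    print("open resolver:", looks_open(SAMPLE_QUERY, SAMPLE_RESPONSE),
          "amplification: %.1fx" % amplification_factor(SAMPLE_QUERY, SAMPLE_RESPONSE))
    print("refused server open:", looks_open(SAMPLE_QUERY, SAMPLE_REFUSED))
```

The 29-byte query draws a reply over 350 bytes, so a bot that spoofs the
target's address and sends the query to an open resolver lands roughly twelve
times more traffic on the target than if it sent the same packet directly, and
the target sees the resolver, not the bot, as the sender.  A resolver that
answers REFUSED with no records fails the open-resolver check and reflects
only a header-sized packet.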
