Spamhaus attacks expose huge open DNS server dangers
Denial-of-service attacks that take advantage of open DNS resolvers are not new.
As far back as in 2006, more than 1,500 organizations around the world were hit by a series of similar attacks, prompting wide concern from security experts.
Then, as now, many security experts warned that ISPs and others operating DNS servers must ensure that their systems are properly configured to prevent attacks such as the one launched against Spamhaus. The problem remains as pervasive as ever despite the warnings, experts note today.
The Open DNS Resolver Project , an effort by a group of security experts to draw attention to the issue, estimates that there are currently about 27 million DNS servers that are open resolvers. About 25 million of those pose a significant threat, according to the project's website.
According to Prince, barely 100,000 of the open resolvers were used to direct 300Gbps of traffic against the organization. "What's spooky here is that only a tiny fraction of the open resolvers were used," he said. The attackers could easily have co-opted more DNS servers, Prince noted.
"This is a situation where some configuration changes on the DNS server side can help prevent the attacks," said Alex Cox, a principal security researcher with RSA Security's FirstWatch team.
But the required changes are difficult to get without a broad collaboration among ISPs. "The problem with a DNS attack is you can't really turn your DNS servers off" without causing widespread disruption, Cox said. "Once this thing blows over it will be interesting to see how some of the folks whose infrastructure was used will respond."
The perpetrators of this week's attacks knew that Spamhaus had a good infrastructure in place to deal with denial-of-service attacks and therefore had to do something really big, said Dan Holden, director of the security and engineering response team at Arbor Networks.
Such attacks are not fully defendable but can be mitigated by ensuring that DNS servers are configured properly, he said. "The good news is that these open DNS resolvers will get a lot more visibility" following the attacks he said. "So hopefully the issue will get fixed."
Several standards are readily available to help ISPs and others operating DNS servers to configure systems to ensure they respond only to requests from their own users, said Mike Smith director of the customer security incident response team at Akamai.
DNS server operators also need to have egress filtering controls in place to ensure that the DNS traffic leaving their networks originated from inside their network, he said.
The Open DNS Resolver Project also calls on DNS server operators to consider implementing rate-limiting software to prevent the sort of traffic amplification that was used in the Spamhaus attacks.
"There are things that need to get cleaned up. That is why we need some awareness of the problem," Smith said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- Syrian Electronic Army shanghais Microsoft's Twitter account, blog
- Is French outrage against U.S. spying misplaced?
- Lawmakers seek answers on Obamacare Data Hub security
- China-based hacking group behind hundreds of attacks on U.S. companies
- How to Prepare for a Potential Syrian Counterattack on the U.S. Power Grid
- New York Times site outage caused by attack on domain registrar, company says
- Cyber drills like Quantum Dawn 2 vital to security in financial sector
- Quantum Dawn 2 will test Wall Street's cyber readiness
- Pentagon accuses China of cyberattacks on U.S military, business targets
- Spamhaus attacks expose huge open DNS server dangers
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Cybercrime and Hacking White Papers | Webcasts