[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open Resolver Problems

> From: Jared Mauch [mailto:jared at puck.nether.net]
> On Mar 25, 2013, at 2:04 PM, Jay Ashworth <jra at baylink.com> wrote:
> > ----- Original Message -----
> >> From: "Jared Mauch" <jared at puck.nether.net>
> >
> >> Open resolvers pose a security threat.
> >
> > Could you clarify, here, Jared?
> >
> > Do "open DNS customer-resolver/recursive servers" *per se* cause a
> problem?
> >
> > Or is it merely "customer zone servers which are misconfigured to recurse",
> > as has always been problematic?
> >
> > That is: is this just a reminder we never closed the old hole, or
> > notification of some new and much nastier hole?
> There have been some moderate size attacks recently that I won't go into
> detail here about.  The IPs that are on the website are certainly being
> used/abused.  A recent attack saw a 90% match rate against the "master list"
> here.  This means your open resolver is likely being used.

I'm just going to jump in here and ask what is probably a silly question, but let's suppose I just happen to have, or have access to, a botnet comprised of (tens of) millions of random hosts all over the internet, and I feel like destroying your DNS servers via DDoS; what's stopping me from just directly querying your servers continuously from said botnet until you melt?  Those machines send you traffic indirectly through open resolvers, or hit you directly, but either way, it's the same number of machines issuing the same number of queries, and you're no less inundated.  If your own servers rate limit to protect themselves, you're losing valid traffic, and if they don't, once you melt down, you're losing valid traffic...