
DDoS Attacks Via DNS Recursion

Zonk posted more than 8 years ago | from the to-understand-recursion-you-must-understand-recursion dept.

JehCt writes "Associated Press is running a story about how the recursion feature of open DNS servers can be used to launch massive distributed denial of service (DDoS) attacks: 'First detected late last year, the new attacks direct such massive amounts of spurious data against victim computers that even flagship technology companies could not cope.' A thread at WebmasterWorld explains, 'To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'"

I must resist (-1, Offtopic)

Philip K Dickhead (906971) | more than 8 years ago | (#14935467)

Making recursive statements - like this one.

MOD REPLY TO PARENT UP (2, Funny)

quokkapox (847798) | more than 8 years ago | (#14935668)

Seriously, when one of these really impacts something or other, the people who are responsible will figure out what went wrong, fix it, and life will go on as usual. Maybe some of us will get away from the keyboards for a while, chat at the water cooler or something. Some of us will get a day off and others will get plenty of overtime.

The real risk is perhaps The Final Virus [catb.org] .

Fiction indeed... (1)

bsdluvr (932942) | more than 8 years ago | (#14935737)

"The real risk is perhaps The Final Virus."

"Though Linux passed Microsoft in web-server market share long ago, it remains second in overall share for intranet and general-purpose servers. But unless there is some break in the trend curves Linux really will be #1 around the beginning of 2005."

Oh...

Re:I must resist (5, Informative)

AKAImBatman (238306) | more than 8 years ago | (#14935674)

That's self-referential, not recursive. One does not immediately imply the other. GNU, on the other hand, is recursive.

Re:I must resist (1)

Philip K Dickhead (906971) | more than 8 years ago | (#14936009)

you say container, I say pointer...

Re:I must resist (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14936224)

Do you fucking LIVE on Slashdot or what? Holy shit, I see you karma whoring, and pandering to the lowest common denominator, in every single story I look at...and I only visit a couple of brief moments a week.

Get a girlfriend or something. Geez.

Re:I must resist (3, Funny)

Anonymous Coward | more than 8 years ago | (#14935780)

To know recursion, you must first know recursion.

Re:I must resist (2, Funny)

Soporific (595477) | more than 8 years ago | (#14935861)

The first rule of recursion is to not talk about recursion...

~S

Re:I must resist (2, Informative)

AKAImBatman (238306) | more than 8 years ago | (#14935948)

That's a self-referential paradox, not a recursive statement. The grandparent is an example of a recursive statement.

Re:I must resist (1)

Spy der Mann (805235) | more than 8 years ago | (#14935983)

The grandparent is an example of a recursive statement.

stop talking about this thing called "recursion" that makes me yell at you to stop talking about this thing called "recursion" that makes me yell at you to stop talking about this thing called "recursion" that makes me yell at you to stop talking about this thing called "recursion" that makes me yell at you to ...

Re:I must resist (1)

maxwell demon (590494) | more than 8 years ago | (#14936274)

To understand recursion, follow the instructions you get by adding its quote after the text "To understand recursion, follow the instructions you get by adding its quote after the text"

djbdns (3, Informative)

Russ Nelson (33911) | more than 8 years ago | (#14935491)

That's why you run djbdns [cr.yp.to] -- by default it's closed to recursive queries.

Re:djbdns (5, Informative)

PaisteUser (810863) | more than 8 years ago | (#14935592)

It's not that difficult to make BIND9 not respond to recursive queries: add "recursion no;" to the "options {};" section of the named.conf file, reload the config and you're good to go.

Re:djbdns (0)

Anonymous Coward | more than 8 years ago | (#14935739)

Done and done. 3 DNS servers, 3 minutes.

Re:djbdns (2, Informative)

Russ Nelson (33911) | more than 8 years ago | (#14935891)

Your users are going to be a little upset when they discover that their DNS server doesn't resolve anything anymore.

You see, the chief difficulty is *exactly* the same as the open smtp relay problem. Back when everybody on the Internet knew each other, and abuse was resolved with a phone call, nobody understood that some services needed to be authorized, and some needed to be public. Thus, relaying and delivery SMTP servers were the same thing, and caching and authoritative DNS servers were the same thing. The big challenge with this issue is not reconfiguring BIND 9 to not recurse. The big challenge is to split your caching from your authoritative DNS servers.

Re:djbdns (3, Interesting)

Perl-Pusher (555592) | more than 8 years ago | (#14936021)

I have 3 DNS servers that are NAT'd on the private LAN and allow recursion; the public one outside doesn't. I'm not a DNS expert but I haven't had any issues from users or attacks.

Re:djbdns (5, Funny)

Russ Nelson (33911) | more than 8 years ago | (#14936235)

You have a correct configuration. You gain 2 skill points.

Fixing bind9 (5, Informative)

pjkundert (597719) | more than 8 years ago | (#14935972)

If you run an internet facing bind9 DNS server, you may want to allow recursion (caching) to your internal clients, while continuing to serve DNS requests to external clients for your domains (those for which you are "authoritative").

Lets say that your local LAN and WLAN networks are 192.168.0/24 and 192.168.1/24, respectively. Make the following additions to your /etc/bind/named.conf.options (or equivalent):

options { allow-query { any; }; allow-recursion { 192.168.0.0/24; 192.168.1.0/24; localhost; }; ...

Re:djbdns (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14935597)

Yes, because switching to a new DNS server you know nothing about is safer than updating the config on your current setup.

Re:djbdns (0)

Anonymous Coward | more than 8 years ago | (#14935862)

Yes, because switching to a new DNS server you know nothing about is safer than updating the config on your current setup.

What you know about djbdns is that you have the code to look at and that everyone in the industry that cares about security uses it.

What you know about bind is that you have the code to look at and that everyone in the industry that cares about security avoids it.

Re:djbdns (1, Informative)

Anonymous Coward | more than 8 years ago | (#14935917)

Really?

Why, then, does the OpenBSD team use a hardened version of BIND whilst DJBDNS remains a bit player?

Re:djbdns (1)

eln (21727) | more than 8 years ago | (#14936073)

That has more to do with DJBDNS's license than its performance. DJBDNS is not GPL, and is certainly not BSD licensed.

See here [cr.yp.to]

Re:djbdns (1)

Russ Nelson (33911) | more than 8 years ago | (#14936199)

Because djb refuses to let the OpenBSD folks make changes. Note that they don't actually have any changes they want to make. They argue that they must be able to make changes without negotiating with the author of the code. djb says, with good reason, that nobody writes more secure code than himself, so any patches written by somebody else would be unlikely to make the code more secure. Both parties are arguing from reasonable positions, it's just that they are incompatible positions.
Thus, BIND9 (which needs to be hardened) versus djbdns (which is shipped without security holes).

Re:djbdns (2, Interesting)

eln (21727) | more than 8 years ago | (#14935925)

I'm a big fan of DJB's software, and I use most of it regularly. However, if you've ever actually looked at his code, you might decide having the ability to look at his code is a negative for everyone except for maybe the ibuprofen industry.

Re:djbdns (1)

Russ Nelson (33911) | more than 8 years ago | (#14936016)

It's a style of coding; sure. If you're not used to it, it can be hard to read. But he gets a bunch of things right, like checking EVERY malloc for failure. Like not merely exiting when a malloc fails, but instead exiting with a special code for temporary failure, or in the case of a daemon which cannot exit, sleeping until memory becomes available. Like making counted strings easy to use in C (null termination is the tool of the demons in charge of buffer overflows). Like making it trivially easy to avoid memory leaks. Like subtle things like str_chr always returning a usable pointer, rather than NULL sometimes and a pointer to the character other times like strchr does.

Re:djbdns (1)

eln (21727) | more than 8 years ago | (#14936044)

Don't get me wrong, I have a lot of respect for his techniques, and his code is rock solid. But, as you say, it can be rather cryptic.

Most people I know of that won't use his code cite things like his personality, which they generally only know by reputation. Personally, I don't give a toss about how difficult a person the developer of my software is, I just want to use good software. It's not like I'm going to be taking the guy out to dinner any time soon.

Separate authoritative and recursive (4, Informative)

Aspirator (862748) | more than 8 years ago | (#14935635)

I am quite a fan of djbdns, but the key here is to separate authoritative and recursive, which is something that DJB has been preaching for a while.

Consequently djbdns won't do this, but it is quite possible to make bind not do this also. (In fact Bind now has come round and recommended this.)

It seems to me like a no-brainer, why is splitting the two such a problem?

SDNS wouldn't hurt either, but that will take a lot more doing.

Re:Separate authoritative and recursive (2, Informative)

Russ Nelson (33911) | more than 8 years ago | (#14935718)

why is splitting the two such a problem?

It isn't that hard, but it's perceived to be difficult. You have to set up your authoritative records on a separate IP address from your current DNS server (e.g. using tinydns). Then you tell your registrar that your nameserver has a different IP address. At that point, the only queries coming to your old IP address should be recursive queries coming from your users. Then you can close off recursive queries coming from the rest of the net (e.g. using dnscache).

Then you have to make your secondarying work, which may be easy, or merely annoying depending on your setup.

I love djbdns (-1, Flamebait)

winkydink (650484) | more than 8 years ago | (#14935660)

too bad the author is such a dickhead though.

Re:I love djbdns (1)

Russ Nelson (33911) | more than 8 years ago | (#14935736)

Eh, he's gotten a lot better. Hey, everybody was young when they were young. It's just that not all of us inflicted our youth on others. He just writes good software these days. If you don't use it, well, it's your loss.

Re:I love djbdns (1)

winkydink (650484) | more than 8 years ago | (#14935828)

Really? Has he stopped with the puerile name-calling?

Re:I love djbdns (2, Interesting)

Russ Nelson (33911) | more than 8 years ago | (#14935929)

When is a spade not a spade? If someone engages in puerile activity, don't they deserve a puerile name? djb (the old djb, anyway)'s biggest problem is that he didn't give people the truth gently. He would tell people "That's stupid, and you're being stupid for proposing it." The best djb quip I ever heard was:

djbwm - it's the best window manager in the world, but when you try to move a window, it argues with you for ten minutes that it was already in the right place.

Re:I love djbdns (0)

Anonymous Coward | more than 8 years ago | (#14936095)

He also teaches at UIC, so that can be a problem for some people (his students).

Re:I love djbdns (0)

Anonymous Coward | more than 8 years ago | (#14935825)

And that matters to you how? When you can write better software then he can maybe you can have your say, but until then trash-talking someone you don't know is rude.

Re:I love djbdns (1)

winkydink (650484) | more than 8 years ago | (#14935846)

And assuming I don't know him is preposterously presumptive.

That's by Berenstain? (3, Insightful)

Philip K Dickhead (906971) | more than 8 years ago | (#14935670)

With his weird license? God. He writes good software. He's even a bloody certified genius, but he's almost as insufferable as Dave Weiner. Don't try and submit a patch - unless you are just donating to his cause, and want nothing as a contributor. Also, be prepared for the contempt of his responses.

Besides, who wants software written by a cartoon bear?

Re:That's by Berenstain? (0)

Anonymous Coward | more than 8 years ago | (#14935696)

His software is "public domain". That is to say, the software has no license. How can "no license" be confusing?

Re:That's by Berenstain? (0)

Anonymous Coward | more than 8 years ago | (#14935751)

His software isn't remotely public domain. http://cr.yp.to/distributors.html [cr.yp.to] gives his licensing details, which make it quite clear he's an idiot.

Re:That's by Berenstain? (1)

Russ Nelson (33911) | more than 8 years ago | (#14935841)

Okay, so obviously we can see why you clicked on the "Post Anonymously" checkbox. I think Slashcode needs "Post Anonymously" to be a dropbox of reasons why you're posting anonymously:

Post Anonymously because:
    o Posting something stupid
    o Posting something illegal
    o Posting something embarrassing
    o Posting something shameful

I think you would have selected the last one.

Re:That's by Berenstain? (2, Informative)

Russ Nelson (33911) | more than 8 years ago | (#14935764)

No, most of his software is copyrighted. The only djb software which is in the public domain is software that he has explicitly given to the public domain. The term for the rest of his software is "license-free". You don't need a license to use it. Just download it! Copyright law lets you do anything you want with a copyrighted work, except redistribute it. You can publish patches, as we've done with netqmail [qmail.org] .

Re:That's by Berenstain? (1)

killjoe (766577) | more than 8 years ago | (#14936111)

"You can publish patches, as we've done with netqmail."

Believe it or not, that's why I moved from qmail to postfix. I wanted to patch our version of qmail to add a feature but I could not recreate our current binary because I had no idea which set of patches were applied to it. It seemed easier to install postfix and configure that (and it was!).

Re:That's by Berenstain? (1)

Russ Nelson (33911) | more than 8 years ago | (#14936158)

I note that you didn't say you were using netqmail. We intend for your problem to be exactly and precisely solved by netqmail. If it's not, you should complain on the qmail@list.cr.yp.to mailing list. And we WILL listen to you, and you WILL get a response (unlike, say, complaining to djb).

Wrong wrong wrong (2, Informative)

A nonymous Coward (7548) | more than 8 years ago | (#14935852)

His license forbids distributing binaries unless they are made from his sources. You want to add any of the many well known patches? Great, you distribute his source and your patches, you do not distribute patched sources and you do not distribute binaries.

No way is DJB software public domain.

In fact, I bet a dollar you don't even know what public domain is.

Right right right (1)

Russ Nelson (33911) | more than 8 years ago | (#14936219)

I'll also bet a dollar that he doesn't know what public domain is. I'll even give two to one odds against it.

Why do you think you need a license? (1)

Russ Nelson (33911) | more than 8 years ago | (#14935813)

Why do you think you need a license? Copyright law doesn't impose ANY restrictions on what you do with something you've downloaded. It only stops you from making copies.

Oh, and look at qmail-1.03.tar.gz#CREDITS -- my name is in there because of patches I've submitted to djb. Granted, he rewrote most of my code because his design was better than mine, but just because most patches 1) suck, 2) aren't necessary, 3) make the code worse, and 4) are badly designed, doesn't mean that all are.

Re:Why do you think you need a license? (0)

Anonymous Coward | more than 8 years ago | (#14935980)

Downloading /is/ making a copy.

Unlike the GNU GPL, copyright law does not make a distinction between "copying" and "distributing". That is why (in the US) you have the fair use right to make *one* copy of any copyrighted work for archival purposes. You cannot make two copies -- even if neither ever leaves your possession -- without explicit permission (ie, a license) from the copyright holder.

If you were allowed to, say, make an arbitrary number of copies of MS Windows so long as you didn't distribute it, you would be allowed to install it on an arbitrary number of computers /without violating copyright law/. Now, since a corporation is a person under the eyes of the law, GM could buy a single copy of WinXP and install it on every single one of its desktop systems. Sure, they'd be in violation of the EULA, but (legitimacy of shrink-wrap EULAs notwithstanding) that falls under an entirely different section of law (ie, contract law).

Obviously this is not the state of affairs under the current regime, so by contradiction QED.

Re:Why do you think you need a license? (1)

Russ Nelson (33911) | more than 8 years ago | (#14936076)

Downloading /is/ making a copy.

True, but it is djb who is making the copy, not you. Every copy he gives you is a legally independent copy, which you are free to do whatever you want with, including give it away to someone else.

You cannot make two copies without explicit permission (ie, a license) from the copyright holder.

So? If you download a copy A of djb's software, and then legally copy it to make A', and you want another copy B, just go download it. djb is happy to give you as many separate copies of his software as you think you need.

Re:Why do you think you need a license? (0)

Anonymous Coward | more than 8 years ago | (#14936125)

Sure. I wasn't disagreeing with your point about djbdns per se, but with the statement as descriptive of copyright in general.

Re:Why do you think you need a license? (1)

kimvette (919543) | more than 8 years ago | (#14936091)

Why do you think you need a license? Copyright law doesn't impose ANY restrictions on what you do with something you've downloaded. It only stops you from making copies.

You got that ALMOST right. Let's correct it:

Why do you think you need a license? Copyright law doesn't impose ANY restrictions on what you do with something you've downloaded. It only stops you from making and distributing copies which are not in accordance with the Fair Use clause.

There. Much better. Methinks you work for the MPAA or RIAA.

Re:Why do you think you need a license? (2, Insightful)

Russ Nelson (33911) | more than 8 years ago | (#14936137)

Yeah, but we're not talking about copying which falls under fair use. Incorporating a copy of code into a unidiff patch would be fair use (commentary). Making a copy of a djb subroutine for pedantic purposes ("see how he does this") would be fair use. Making a copy of code which is no longer for sale and cannot be purchased for any reasonable price might be fair use. Making a copy of code which is freely downloadable elsewhere -- even if you use it to create a derived work -- is almost certainly not fair use. Fair use always ends up being a judgment call on part of a judge. You'd always prefer not to have to rely on fair use.

Re:Why do you think you need a license? (1)

cperciva (102828) | more than 8 years ago | (#14936412)

Making a copy of a djb subroutine for pedantic purposes ("see how he does this") would be fair use.

I hate to be pedantic about this, but I think you mean pedagogical purposes.

Re:djbdns (1)

rob_squared (821479) | more than 8 years ago | (#14935683)

Isn't this just another iteration of, "people abuse technology?"

Though if you're setting up a DNS server, you should have a fair amount of expertise on how those abuses can arise and limit the possibility.

Re:djbdns (0)

Anonymous Coward | more than 8 years ago | (#14935845)

caveat: I am admittedly not the world's greatest DNS admin. I wouldn't mind running a couple of slaves on djbdns, but fuck me skating if there's a way to transfer my DNS data over. I have roughly 200 domains I'm admin for, and about 75 class-C nets. There's no way I'm going to copy that data in by hand. djbdns' docs are mind-numbing in both obtuseness and readability and AFAIK there's no way to manage the damn thing via any sort of GUI.

Doctor, it hurts when I go like this (3, Insightful)

$RANDOMLUSER (804576) | more than 8 years ago | (#14935545)

> 'To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'

OK, don't do that then.

Re:Doctor, it hurts when I go like this (1)

mph (7675) | more than 8 years ago | (#14935689)

No, this is: "Doctor, it hurts me when that guy over there does this..."

"Don't do that, then" is not helpful advice to the people who are suffering from this attack.

Recursion == recursion == recursion == ... (3, Funny)

bcat24 (914105) | more than 8 years ago | (#14935581)

recursion: n.

    See recursion [catb.org] . See also tail recursion [catb.org] .

From the Jargon File [catb.org] .

Could someone explain how the attack works? (1, Interesting)

defile (1059) | more than 8 years ago | (#14935601)

From what I understand of DNS resolvers, this attack can't work unless there's another compromise at play here. Either a compromise of one of the victim host's zones, or a compromise of the servers hosting the open resolvers themselves.

Re:Could someone explain how the attack works? (5, Informative)

Anonymous Coward | more than 8 years ago | (#14935677)

No compromise needed. You just send requests to the DNS server spoofing yourself as the victim's IP. (UDP is much easier to spoof, and can be sent out very quickly.) The replies, which are some 30 times larger than the requests, get sent to the spoofed IP (victim). It is a classic form of amplification attack.

Re:Could someone explain how the attack works? (0, Troll)

winkydink (650484) | more than 8 years ago | (#14935679)

Come on now. How dare you confuse the hyperbole with things like facts.

Re:Could someone explain how the attack works? (5, Informative)

LurkerXXX (667952) | more than 8 years ago | (#14935700)

Then you don't understand DNS resolvers. Did you bother reading the linked site? All you need to do is query an open resolver with some domain you set up (ex my.spam.com), then change the authoritative DNS of your registered domain to the target open DNS resolver. Now whenever someone anywhere in the world queries for my.spam.com, it hits your DNS server (until their local server caches it). It looks like you are hosting the spammer.

Another problem (quoting a post on the other site): "they can send a 70 byte packet to your DNS server, and your DNS server will send a 500+ byte packet to the victim. With EDNS0, that can be 4,000+ bytes.

So with a dialup account, it would be possible to saturate a T1."

There's plenty of ways for them to mess with you without any 'compromised' machines on your network.

Re:Could someone explain how the attack works? (1, Informative)

Anonymous Coward | more than 8 years ago | (#14936008)

The problem is not only with the amplitude increase, but with the multiple responses. The most common amplification ratio is 2.5:1 (a 47 byte packet with a 117 byte return). Compound that with the fact that it is trivial to find servers that replay this back 8-12 times, and you've got a real problem. 8 * 2.5 gives you a total of a 20x amplification of the packets you send out, which is fairly significant. Also, servers that replay these responses up to 24 times are not uncommon. This type of thing has been around for years, but it is only now coming into the spotlight as it becomes a more common method of attack.
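To make the numbers in the three posts above concrete (the spoofed-source query, the 70-byte request against a 500+ or 4,000+ byte reply under EDNS0, and the 2.5:1 ratio multiplied by servers that replay the answer 8-12 times), here is an added Python example. It is not code from the thread, the AP story or any DNS project: it builds a DNS query in wire format, optionally with an EDNS0 OPT record advertising a 4096-byte UDP buffer, builds a constructed in-memory reply (the record contents and sizes are made up for illustration), and computes the amplification factor and whether a reply marks the server as an open recursive resolver. Nothing is sent on the network.

```python
import struct

# Constructed example: builds DNS packets in memory only; nothing is sent.

def _encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=255, rd=True, edns_udp_size=None, txid=0x1234):
    """Wire-format query. qtype 255 is ANY, the type attackers favour because
    it returns every record at the name. edns_udp_size adds an EDNS0 OPT
    record (RFC 2671) telling the server it may send UDP replies that large."""
    flags = 0x0100 if rd else 0x0000           # RD: ask the server to recurse
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP size, TTL 0, no RDATA
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt

def parse_header(packet):
    """Decode the 12-byte DNS header into its flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def _question_section(query):
    i = 12
    while query[i] != 0:                        # walk labels to the root byte
        i += 1 + query[i]
    return query[12:i + 1 + 4]                  # name + QTYPE + QCLASS

def build_response(query, answers, ra=True, rcode=0):
    """Constructed reply to `query`. `answers` is a list of (rtype, rdata)
    tuples; each answer RR uses a compression pointer (0xC00C) back to the
    question name, as real servers do."""
    h = parse_header(query)
    flags = 0x8000 | (0x0100 if h["rd"] else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", h["id"], flags, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
                   for rtype, rdata in answers)
    return header + _question_section(query) + rrs

def is_open_resolver(response):
    """An open recursive resolver answers a recursive query for a name it is not
    authoritative for: RA set, NOERROR, at least one answer. A properly closed
    server returns REFUSED (rcode 5) or a referral with RA clear."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0

def amplification(query, responses):
    """Bytes that reach the spoofed victim per byte the attacker sends.
    `responses` may contain the same reply several times, modelling servers
    that retransmit the answer (the 8-12x "replay" mentioned above)."""
    return sum(len(r) for r in responses) / len(query)

if __name__ == "__main__":
    q = build_query("example.com", qtype=255, edns_udp_size=4096)
    # Constructed ANY answer: ten 100-byte TXT records at the name.
    txt = [(16, bytes([99]) + b"x" * 99)] * 10
    big = build_response(q, txt)
    refused = build_response(q, [], ra=False, rcode=5)
    print(len(q), "byte query ->", len(big), "byte reply; open:", is_open_resolver(big))
    print("amplification, one reply: %.1fx" % amplification(q, [big]))
    print("amplification, replayed 8 times: %.1fx" % amplification(q, [big] * 8))
    print("closed server reply:", len(refused), "bytes; open:", is_open_resolver(refused))
```

The 40-byte query against the constructed 1149-byte reply gives about 29x, in line with the "some 30 times larger" figure above, and eight replays of the same reply push it past 200x. Against a real server the same `build_query` output sent over UDP and fed to `is_open_resolver` is the whole test for an open resolver; a server that returns REFUSED with RA clear is closed.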

Re:Could someone explain how the attack works? (0)

Anonymous Coward | more than 8 years ago | (#14936010)

The same way /. works, if your site gets posted.

That's a bold statement (2, Interesting)

fak3r (917687) | more than 8 years ago | (#14935602)

having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'

Anyone want to discuss how DNS Cache [cr.yp.to] addresses this? AFAIK this is a pretty "safe" way to provide DNS to at least a small sized network - but that's all I run it on. Comments, concerns, advice?

Re:That's a bold statement (1)

kindbud (90044) | more than 8 years ago | (#14936321)

Well to start with, dnscache supports simple ACLs for recursion requests. You can have a publicly accessible DNS cache for your organization, which won't recurse for the whole world. Better to use a VPN, though, but not everyone can do that. So if you gotta do it, dnscache is a good choice.

The authoritative server tinydns does not cache at all, and so it is useless for this attack.

GREAT... (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14935607)

Now if only someone could do this to slashdot... Then the Web would be a better place... ;-)

Re:GREAT... (1)

pheco (957437) | more than 8 years ago | (#14936221)

Now if only someone could do this to slashdot... Then the Web would be a better place... ;-)

Yeah then people wouldn't be able to find out about such things and thus not do them to slashdot?

Old News (0)

Anonymous Coward | more than 8 years ago | (#14935629)

This has been happening for years, and security folks have been saying to make sure you don't have recursive DNS servers open to the public for years. Not sure how this is news.

Re:Old NEws (4, Informative)

Intron (870560) | more than 8 years ago | (#14935889)

Correct. Here [cert.org] is the CERT writeup from 2000.

Disable recursion in BIND (5, Informative)

Ponga (934481) | more than 8 years ago | (#14935646)

Put this line in your zone definition:
recursion no;

Problem solved.

Re:Disable recursion in BIND (0)

Anonymous Coward | more than 8 years ago | (#14935922)

Problem solved......unless your customers rely on your name servers for dns.

Re:Disable recursion in BIND (1)

tepples (727027) | more than 8 years ago | (#14936059)

unless your customers rely on your name servers for dns.

Then have two separate DNS servers: one non-recursive server in the DMZ for serving your domain to the Internet and one recursive server behind the firewall for serving the Internet to your customers.

Re:Disable recursion in BIND (1)

Cheeze (12756) | more than 8 years ago | (#14936120)

let customers behind your firewall for dns?

What kind of network are you running?

If you have internet-based customers that get services from you that require DNS, you better turn on recursion or those will be some pissed off customers.

Re:Disable recursion in BIND (1)

Kakurenbo Shogun (64436) | more than 8 years ago | (#14936100)

I tightened up my DNS configuration when it was being abused for one of these attacks [geckotribe.com] last October by adding the following to named.conf:

options {
      allow-recursion { 127.0.0.1/32; };
};

That allows my server to use the local copy of bind for recursive queries, but limits everyone else to queries for which my server is authoritative. Bandwidth usage went from practically off the chart to low enough not to cost me extra for bandwidth immediately, and soon the attacker stopped trying to abuse my server.

overwhelming floods of amplified data (1, Informative)

digitaldc (879047) | more than 8 years ago | (#14935654)

Name servers are specialized computers that help direct Internet traffic to its destinations. The attacker then sent falsified requests to the compromised directory computer, which unleashed overwhelming floods of amplified data aimed wherever the attacker wanted.

Suggestion:
-Verify requests
-Verify directory computers have not been compromised
-Disallow amplified data
-Build a new secure system for handling traffic

There is a defense (3, Funny)

Alwin Henseler (640539) | more than 8 years ago | (#14935793)

FTA: "Silva said the attacks earlier this year used only about 6 percent of the more than 1 million name servers across the Internet to flood victim networks. Still, the attacks in some cases exceeded 8 gigabits per second, indicating a remarkably powerful electronic assault."

/.ers will know that only the mighty foot of Chuck Norris [chucknorrisfacts.com] is powerful enough to kick back such a massive DDoS attack. There is a problem though: since there is only 1 of him, Chuck can't defend more than one site at a time. And of course his hourly rates are a bit steep, too.

Vary your mileage may.

Re:There is a defense (0, Offtopic)

SomeoneGotMyNick (200685) | more than 8 years ago | (#14935885)

Chuck can't defend more than one site at a time

He also can't sing either... as evidenced on the theme song of Walker, Texas Ranger.

(sniff..... sniff..sniff..) I love the smell of burning karma in the morning.

Split-split DNS Design (4, Informative)

lazarus (2879) | more than 8 years ago | (#14935945)

For enterprise systems a split-split DNS design is the best. There are three components to this design:

ADVERTISER
RESOLVER
INTERNAL

The advertiser sits outside, Internet-facing, and is only responsible for resolving outside queries for your own domains. It does not do recursion or dynamic updates, and has a secured cache.

The resolver and internal sit inside, are intranet-facing, and handle internal requests for outside domains, and internal requests for internal domains respectively.

There are lots of articles on-line which show how to set this up.

Re:Split-split DNS Design (2, Informative)

eqdar (820698) | more than 8 years ago | (#14936433)

Exactly -- a split DNS setup is quite easy to implement, and is an elegant solution

There are lots of articles on-line which show how to set this up.

You might want to check http://www.castalie.org/Linux/DNS.html [castalie.org] for an example using BIND as an internal resolver and NSD as an authoritative-only advertiser.

Recursion considered harmful (4, Funny)

Anonymous Coward | more than 8 years ago | (#14935952)

Should have used gotos! -1 for the functional language weenies!

Known since February 2000 (0)

Anonymous Coward | more than 8 years ago | (#14935956)

TESO - Nameserver traffic amplify and NS route discovery [seclists.org] .

Who does not learn from history is doomed to repeat it... oh, wait, its still the same bug.

In other news... (1, Redundant)

fahrbot-bot (874524) | more than 8 years ago | (#14935974)

...researchers have confirmed that posting a link in a Slashdot article is just as effective as other DDoS Attacks.

When BIND is fixed I'll implement it (1, Interesting)

jmorris42 (1458) | more than 8 years ago | (#14936022)

There really isn't a good reason one nameserver can't serve internal and external users. All that is needed is for recursive lookups to be restricted to the internal IP space. It doesn't look like BIND can currently do that, but I suspect that if this problem is really serious it will quickly gain the ability.

Some of us don't like the idea of maintaining more servers than are absolutely required, this looks like a pretty bogus reason to install another set of nameservers.

Re:When BIND is fixed I'll implement it (1)

questionlp (58365) | more than 8 years ago | (#14936113)

You can use the allow-recursion directive to limit the IP addresses that are allowed to do recursion. For instance, if your internal IP space is 192.168.0.0/24 and want to allow localhost recursion, use the following in the options section of named.conf.

allow-recursion { 127.0.0.1; 192.168.0.0/24; };

I don't know if it's foolproof, but it's better than no restrictions at all.

Re:When BIND is fixed I'll implement it (0)

Anonymous Coward | more than 8 years ago | (#14936275)

Uhh...

allow-recursion { 127.0.0.0/8; 192.168.0.0/24; };

Or else 127.168.32.117 (still localhost) doesn't work.

Hasn't BIND implemented it already? (1)

swb (14022) | more than 8 years ago | (#14936222)

Hasn't it been fixed for some time via the allow-query and allow-recursion configuration options?

Re:When BIND is fixed I'll implement it (0)

Anonymous Coward | more than 8 years ago | (#14936230)

Uh, yeah, bind can do it. You can either set up two different views, one for recursive queries and one for authoritative queries, or you can just do an allow-recursion { whatever }; I guess reading the docs instead of posting nonsense would be out of the question though, huh?

Of course there is... (4, Informative)

emil (695) | more than 8 years ago | (#14936309)

There really isn't a good reason one nameserver can't serve internal and external users.

Back in the bind 4 days, when I did serious DNS, my company wanted a few servers visible in their domain(s) for external dns host resolution.

For people behind the firewall, they wanted a far more extensive list of hosts that were not to be seen for queries outside the firewall.

I did this by using scp to transfer the zone files from the external to the internal DNS server; the internal server would then "cat" the additional hosts to the zone and HUP the named.

AFAIK modern BIND uses "zones" so you can accomplish the above on one server, if you want. I've never used it, but I can see a number of situations where I'd need my above solution even with this feature.

What BIND needs is not a "recursion no;" option, but instead a "recursion eth0;" or "recursion 1.2.3.*;" so recursive queries must originate from a trusted network.

Remember also that not everyone in the world uses BIND - people with ActiveDirectory or NDS name servers might be screwed until a vendor patch.

Re:Of course there is... (0)

Anonymous Coward | more than 8 years ago | (#14936457)

While the internal vs. external hosts issue is quite easy to fix these days, what BIND still lacks is a way to synchronize both lists to a secondary server. Currently, the secondary can only transfer the zones it sees.

Re:When BIND is fixed I'll implement it (5, Informative)

19thNervousBreakdown (768619) | more than 8 years ago | (#14936312)

view "internal" {
  match-clients {
    10.0.0.0/8;               // views are matched in order; list 127.0.0.0/8 too if the box resolves for itself
  };
  recursion yes;
  zone "example.com" {
    type master;
    file "example.com.internal";   // full internal host list (file name illustrative)
  };
};

view "external" {
  match-clients {
    any;                      // everyone who did not match "internal"
  };
  recursion no;
  zone "example.com" {
    type master;
    file "example.com.external";   // only the publicly visible hosts (file name illustrative)
  };
};

Re:When BIND is fixed I'll implement it (2, Informative)

GeekWithGuns (466361) | more than 8 years ago | (#14936425)

There already is a fix in BIND (at least in the 9.2.4 release shipped with RHEL 4 & all like distros). Just add this to your "options" section of your bind.conf:

allow-recursion { localhost; mygroup; 10.10.10.1; 10.2.3.0/24; };

This would allow the localhost, the machines on the mygroup ACL, one computer at 10.10.10.1 and all the hosts in 10.2.3.0/24 access to recursive queries.

If you don't need to provide recursive lookups at all, you can just use this:

recursion no;

old new (2, Informative)

7x7 (665946) | more than 8 years ago | (#14936032)

This is old news. If you're running an open DNS server, you're very likely participating in someone else's DDoS attack and have been for the last couple of years. We bought a company last year and part of my job was to assimilate their DNS systems that were reportedly flaking out constantly. I can't speak to the people running the servers before me, but the diagnosis was easy. Once we turned off recursion and convinced the network not to let spoofed UDP packets enter the network, the attacks stopped instantly.

1 question? (1)

CrackedButter (646746) | more than 8 years ago | (#14936078)

Would doing this get you banned from WoW?

Re:1 question? (1)

sabat (23293) | more than 8 years ago | (#14936151)

Only if you are running Cosmos. I heard that's bannz0rd. Also, hunters are losing aim-shoot, and the rogue class is getting canceled altogether (all rogues will automatically become warrior class). And all Alliance races will be getting a new racial ability: Detect Horde.

slashdot DNS is OPEN! (4, Informative)

Anonymous Coward | more than 8 years ago | (#14936157)

http://www.dnsreport.com/tools/dnsreport.ch?domain=slashdot.org [dnsreport.com]

FAIL Open DNS servers ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

Server 66.35.250.12 reports that it will do recursive lookups. [test]
Server 12.152.184.136 reports that it will do recursive lookups. [test]
Server 12.152.184.135 reports that it will do recursive lookups. [test]

See this page for info on closing open DNS servers.
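The dnsreport check above only looks at the RA bit. The script below, added here and not code from the thread or from dnsreport.com, goes one step further: it builds a DNS query with RD set for a name the server is assumed not to be authoritative for (example.net. is that assumption), classifies the reply from the RA bit, the RCODE and whether an answer actually came back, and reports the amplification ratio (response bytes over query bytes) that a reflector would hand an attacker. Only send_query() touches the network; the two sample replies are constructed by hand, not captured from any real server.

```python
"""Check whether a nameserver answers recursive queries for names it does not
serve, which is what makes it usable as a DDoS reflector.

Added example; not from the Slashdot thread or from dnsreport.com.  Everything
except send_query() works offline on bytes, and the sample replies below are
constructed by hand (a hypothetical server answering for "example.net.", a name
we assume it is not authoritative for).
"""
import socket
import struct

HDR = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
QTYPE_A, QCLASS_IN = 1, 1
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    # flags 0x0100: QR=0, opcode QUERY, RD=1 -- we explicitly ask for recursion
    return (HDR.pack(txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN))


def parse_response(query: bytes, resp: bytes) -> dict:
    """Pull out the header bits that matter plus the amplification ratio."""
    if len(resp) < HDR.size:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = HDR.unpack_from(resp)
    if txid != struct.unpack_from("!H", query)[0]:
        raise ValueError("transaction id mismatch")
    return {
        "aa": bool(flags & 0x0400),      # authoritative answer
        "ra": bool(flags & 0x0080),      # server says recursion is available
        "rcode": flags & 0x000F,
        "answers": an,
        "amplification": len(resp) / len(query),
    }


def classify(f: dict) -> str:
    """Label a server from its reply to a query for a name it is NOT authoritative for."""
    if f["rcode"] == RCODE_REFUSED:
        return "closed"                  # recursion off, or the allow-recursion ACL said no
    if f["ra"] and f["rcode"] == 0 and f["answers"] > 0 and not f["aa"]:
        return "open-recursive"          # it fetched the answer for us: a usable reflector
    if f["ra"]:
        return "advertises-recursion"    # RA set but no usable answer; still worth fixing
    return "authoritative-only"


def send_query(server: str, name: str, qtype: int = QTYPE_A, timeout: float = 3.0) -> bytes:
    """The only networked step: one UDP/53 round trip to the server under test."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    return resp


def check_server(server: str, name: str = "example.net.") -> str:
    q = build_query(name)
    return classify(parse_response(q, send_query(server, name)))


# --- constructed replies for offline use (not captured from any real server) ---
def sample_open_reply(query: bytes) -> bytes:
    """QR,RD,RA set, NOERROR, one A record pointing back at the question name."""
    question = query[HDR.size:]
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
              + bytes([192, 0, 2, 10]))
    return HDR.pack(0x1234, 0x8180, 1, 1, 0, 0) + question + answer


def sample_refused_reply(query: bytes) -> bytes:
    """QR,RD set, RCODE=REFUSED: what a closed, authoritative-only BIND sends back."""
    return HDR.pack(0x1234, 0x8105, 1, 0, 0, 0) + query[HDR.size:]


if __name__ == "__main__":
    q = build_query("example.net.")
    for label, reply in (("open", sample_open_reply(q)), ("refused", sample_refused_reply(q))):
        f = parse_response(q, reply)
        print(label, classify(f), "amplification=%.2f" % f["amplification"])
```

A plain A query gives a ratio of about 1.5 even in the constructed case; the attacks in the story use queries whose answers are far larger than the question (large TXT or ANY responses), so run check_server() with a bigger qtype as well before deciding a server is harmless.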

Re:slashdot DNS is OPEN! (1)

J0nne (924579) | more than 8 years ago | (#14936463)

Obviously that is the thing causing the slashdot effect...

And to say CmdrTaco blamed it on us, the innocent readers with souped up Firefoxes and Reloadevery extensions...

History repeats itself (1, Funny)

Anonymous Coward | more than 8 years ago | (#14936267)

Back in 1983, IBM put Microsoft's "PC-DOS" on a "microcomputer." It was later renamed by Microsoft to MS-DOS, then simply DOS.

Digital Research cloned it and improved it in the late 1980s (early '90s?), making a program called DR-DOS that pundits called "a better DOS than DOS."

Flash forward to Yahoo News: [yahoo.com]

"Experts call the attack technique a 'distributed reflector denial of service,'" says the site.

So once again, DoS has been supplanted by DRDoS.

Re:History repeats itself (0)

Anonymous Coward | more than 8 years ago | (#14936377)

LOL.

Now if only Microsoft would fix Windows so it won't allow DRDoS...

DDoS? "R", matey! (2, Informative)

spyrochaete (707033) | more than 8 years ago | (#14936336)

This isn't just a simple DDoS because DNS servers point many other resources at the attack target. This makes it a Distributed Reflective Denial of Service attack, or DRDoS. I published an article on this topic in 2600 Hacker Quarterly magazine in 2004. I was a network/security student when I wrote it, so it might not teach you ubergeeks anything new.

http://hyppy.zapto.org/DRDoS-Spyrochaete.html [zapto.org]

TV Media (1)

Klowner (145731) | more than 8 years ago | (#14936343)

Oddly enough, just the title of this article alone explained the threat much more clearly than the anchorwoman on TV at noon. Why do they even report tech stuff if they can't even explain the problem? Sorry, this is off topic but I felt like whining about something..
