DNS problem linked to DDoS attacks gets worse

Consumer modems are blamed for the rise in open recursive DNS servers

Internet security experts say that misconfigured DSL and cable modems are worsening a well-known problem with the Internet's DNS (domain name system), making it easier for hackers to launch distributed denial-of-service (DDoS) attacks against their victims.

According to research set to be released in the next few days, part of the problem is blamed on the growing number of consumer devices on the Internet that are configured to accept DNS queries from anywhere, what networking experts call an "open recursive" or "open resolver" system.

As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers said Cricket Liu, vice president of architecture with Infoblox, the DNS appliance company that sponsored the research. "The two leading culprits we found were Telefonica and France Telecom," he said.

In fact, the percentage of DNS systems on the Internet that are configured this way has jumped from around 50 percent in 2007, to nearly 80 percent this year, according to Liu.

Though he hasn't seen the Infoblox data, Georgia Tech Researcher David Dagon agreed that open recursive systems are on the rise, in part because of "the increase in home network appliances that allow multiple computers on the Internet."

"Almost all ISPs distribute a home DSL/cable device," he said in an e-mail interview. "Many of the devices have built-in DNS servers. These can sometimes ship in 'open by default' states."

Because modems configured as open recursive servers will answer DNS queries from anyone on the Internet, they can be used in what's known as a DNS amplification attack.

In this attack, hackers send spoofed DNS query messages to the recursive server, tricking it into replying to a victim's computer. If the bad guys know what they're doing, they can send a small 50 byte message to a system that will respond by sending the victim as much as 4 kilobytes of data.

By barraging several DNS servers with these spoofed queries, attackers can overwhelm their victims and effectively knock them offline.

DNS experts have known about the open recursive configuration problem for years, so it's surprising that the numbers are jumping up.

However, according to Dagon, a more important issue is the fact that many of these devices do not include patches for a widely publicized DNS flaw discovered by researcher Dan Kaminsky last year. That flaw could be used to trick the owners of these devices into using Internet servers controlled by hackers without ever realizing that they've been duped.

Infoblox estimates that 10 percent of the open recursive servers on the Internet have not been patched.

The Infoblox survey was conducted by The Measurement Factory, which gets its data by scanning about 5 percent of the IP addresses on the Internet. The data will be posted here in the next few days.

According to Measurement Factory President Duane Wessels, DNS amplification attacks do occur, but they're not the most common form of DDoS attack.

"Those of us that track these and are aware of it tend to be a little bit surprised that we don't see more attacks that use open resolvers," he said. "It's kind of a puzzle."

Wessels believes that the move toward the next-generation IPv6 standard may be inadvertently contributing to the problem.

Some of the modems are configured to use DNS server software called Trick or Tread Daemon (TOTd) -- which converts addresses between IPv4 and IPv6 formats. Often this software is configured as an open resolver, Wessels said.

Join the CSO newsletter!

Error: Please check your email address.

Tags dns flawddosDNS

More about France TelecomInfobloxTelefonica

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert McMillan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place