Don’t blame Oz hosts for DDoS-amplifying DNS servers

A US company has named over 50 Australian network operators for helping supercharge a three-week distributed denial of service (DDoS) attack on one of its customers, but an Australian network engineer says the companies blamed probably aren't at fault.

CloudFlare, a US-based website accelerator that recently opened a Sydney point of presence, has identified over 1,200 open DNS (domain name system) resolvers within Australia that helped make a botnet-controlled DDoS attack on one of its clients large enough to rattle most businesses.

The top Australian "offender" supporting the 20 Gbps attack was Telstra, with 180 open DNS resolvers, followed by TPG, Uber Global and Net Logistics, each with over 100 open DNS resolvers. Uber Global itself was the target of a DDoS attack that took it offline for over an hour this week.

DNS is the Internet's equivalent of a telephone directory, matching the names given to websites with their IP addresses, while DNS resolvers act as a directory assistance service that performs the lookups in that database on behalf of users.

Criminals who launch a DDoS exploit open DNS resolvers, resolvers that answer recursive queries from any source address, because the response to a DNS query is much larger than the request, according to CloudFlare CEO Matthew Prince. By aiming queries at an open DNS server, an attacker amplifies the attack.

The problem for DDoS victims stems from the absence of any check on the source of a request, says Prince. That means criminals can spoof a 64-byte UDP request and draw a response 50 times larger.

The pay-off for criminals exploiting the missing check is a large multiplication of their attack: the resolver sends its oversized reply to the forged source address, which is the victim, so the botnet's own links carry only the small queries, and the same attack can be launched without so many zombie PCs.
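The mechanism described above, as an added example that is not from the article, CloudFlare or Prince: a Python script that builds the small query in DNS wire format exactly as a reflector receives it, constructs the kind of oversized reply an open resolver returns for a record-rich name, and works out the amplification factor on the wire. The example.com records, transaction id and record sizes are constructed for illustration, and nothing is transmitted.

```python
"""Added example, not code from the article or from CloudFlare: builds a DNS
query in wire format the way a reflector receives it, constructs the kind of
oversized reply an open resolver returns, and works out the amplification
factor. Nothing is sent on the network; all records are constructed here."""
import struct

QTYPE_ANY, QTYPE_A, QTYPE_TXT, QTYPE_RRSIG, QTYPE_DNSKEY = 255, 1, 16, 46, 48
IPV4_UDP_HEADERS = 28  # 20-byte IPv4 header + 8-byte UDP header


def encode_name(name):
    """Dotted name -> uncompressed DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name at off; returns (name, next offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                      # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)


def build_query(name, qtype, txid=0x1234, edns_size=4096):
    """A recursive query with an EDNS0 OPT record advertising a large UDP
    payload size: 40 bytes for example.com/ANY, 68 with IPv4+UDP headers."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)   # root owner, type OPT
    return header + question + opt


def build_response(query, rrs):
    """Constructed reflector reply: same id and question, flags QR|RD|RA, then
    each (type, ttl, rdata) as an answer owned by the question name, written as
    a compression pointer to offset 12. The reply goes to whatever source
    address the query carried; nothing in the DNS message proves who sent it."""
    txid = struct.unpack("!H", query[:2])[0]
    _, end = read_name(query, 12)
    question = query[12:end + 4]                   # name + qtype + qclass
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0)
    answers = b""
    for rtype, ttl, rdata in rrs:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def parse_response(msg):
    """Walk a DNS message and list its resource records as (owner, type, ttl, rdlen)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                   # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        records.append((owner, rtype, ttl, rdlen))
    return {"id": txid, "flags": flags, "records": records, "size": len(msg)}


def amplification(query, response, overhead=IPV4_UDP_HEADERS):
    """Bytes delivered to the spoofed victim per byte the attacker sends,
    counted on the wire (with IP and UDP headers), which is what links carry."""
    return (len(response) + overhead) / (len(query) + overhead)


def demo():
    """Constructed example.com zone answering ANY with 16 A, 10 TXT and
    RRSIG/DNSKEY-sized filler records, the kind of fat name an attacker picks."""
    query = build_query("example.com", QTYPE_ANY)
    rrs = [(QTYPE_A, 300, bytes([192, 0, 2, i])) for i in range(1, 17)]
    rrs += [(QTYPE_TXT, 300, b"\xff" + b"x" * 255) for _ in range(10)]  # 255-char strings
    rrs += [(QTYPE_RRSIG, 300, b"\x00" * 282), (QTYPE_DNSKEY, 300, b"\x00" * 260)]
    response = build_response(query, rrs)
    parsed = parse_response(response)
    assert parsed["id"] == 0x1234 and parsed["size"] == len(response)
    return len(query), len(response), len(parsed["records"]), amplification(query, response)


if __name__ == "__main__":
    q, r, n, amp = demo()
    print(f"query {q} B, reply {r} B, {n} records, amplification x{amp:.1f} on the wire")
```

With the constructed zone the reply comes out at a little over 50 times the size of the query once IP and UDP headers are counted, the order of magnitude the article cites. Real replies also echo an OPT record in the additional section; it is omitted here because it does not change the point, and a practitioner measuring a live resolver would simply compare the captured request and response lengths the same way.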

"Some of the Australian networks have been helpful in beginning to clean up their space, some have not. We reached out to AusCERT, which is the organization to which you generally report network threats, but have not yet received a response," Prince told

While 20 Gbps is a large DDoS, DDoS protection provider Prolexic declared it "the new norm" in October. Attacks on Chinese companies regularly reach 45 Gbps, while Prolexic and rival Arbor Networks have both recorded attacks above 100 Gbps in the last year.

The Australian companies in CloudFlare's list of culprits included iiNet-owned ISP Internode, which had over 80 open resolvers that were used in the attack against CloudFlare's client.

But that doesn't mean Internode itself ran 80 open DNS resolvers, according to network engineer Mark Newton.

"I'd be surprised if the ones run by Internode themselves weren't locked down," Newton told

The problem CloudFlare has identified more likely stems from the operators' customers.

“It’s probably more accurate to say that Internode customers have around 80 open DNS resolvers,” said Newton.

“If you happen to be a Telstra customer and you run up an instance of BIND on a Linux box at home and port-forward it to the outside world, it's hardly fair for that to count as an open resolver on Telstra's network, is it?”

One reason DNS resolvers remain open is that BIND, the dominant DNS software, is open by default in most operating systems, said Newton.

CloudFlare's list of offenders may blame the wrong parties, but the concern it raises is nonetheless legitimate.

"It isn't hard to use an [access control list] to close it, but most people don't bother," said Newton.
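As an added example, not configuration from the article, Newton, Internode, Telstra or ISC: a BIND 9 named.conf fragment with the open setting beside the ACL that closes it. The address ranges in the "trusted" ACL are placeholders and must be replaced with your own LAN or customer prefixes.

```conf
// Open resolver: recursion offered to every source address on the Internet.
options {
    recursion yes;
    allow-recursion { any; };
    allow-query { any; };
};

// Closed resolver: recursion and cache access only for networks you control.
// The prefixes below are placeholders; substitute your own LAN or customer ranges.
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;
    2001:db8::/32;
};

options {
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    allow-query { trusted; };   // widen to "any" only if this server also hosts authoritative zones
};
```

After `rndc reload`, test from an address outside the ACL with `dig @<your public address> example.com A`; the closed configuration answers with status REFUSED instead of a record. An authoritative-only server should set `recursion no;` instead, and the home Linux box Newton describes is closed simply by not port-forwarding UDP and TCP port 53 to it.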

Stories by Liam Tung