Spamhaus attacks expose huge open DNS server dangers

Warnings of security problems posed by poorly configured DNS servers go mostly unheeded for years

Massive distributed denial of service attacks on Spamhaus this week focused widespread attention on the huge security threats posed by millions of poorly configured Internet Domain Name System (DNS) servers.

The attacks on Spamhaus that began March 19 were apparently launched by a group opposed to the Geneva, Switzerland-based volunteer organization's antispam work.

Several security firms described the attacks on the organization as the largest -- by far -- ever publicly known DDoS attacks to date.

In DDoS attacks, hackers typically try to take down a network by directing huge volumes of useless traffic to it. The traffic is usually generated using large botnets of compromised computers.

Large DDoS attacks have typically tended to involve between 4 gigabits per second to 10 Gbps of traffic.

The Spamhaus attacks involved traffic volumes that reached a staggering 300 Gbps -- said to be three times larger than the largest DDoS traffic seen to date and magnitudes greater than the traffic involved in a majority of past denial of service attacks.

The perpetrators behind the attack employed the well known, but infrequently used method DNS reflection to generate the huge stream of DDoS traffic directed against Spamhaus.

DNS servers are used primarily to look up and resolve domain names such as and to their corresponding IP addresses. If a DNS server does not have the domain information in its database or cache. it queries other nearby DNS servers for the information.

Ideally, DNS servers should be configured only to handle look up requests coming from within a specific domain or IP address range. So a DNS server belonging to an ISP should handle only requests coming from within the its IP address range.

In reality however, millions of DNS servers are configured by default to be open DNS resolvers that accept and respond to queries from outside their own domain, making them vulnerable to exploitation by attackers because virtually anyone on the Internet can use an open DNS server to handle genuine or malicious queries.

For instance, to generate DDoS traffic, the attackers behind the Spamhaus attack sent queries with a spoofed source address to tens of thousands of open DNS resolvers, said Matthew Prince, CEO of CloudFlare, which has been helping Spamhaus deal with the recent attacks.

The lookup requests were made to appear as if they came from Spamhaus. So the responses to the requests from the tens of thousands of open DNS resolvers were sent to Spamhaus, generating a huge volume of traffic.

To magnify the volume of traffic, the attackers crafted the look up queries in such a manner as to get each open DNS servers to respond with much larger volumes of data than normal, Prince said.

Denial-of-service attacks that take advantage of open DNS resolvers are not new.

As far back as in 2006, more than 1,500 organizations around the world were hit by a series of similar attacks, prompting wide concern from security experts.

Then, as now, many security experts warned that ISPs and others operating DNS servers must ensure that their systems are properly configured to prevent attacks such as the one launched against Spamhaus. The problem remains as pervasive as ever despite the warnings, experts note today.

The Open DNS Resolver Project , an effort by a group of security experts to draw attention to the issue, estimates that there are currently about 27 million DNS servers that are open resolvers. About 25 million of those pose a significant threat, according to the project's website.

According to Prince, barely 100,000 of the open resolvers were used to direct 300 Gbps of traffic against the organization. "What's spooky here is that only a tiny fraction of the open resolvers were used," he said. The attackers could easily have co-opted more DNS servers, Prince noted.

"This is a situations where some configuration changes on the DNS server side can help prevent the attacks," said Alex Cox, a principal security researcher with RSA Security's FirstWatch team.

But the required changes are difficult to get without a broad collaboration among ISPs. "The problem with a DNS attack is you can't really turn your DNS servers off," without causing widespread disruption, Cox said. "Once this thing blows over it will be interesting to see how some of the folks whose infrastructure was used, will respond."

The perpetrators of this week's attacks knew that Spamhaus had a good infrastructure in place to deal with denial of service attacks and therefore had to do something really big, said Dan Holden, director of the security and engineering response team at Arbor Networks.

Such attacks are not fully defendable but can be mitigated by ensuring that DNS servers are configured properly, he said. "The good news is that these open DNS resolvers will get a lot more visibility," following the attacks he said. "So hopefully the issue will get fixed."

Several standards are readily available to help ISPs and others operating DNS servers to configure systems to ensure they respond only to requests from their own users, said Mike Smith director of the customer security incident response team at Akamai.

DNS server operators also need to have egress filtering controls in place to ensure that the DNS traffic leaving their networks originated from inside their network, he said.

The Open DNS Resolver Project also calls on DNS server operators to consider implementing rate limiting software to prevent the sort of traffic amplification that was used in the Spamhaus attacks.

"There are things that need to get cleaned up. That is why we need some awareness of the problem," Smith said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingSpamhaussecuritycyberwarfare

More about Akamai TechnologiesArbor NetworksArbor NetworksGenevaHolden- General MotorsRSASwitzerlandTopicVeriSign Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place