A US company has named over 50 Australian network operators for helping supercharge a three-week distributed denial of service (DDoS) attack on one of its customers, but an Australian network engineer says the companies blamed probably aren’t at fault.

CloudFlare, a US-based website accelerator that recently opened a Sydney point of connection, has identified over 1,200 open DNS (domain name service) resolvers within Australia that helped make a botnet-controlled DDoS attack on its client large enough to rattle most businesses.

The top Australian “offender” that supported the 20 Gbps attack is Telstra, with 180 open DNS resolvers, followed by Austdomains.com.au, TPG, Uber Global and Net Logistics. The companies all had over 100 open DNS resolvers. Uber itself was the target of a DDoS attack that took it offline for over an hour this week.

DNS is the equivalent of a telephone directory that matches IP addresses with the name given to websites, while DNS resolvers act as a Directory Assistance service that helps users interact with the underlying database. Criminals that launch a DDoS are exploiting open DNS resolvers because the response to a DNS query is much larger than the initial request, according to CloudFlare’s CEO Matthew Prince. By hitting an open DNS server, an attacker can amplify a DDoS attack.

The problem for DDoS victims stems from the failure to verify the authenticity of the source of a request, says Prince. That means criminals can spoof a UDP request that is 64 bytes in size and can draw a response that is 50 times larger. The pay-off for criminals exploiting the absence of a check is that they can significantly amplify their attacks — or launch larger attacks without having so many zombie PCs.

“Some of the Australian networks have been helpful in beginning to clean up their space, some have not. We reached out to AU Cert, which is the organization to which you generally report network threats, but have not yet received a response,” Prince told cso.com.au.

While a 20 Gbps DDoS is large, DDoS protection service, Prolexic, in October declared it “the new norm”. Attacks on Chinese companies regularly reach 45 Gbps while Prolexic and rival, Arbor Networks, have recorded attacks greater than 100 Gbps in the last year.

The Australian companies in CloudFlare’s list of culprits included iiNet-owned ISP Internode, which had over 80 open resolvers that were used in the attack against CloudFlare’s client.

But that doesn’t mean Internode itself actually had 80 open DNS resolvers, according to network engineer Mark Newton.

“I’d be surprised if the ones run by Internode themselves weren’t locked down,” Newton told CSO.com.au. The problem that CloudFlare has identified more likely stems from operators’ customers.

“It’s probably more accurate to say that Internode customers have around 80 open DNS resolvers,” said Newton.

“If you happen to be a Telstra customer and you run up an instance of BIND on a Linux box at home and port-forward it to the outside world, it’s hardly fair for that to count as an open resolver on Telstra’s network, is it?”

One reason why DNS resolvers remain open is that BIND — the dominant DNS software — remains open by default in most operating systems, said Newton. CloudFlare’s list of offenders might incorrectly blame operators, but the concern it raised is nonetheless legitimate.

“It isn’t hard to use an [Access Control List] to close it, but most people don’t bother,” said Newton.
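A defender-side check for the open-resolver condition described above, added here as an example that is not from the article, CloudFlare or Newton: it classifies the reply that a resolver you operate sends to a client outside your network, and measures the response-to-request size ratio. The function names and the sample replies are constructed for illustration.

```python
import struct

RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS = IN

def classify_response(resp: bytes) -> str:
    """Classify a reply as seen by a client outside the resolver's own network."""
    if len(resp) < 12:
        return "malformed"
    (flags,) = struct.unpack("!H", resp[2:4])
    if not flags & 0x8000:                      # QR bit clear: not a response
        return "malformed"
    rcode = flags & 0x000F
    recursion_available = bool(flags & 0x0080)  # RA bit
    if rcode == RCODE_REFUSED:
        return "closed"                         # an ACL turned the outsider away
    if recursion_available and rcode in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "open"                           # recursed on behalf of an outsider
    return "no-recursion"

def amplification(query: bytes, resp: bytes) -> float:
    """Response size divided by request size."""
    return len(resp) / len(query)

# Constructed sample messages (not captured traffic).
QUERY = build_query("example.com")
REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUERY[12:]
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:] + ANSWER

if __name__ == "__main__":
    for label, reply in (("refused", REFUSED), ("open", OPEN)):
        print(label, classify_response(reply), round(amplification(QUERY, reply), 2))
```

The constructed reply carries a single A record, so its ratio is small; the ratio grows with the number and size of records in the response.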