Open DNS resolvers behind gigantic DDoS

Internet network performance company CloudFlare has identified the nature of and networks behind a massive distributed denial of service attack against one of its customers.

Writing on the company's blog, Matthew Prince said a CloudfFare customer has been hit by a persistent attacker for the past three weeks, sending at least 20 Gbps of traffic around the clock.

Prince said that as CloudFlare had been able to mitigate the impact, the company decided to let the attack run its course and study it.

It found that the attack is done through Domain Name System (DNS) queries, using the stateless User Datagram Protocol (UDP) with spoofed source addresses.

Attackers can issue a small, 64-byte DNS query which produces a large reply from server, several kilobytes in size.

Prince said these DNS Amplification attacks produce some of the largest DDoS floods, with traffic in the gigabits per second range. One such attack reached 65 Gbps, he said.

The attacks make use of so-called open DNS resolvers that respond to recursive queries from any host on the Internet.

Prince called these the "bane of the Internet" and said the problem is at least a decade old.

"In total, we've seen 66,459 unique open resolvers participating in the attack," Prince wrote.

To stop resolvers from being abused in DDoS attacks, recursion should be turned off. Resolvers should only respond to queries from the network they're serving, he said.

In the comments, Paul Vixie of the Internet Systems Consortium and one of the authors of the Berkeley Internet Name Daemon (BIND) suggested limiting the number of responses transmitted from authoritative servers to queries that come from the same place and which have the same answer.

"Powerful authority DNS servers are like orbital death rays, triggered by anybody," Vixie said.

Public DNS resolvers such as OpenDNS and Google allow recursive queries from any IP address, but have rate-limiting in place to prevent abuse, Prince noted.

While the United States has the most open resolvers due to the sheer number of networks in that country, per capita, Taiwan is also a significant offender.

According to Cloudflare, Australia has 1237 open resolvers, almost as many as India. New Zealand has 167.