IT Pro confession: I contributed to the DDOS attack against Spamhaus

79 points by esalazar, about 12 years ago

9 comments

sciurus, about 12 years ago
"""Let's say that you leave your recursive server open to the internet. Now not only can you ask your DNS server for information about other DNS servers on the internet, so can anyone else. If someone asks your server "where is www.google.com" a whole bunch of times then your server starts flooding google.com's DNS servers. For every 1 byte of data sent to your DNS server 50 bytes of traffic end up directed at the target."""

This explanation is skipping a key component of a DNS reflection attack. When the attacker makes a DNS request, they spoof their source address so it is the address of the host they want to attack. Thus they send a small request to your DNS server, and your DNS server returns a large response not to them, but to the host they're attacking.
brokentone, about 12 years ago
The post slug is the best part of this article by far: "i_accidentally_the_internet" Full current URL in case it gets updated: http://www.theregister.co.uk/2013/03/28/i_accidentally_the_internet/
laumars, about 12 years ago
I have a couple of name servers I've inherited since starting my job. How would I go about testing these servers to see if they're set up correctly (obviously I'm not interested in the forged UDP packets side of things, only testing to make sure that recursive lookups are disabled)?
mindstab, about 12 years ago
What's a simple way to confirm by test that your DNS server isn't doing recursion?
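An added example, not part of the original thread, for the two questions above about confirming that recursion is off: send a query with the RD (recursion desired) bit set and read the RA (recursion available) bit, RCODE and answer count from the reply header. The function names, the query ID and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct

RD, RA = 0x0100, 0x0080          # header flag bits (RFC 1035)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Build an A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify(response, qid=0x1234):
    """Decide from the response header whether the server recursed for us."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    if flags & RA and rcode == "NOERROR" and ancount > 0:
        return "open: recursion available and the query was answered"
    if flags & RA:
        return f"recursion advertised, rcode {rcode}, {ancount} answers"
    return f"closed: recursion not available (rcode {rcode})"

def check_server(server_ip, name, timeout=3.0):
    """Send one query over UDP to a server you administer and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        return classify(s.recvfrom(4096)[0])

# Constructed sample responses (header only), not captured traffic.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)       # QR RD RA, 1 answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)    # QR RD, REFUSED
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0)  # QR RD, referral only

if __name__ == "__main__":
    for label, pkt in [("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED),
                       ("referral", SAMPLE_REFERRAL)]:
        print(label, "->", classify(pkt))
```

Run `check_server` from a host outside the networks the server is meant to serve, with a name the server is not authoritative for; a query from an allowed internal address, or for one of its own zones, will be answered even on a correctly restricted server.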
metalruler, about 12 years ago
I don't understand why it's *necessary* for the server to be open, and have recursion enabled. I run a couple of authoritative name servers and have seen them used for amplification attacks. Sure, it's not as easy as querying every open recursive DNS server you can find for <single_domain_with_huge_sized_reply>.com, but there's still (literally) billions of unique hostnames on the internet which can be resolved "legitimately" via their authoritative name servers. There is no magical config option to prevent this; the only way to block this type of activity is to analyze traffic to find IPs that are repeatedly sending the same [spoofed] request.
unethical_ban, about 12 years ago
Some have suggested that DNS move to TCP, but I don't think that's proper. The nature of DNS lends itself to connectionless, lightweight communication. That said, could the next iteration of DNS implement application-level handshaking?

The reason not to do this at layer 4 is because I, in the several minutes of pondering it, think it could break lots of security devices that track connection state across lots of computers in a network. Make some kind of

    C -> S request
    C <- S ack
    C -> S yes
    C <- S lots of data
    done

    C -> S request
    C <- S ack
    C -> S no
    done
ajross, about 12 years ago
This really is a real issue. My home machine was an open recursor for a while too. I set up a dnsmasq installation and forgot to set an "except-interface" to restrict it to the internal network.

I even like to think I know this stuff well, but still got burned. I'm sure at the time my security analysis (if I even thought of the externally-facing issue) was "who cares if I expose a caching nameserver with no sensitive content to the rest of the internet?".
SageRaven, about 12 years ago
How disappointing. I thought it was going to be the story of a fed-up email admin breaking down and DoS'ing one of the scourges of the internet.

Blacklists are pure evil, and nothing will ever change my opinion of that. They cause far more problems than they solve. Granted, it's usually by idiot, over-zealous mail admins who block on merely being listed anywhere, rather than by weighted score.
sunyc, about 12 years ago
One of my servers got exposed too; it was being queried for ripe.net.