Major DDoS Attacks – Lock down Open DNS resolvers
Uncategorized March 30th, 2013Spamhaus, a major anti-spam group, has experienced unparalleled DDoS attacks (e.g., DDoS attack streams up to 300 gbps). Key safety advice is shared to mitigate this scale of attack so that a complete loss of the site does not occur:
QUOTE: The message then for anyone who maintains Internet infrastructure is simple: Lock down your DNS repeaters. “If you are an administrator of DNS services, it is critical that you configure your recursive name servers to only reply to your own network,” Wisniewski said. “If you must provide public DNS, be sure to apply filtering for abusive queries and ensure the frequency of queries is commensurate with your expected volumes.”
CloudFlare has been publicly calling on businesses to lock down their open DNS resolvers to help stem DDoS amplification attacks, which can easily achieve 100 Gbps of throughput. As of late 2012, CloudFlare reported seeing a single attack that used more than 68,000 DNS servers, while this week’s anti-Spamhaus DDoS attacks used more than 30,000 unique DNS resolvers. “We’re lucky they used only 30k DNS resolvers,” said Eugene Kaspersky, CEO of Kaspersky Lab, on Twitter.
That’s because, thanks to the use of DNS responders, attackers could punch well above their weight. “Because the attacker used a DNS amplification, the attacker only needed to control a botnet or cluster of servers to generate 750 Mbps — which is possible with a small-sized botnet or a handful of AWS [Amazon Web Services] instances,” said CloudFlare CEO Matthew Prince in a blog post. “Open DNS resolvers are the scourge of the Internet and these attacks will become more common and large until service providers take serious efforts to close them.”
