Spamhaus attacks expose huge open DNS server dangers

Warnings of security problems posed by poorly configured DNS servers go mostly unheeded for years

By , Computerworld |  Security

Massive distributed denial of service attacks on Spamhaus this week focused widespread attention on the huge security threats posed by millions of poorly configured Internet Domain Name System (DNS) servers.

The attacks on Spamhaus that began March 19 were apparently launched by a group opposed to the Geneva, Switzerland-based volunteer organization's antispam work.

Several security firms described the attacks on the organization as the largest -- by far -- ever publicly known DDoS attacks to date.

In DDoS attacks, hackers typically try to take down a network by directing huge volumes of useless traffic to it. The traffic is usually generated using large botnets of compromised computers.

Large DDoS attacks have typically tended to involve between 4 gigabits per second to 10 Gbps of traffic.

The Spamhaus attacks involved traffic volumes that reached a staggering 300 Gbps -- said to be three times larger than the largest DDoS traffic seen to date and magnitudes greater than the traffic involved in a majority of past denial of service attacks.

The perpetrators behind the attack employed the well known, but infrequently used method DNS reflection to generate the huge stream of DDoS traffic directed against Spamhaus.

DNS servers are used primarily to look up and resolve domain names such as and to their corresponding IP addresses. If a DNS server does not have the domain information in its database or cache. it queries other nearby DNS servers for the information.

Ideally, DNS servers should be configured only to handle look up requests coming from within a specific domain or IP address range. So a DNS server belonging to an ISP should handle only requests coming from within the its IP address range.

In reality however, millions of DNS servers are configured by default to be open DNS resolvers that accept and respond to queries from outside their own domain, making them vulnerable to exploitation by attackers because virtually anyone on the Internet can use an open DNS server to handle genuine or malicious queries.

For instance, to generate DDoS traffic, the attackers behind the Spamhaus attack sent queries with a spoofed source address to tens of thousands of open DNS resolvers, said Matthew Prince, CEO of CloudFlare, which has been helping Spamhaus deal with the recent attacks.

The lookup requests were made to appear as if they came from Spamhaus. So the responses to the requests from the tens of thousands of open DNS resolvers were sent to Spamhaus, generating a huge volume of traffic.

Originally published on Computerworld |  Click here to read the original story.
Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question