Importance of DNS server management from the perspective of large-scale DDoS attacks

In March of this year (2013), a large-scale DDoS attack targeted the Spamhaus Project, an anti-spam organization, and CloudFlare, the US company that was supporting it. Countermeasures against this attack were reported in the "DNS DAY" program of "Internet Week 2013", held in Akihabara, Tokyo, so here we explain the attack method used and the countermeasures against it once more.

Large-scale DDoS attack with "peak traffic over 300 Gbps"

"DDoS" is an abbreviation of Distributed Denial of Service: an attack that places an excessive load on the target's servers or network from many places (devices) at once, driving it into a state where it can no longer operate. DDoS attacks have been carried out many times, but their scale (traffic volume) is usually several hundred Mbps to several tens of Gbps, and rarely exceeds 100 Gbps.

This attack, by contrast, was extremely large: its peak exceeded 300 Gbps, and communication failures were confirmed in some areas. Moreover, because DNS was what made the attack so large, it has come to be regarded as a serious problem among Internet operators.

The attack starts by sending queries, with the source address forged to be the IP address of the target, to caching DNS servers known as "open resolvers". An open resolver that receives such a spoofed query treats it as a legitimate query, performs name resolution, and returns the result to the spoofed IP address, that is, to the target.

There are countless open resolvers around the world that can be exploited in this way, and sending them spoofed queries causes a large number of DNS responses to be directed at the target. Because of the characteristic of DNS that "the response is larger (amplified) than the query", and because so many open resolvers are available for abuse, a very large-scale DDoS attack became possible. This attack method is called a "DNS amplification attack" or a "DNS reflector attack".
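To make the two ingredients above concrete (a tiny spoofable query, and a reply many times larger sent to whoever the source address says), here is an added example in Python. It is not code from the article, JPRS or JPCERT/CC. It builds the query an attacker would send to an open resolver (recursion desired, an EDNS0 buffer of 4096 bytes advertised so the reply is not capped at 512 bytes), parses the reply header, applies the same test an open-resolver check applies (RA set, NOERROR, answers present for a name the server is not authoritative for), and computes the amplification factor. The reply is constructed inside the file so that everything runs offline; its fifteen 200-byte TXT records are filler, and `example.jp`, the sizes and the query ID are assumptions. `probe_resolver` is the live version of the check and should only be pointed at resolvers you operate.

```python
"""Wire-level view of a DNS reflection query and its amplified reply.

Added example; not code from the article, JPRS or JPCERT/CC. The reply is
CONSTRUCTED in this file so the example runs offline; its TXT records are
filler, not real data.
"""
import socket
import struct

QTYPES = {"A": 1, "TXT": 16, "ANY": 255}
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
RCODE_REFUSED = 5
OPT_RR_LEN = 11  # root name (1) + type/class/ttl/rdlen (10), empty rdata


def encode_name(name):
    """'example.jp' -> b'\\x07example\\x02jp\\x00' (uncompressed labels)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype="ANY", qid=0x1234, edns_size=4096):
    """Header + one question + one EDNS0 OPT record.
    The OPT record is what makes big replies possible: without it a UDP
    answer is capped at 512 bytes, with it the resolver may send edns_size."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return header + question + opt


def parse_header(data):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid,
            "is_response": bool(flags & FLAG_QR),
            "recursion_available": bool(flags & FLAG_RA),
            "truncated": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F,
            "answers": an}


def amplification_factor(query, response):
    """Bytes sent to the victim per byte the attacker had to send."""
    return len(response) / len(query)


def is_open_resolver(query, response):
    """The test an open-resolver scanner applies: a server that answers a
    recursive query for a name it is not authoritative for with RA set,
    NOERROR and at least one answer is recursing for arbitrary clients."""
    q, r = parse_header(query), parse_header(response)
    return (r["id"] == q["id"] and r["is_response"]
            and r["recursion_available"] and r["rcode"] == 0
            and r["answers"] > 0)


def constructed_response(query, n_txt=15, txt_len=200, refused=False):
    """CONSTRUCTED reply standing in for what a resolver would send back.
    refused=False models an open resolver: question echoed, n_txt TXT records
    (owner name compressed to a pointer at offset 12, one txt_len-byte string).
    refused=True models a properly restricted resolver: REFUSED, no data."""
    qid = parse_header(query)["id"]
    question = query[12:len(query) - OPT_RR_LEN]
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    if refused:
        header = struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 1)
        return header + question + opt
    header = struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RD | FLAG_RA, 1, n_txt, 0, 1)
    rdata = bytes([txt_len]) + b"x" * txt_len
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    return header + question + rr * n_txt + opt


def probe_resolver(server, qname="example.jp", qtype="ANY", timeout=2.0):
    """Live version of the check: one UDP query to `server` (network I/O;
    run it only against resolvers you operate). Returns None on timeout."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            response, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return {"open": is_open_resolver(query, response),
            "amplification": round(amplification_factor(query, response), 1),
            **parse_header(response)}


if __name__ == "__main__":
    q = build_query("example.jp", "ANY")
    r = constructed_response(q)
    print(len(q), "byte query ->", len(r), "byte reply,",
          f"x{amplification_factor(q, r):.1f}, open={is_open_resolver(q, r)}")
```

With the constructed reply, a 39-byte query produces a 3234-byte answer, an amplification of roughly 83 times, and the query's 39 bytes are the only cost the attacker pays. The same function applied to the REFUSED reply of a restricted resolver gives a factor of 1.0: the server still answers, but with nothing worth reflecting.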

Conceptual diagram of this attack (quoted from the lecture material of JPRS Morishita at the IPSJ IOT Study Group)

Efforts to eradicate open resolvers

So what is the "open resolver" that was abused in this attack and helped to increase its scale?

Given how DNS works, it should be clear to whom each caching DNS server needs to provide service. An ISP, for example, only needs to provide caching DNS service to customers with a service contract, and a company only to its own employees. In reality, however, there are many caching DNS servers on the Internet that accept queries from anywhere. These are called "open resolvers".


Internet operators are taking various measures against open resolvers, which contributed to a large-scale attack and whose harmfulness can no longer be ignored. Ideally, networks would introduce "source address validation (ingress filtering)"*, which detects and discards the attacker's spoofed-source packets, but this has little effect unless it is applied on networks around the world, and at present deployment is not progressing.
* The mechanism defined in RFC 2827 (BCP 38). As the name says, ingress filtering discards packets with spoofed source addresses as they enter your network.

Therefore, in parallel, measures are being taken at each DNS server. "Eliminating open resolvers" is one of them: the operator of a caching DNS server defines the range of clients it should serve and restricts access from other networks.

In theory this is easy, but in practice adding access restrictions turns out not to be so simple. There are cases such as "outside users depending on a caching DNS server that was never officially offered to them" or "a former customer who moved to another company's service but never changed their DNS settings". It is difficult to contact people who use the server from outside without realizing it, or who are no longer customers, and even when they can be contacted, there are cases where they complain that "the Internet has stopped working".

Even so, of course, problematic open resolvers cannot be left alone. Even major ISPs, which could not easily eliminate open resolvers for the reasons above, are gradually embarking on the "eradication of open resolvers".

Changes in the number of open resolvers worldwide (left) and in Japan (right) (quoted from JPCERT/CC's "Open Resolver Confirmation Site")

JPCERT/CC has published an "Open Resolver Confirmation Site" and is calling on users to check whether the PC they are using is set to use an open resolver, and whether the device at their Internet connection point (broadband router, etc.) is configured as an open resolver. Take this opportunity to check again and review your settings.

▼ Open Resolver Confirmation Site (JPCERT/CC)
▼ Overview of and Countermeasures for DNS Reflector Attacks Using Open Resolvers: You Are the Perpetrator Without Knowing It (JPRS Morishita's lecture material, PDF)
▼ Alert regarding open resolvers (JPNIC)

Measures with authoritative DNS server and JP DNS

What we have seen so far are measures for caching DNS servers. However, in a DNS amplification (reflector) attack, not only caching DNS servers but also authoritative DNS servers can be abused. Countermeasures are therefore needed on authoritative DNS servers too, but the big problem here is that an authoritative DNS server cannot be restricted to specific sources: it must accept queries from anywhere on the Internet.

For this reason, a technology called "DNS RRL (Response Rate Limiting)" that can be applied to authoritative DNS servers has been developed. Roughly speaking, it "limits the number and size of high-frequency DNS responses that can be regarded as the same". It does not completely prevent DNS amplification attacks, but it reduces the server's usefulness as a stepping stone and reduces the scale of attacks. In Japan, Japan Registry Services (JPRS), which manages and operates JP domain names, has introduced it on JP DNS, so it can be said that countermeasures on the authoritative DNS side are steadily progressing.
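The sentence "limits the number and size of high-frequency DNS responses that can be regarded as the same" hides two separate mechanisms, so here is an added Python model of them. It is not JPRS's deployment nor BIND's implementation, and it simplifies the accounting to a fixed one-second window instead of BIND's credit/debt scheme. Responses that look the same (same client /24, same name, same type, same outcome) share one counter; beyond the per-second limit the server drops most of them ("number") and for every slip-th one sends a tiny truncated (TC) reply instead of the full answer ("size"), so a genuine client can retry over TCP while the spoofed victim stops receiving large packets. The traffic is constructed: 1000 spoofed ANY queries "from" the victim 192.0.2.10 plus three A queries from a legitimate client 198.51.100.7, and the 3000-byte full answer and 40-byte TC reply are assumed sizes.

```python
"""Simplified model of DNS Response Rate Limiting (RRL).

Added example; not JPRS's deployment nor BIND's implementation. Uses a fixed
one-second window rather than BIND's credit/debt accounting. The traffic in
constructed_traffic() is CONSTRUCTED for illustration.
"""
from collections import defaultdict
from ipaddress import ip_network

FULL, SLIP, DROP = "full", "slip", "drop"


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, window=1.0, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip              # 0 disables slipping: drop everything over the limit
        self.window = window          # seconds; counters reset when it expires
        self.prefix_len = prefix_len  # spoofed sources are counted per /24, not per host
        self.buckets = defaultdict(lambda: {"start": None, "sent": 0, "limited": 0})

    def key(self, client_ip, qname, qtype, rcode):
        """Responses with the same key are 'regarded as the same'."""
        net = ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower(), qtype, rcode)

    def decide(self, now, client_ip, qname, qtype, rcode=0):
        """Return FULL (send the whole answer), SLIP (send a short TC reply)
        or DROP (send nothing)."""
        b = self.buckets[self.key(client_ip, qname, qtype, rcode)]
        if b["start"] is None or now - b["start"] >= self.window:
            b.update(start=now, sent=0, limited=0)
        if b["sent"] < self.rps:
            b["sent"] += 1
            return FULL
        b["limited"] += 1
        if self.slip and b["limited"] % self.slip == 0:
            return SLIP
        return DROP


def simulate(limiter, queries, full_size=3000, slip_size=40):
    """queries: iterable of (time, client_ip, qname, qtype).
    Returns the decision counts and the bytes the server would emit
    with RRL and without it (assumed answer sizes)."""
    counts = {FULL: 0, SLIP: 0, DROP: 0}
    with_rrl = 0
    for t, ip, name, qtype in queries:
        d = limiter.decide(t, ip, name, qtype)
        counts[d] += 1
        with_rrl += {FULL: full_size, SLIP: slip_size, DROP: 0}[d]
    return counts, with_rrl, len(queries) * full_size


def constructed_traffic():
    """CONSTRUCTED: a 1000-query/second spoofed burst plus a real client."""
    attack = [(i / 1000.0, "192.0.2.10", "example.jp", "ANY") for i in range(1000)]
    legit = [(0.1 * k, "198.51.100.7", "example.jp", "A") for k in (1, 2, 3)]
    return attack + legit


def run_demo():
    return simulate(ResponseRateLimiter(), constructed_traffic())


if __name__ == "__main__":
    counts, with_rrl, without_rrl = run_demo()
    print(counts, f"bytes to clients: {with_rrl} with RRL vs {without_rrl} without")
```

With these settings the victim receives 5 full answers and 497 40-byte TC replies instead of 1000 full answers, while the legitimate client's three queries are all answered in full; the bytes leaving the server drop from about 3 MB to about 44 KB for the same second of traffic. The slip replies are what keeps RRL from becoming a denial of service against real clients whose address happens to be spoofed: a resolver that gets TC retries over TCP, which the attacker cannot spoof.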

What we would like to ask of network administrators

Stable operation of DNS is important for stable operation of the Internet. If DNS cannot provide its service correctly, it becomes impossible to connect to the correct host or to deliver mail to the correct destination.

At the same time, DNS is a distributed database, and it cannot work without the cooperation not only of service providers such as ISPs and hosting companies but also of a wide range of network administrators, including those at companies and universities. Stable DNS operation is achieved only when the DNS clients on the user side, the caching DNS servers that perform name resolution, and the authoritative DNS servers that hold each domain name's information all operate smoothly.

In managing and operating DNS servers, three points have now become essential: "separating caching DNS servers from authoritative DNS servers", "limiting the range of clients a caching DNS server serves", and "disabling the caching (recursive) function on authoritative DNS servers". On top of that, if you need to publish large records that can be used for attacks, such as SPF, DKIM and DNSSEC, please also consider introducing DNS RRL on your authoritative DNS servers. The "JPRS Topics & Columns" article published by JPRS summarizes the importance of these measures in an easy-to-understand way.
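The three points above, together with the access restriction described under "Efforts to eradicate open resolvers", map onto a few lines of BIND 9 configuration. The two fragments below are an added example, not configuration from JPRS or from the article; each is a separate named.conf for a separate host, the network prefixes are documentation ranges standing in for your own, and the `rate-limit` block needs a BIND build that includes RRL (available from 9.9.4, compiled in by default from 9.10).

```conf
// --- named.conf on the CACHING (recursive) server --------------------
// Serve only the networks you are responsible for. Everyone else gets
// REFUSED, so the server can no longer be used as a reflector.
acl "our-networks" { 192.0.2.0/24; 2001:db8::/32; localhost; localnets; };

options {
    recursion yes;
    allow-query       { our-networks; };
    allow-recursion   { our-networks; };
    allow-query-cache { our-networks; };
};

// --- named.conf on the AUTHORITATIVE server (a different host) --------
// It has to answer the whole Internet, so it cannot use an ACL; instead
// it refuses to recurse and rate-limits responses that look the same.
options {
    recursion no;              // no caching function on the authoritative server
    allow-query    { any; };
    allow-transfer { none; };  // zone transfers only to listed secondaries
    rate-limit {
        responses-per-second 5;   // identical answers per client /24 per second
        nxdomains-per-second 5;
        errors-per-second    5;
        slip   2;                 // every 2nd limited reply becomes a short TC reply
        window 5;                 // seconds of credit a quiet client may accumulate
        log-only no;              // set "yes" first to observe before enforcing
    };
};

zone "example.jp" { type master; file "example.jp.zone"; };
```

After editing, `named-checkconf` catches syntax errors, and a query from an address outside `our-networks` (for example `dig @<caching-server> www.example.com A`) should come back `status: REFUSED`; that is the same condition the open-resolver confirmation sites test for. Starting the authoritative server with `log-only yes` for a few days shows what RRL would have limited before it actually drops anything.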

▼ Basics for improving the security and stability of DNS: Is your DNS server okay? (JPRS, PDF)

The Internet has become an integral part of our daily lives. We ask for the wide cooperation of network administrators in keeping it stable.