SlideShare una empresa de Scribd logo

The curse of the open recursor

Tom Paseka
Tom Paseka
Tecnología
1 de 27
Tom Paseka The curse of the Open Recursor Network Engineer tom@cloudflare.com
Recursors Why? •  Exist to aggregate and cache queries •  Not every computer run its own recursive resolver. •  ISPs, Large Enterprises run these •  Query through the root servers and DNS tree to resolve domains •  Cache results •  Deliver cached results to clients. www.cloudflare.com 2
Recursors The Problem! •  Example of DNS Based reflection attack from a Peer in Hong Kong. www.cloudflare.com 3
Recursors Open / Unsecured Recursors ? •  DNS server set up for recursion •  ie. non-authoritative •  Will answer for zones it is not authoritative for •  Recursive lookups •  Will answer queries for anyone •  Some Public Services: 
 Google, OpenDNS, Level 3, etc. •  These are “special” set-ups and secured. www.cloudflare.com 4
Recursors Say Again? •  There are hundreds of thousands of DNS Recursors. •  Many of these are not secured. •  Non secured DNS Recursors can and will be abused •  CloudFlare has seen DNS reflection attacks hit 100Gbit traffic globally. www.cloudflare.com 5
What is a Reflection Attack?
Reflection Attack •  UDP Query •  Spoofed source •  Using the address of the person you want to attack •  DNS Server used to attack the victim (sourced address) •  Amplification used •  Querying domains like ripe.net or isc.org •  ~64 byte query (from attacker) •  ~3233 byte reply (from unsecured DNS Server) •  50x amplification! •  Running an unsecured DNS server helps attackers! www.cloudflare.com 7
Reflection Attack Attacker Attack Target ANY ANY ANY isc.org isc.org isc.org Large Large Large Large Large Large Reply Reply Reply Reply Reply Reply Unsecured DNS Unsecured DNS Recursors Recursors Large Large Large Reply Reply Reply Unsecured DNS www.cloudflare.com 8 Recursors
Reflection Attack •  With 50x amplification: •  1Gbit uplink from attacker (eg: Dedicated Servers) •  50Gbit attack •  Enough to bring most services offline! •  Prevention is the best remedy. •  In recent attacks, we’ve seen around 80,000 open/ unsecured DNS Resolvers being used. •  At just 1Mbit each, that’s 80Gbit! •  1mbit of traffic may not be noticed by most operators. •  80Gbit at target is easily noticed! www.cloudflare.com 9
Where are they coming from?
Where are the open Recursors? • Nearly Everywhere! •  CloudFlare has seen DNS Reflected attack traffic from: •  27 out of 56 Economies in APNIC Region •  More attacks from higher populated economies. www.cloudflare.com 11
Where are the open Recursors? www.cloudflare.com 12
Where are the open Recursors? www.cloudflare.com 13
Where are the open Recursors? www.cloudflare.com 14
Where are the open Recursors? www.cloudflare.com 15
Where are the open Recursors? www.cloudflare.com 16
Where are the open Recursors? www.cloudflare.com 17
Where are the open Recursors? Open Open Country   Country   Recursors   Recursors   Japan 4625 Bangladesh 103 China 3123 New Zealand 98 Taiwan 3074 Cambodia 13 South Korea 1410 Sri Lanka 7 India 1119 Nepal 7 Pakistan 1099 Mongolia 5 Australia 761 Laos 4 Thailand 656 Bhutan 2 Malaysia 529 New Caledonia 2 Hong Kong 435 Fiji 2 Indonesia 349 Maldives 2 Papua New Vietnam 342 Guinea 1 Philippines 151 Afghanistan 1 Singapore 118 www.cloudflare.com 18
Where are the open Recursors? Some Networks: Open Country ASN Network Name Recursors TW 3462 HINET Data Communication Business Group 2416 CN 9394 CRNET CHINA RAILWAY Internet(CRNET) 1052 JP 4713 OCN NTT Communications Corporation 1044 PK 45595 PKTELECOM-AS-PK Pakistan Telecom Company Limited 1030 CN 4134 CHINANET-BACKBONE No.31,Jin-rong Street 851 JP 2514 INFOSPHERE NTT PC Communications, Inc. 542 JP 17506 UCOM UCOM Corp. 378 www.cloudflare.com 19
Where are the open Recursors? •  Where are they running? Mostly on Servers.
 ~11,000 Servers profiled from Asia-Pac Networks. ~7,500 BIND ~1600 unknown / undetermined ~900 Microsoft DNS Server ~500 dnsmasq ~200 ZyWALL DNS (a consumer internet router)
 
 www.cloudflare.com 20
How to fix this?
Fixing this? Preventative Measures! •  BCP-38 •  Source Filtering. •  You shouldn’t be able to spoof addresses. •  Needs to be done in hosting and ISP environments. •  If the victim’s IP can’t be spoofed the attack will stop •  Will also help stop other attack types •  (eg: Spoofed Syn Flood). www.cloudflare.com 22
Fixing this? Preventative Measures! •  DNS Server Maintenance
 •  Secure the servers! •  Lock down recursion to your own IP addresses 
 •  Disable recursion •  If the servers only purpose is authoritative DNS, disable recursion •  Turn them off! •  Some Packages (eg, Plesk, cPanel) have included a recursive DNS server on by default. www.cloudflare.com 23
Fixing this? Consumer Internet Routers / Modems •  Update firmware. •  Some older firmware has security bugs •  Allows administration from WAN (including DNS, SNMP) •  Does the feature need to be on? •  Make sure its set up properly www.cloudflare.com 24
Fixing this? Information •  BCP-38: http://tools.ietf.org/html/bcp38
 •  BIND:
 http://www.team-cymru.org/Services/Resolvers/ instructions.html
 •  Microsoft: http://technet.microsoft.com/en-us/library/cc770432.aspx www.cloudflare.com 25
26 Questions?
27 Thank You

Recomendados

Spoofing and Denial of Service: A risk to the decentralized Internet
Spoofing and Denial of Service: A risk to the decentralized InternetSpoofing and Denial of Service: A risk to the decentralized Internet
Spoofing and Denial of Service: A risk to the decentralized InternetAPNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldTom Paseka
 
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gapCloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gapTom Paseka
 
Routing for an Anycast CDN
Routing for an Anycast CDNRouting for an Anycast CDN
Routing for an Anycast CDNTom Paseka
 
More specific announcments in BGP
More specific announcments in BGPMore specific announcments in BGP
More specific announcments in BGPAPNIC
 
Zombie DNS
Zombie DNSZombie DNS
Zombie DNSAPNIC
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNICAPNIC
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationTom Paseka
 

Recomendados

Spoofing and Denial of Service: A risk to the decentralized Internet
Spoofing and Denial of Service: A risk to the decentralized InternetSpoofing and Denial of Service: A risk to the decentralized Internet
Spoofing and Denial of Service: A risk to the decentralized InternetAPNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldTom Paseka
 
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gapCloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gapTom Paseka
 
Routing for an Anycast CDN
Routing for an Anycast CDNRouting for an Anycast CDN
Routing for an Anycast CDNTom Paseka
 
More specific announcments in BGP
More specific announcments in BGPMore specific announcments in BGP
More specific announcments in BGPAPNIC
 
Zombie DNS
Zombie DNSZombie DNS
Zombie DNSAPNIC
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNICAPNIC
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationTom Paseka
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeMyNOG
 
Welcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, MongoliaWelcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, MongoliaAPNIC
 
The Stakes Have Changed – The Changing Security Landscape by Tony Teo
The Stakes Have Changed – The Changing Security Landscape by Tony TeoThe Stakes Have Changed – The Changing Security Landscape by Tony Teo
The Stakes Have Changed – The Changing Security Landscape by Tony TeoMyNOG
 
Combating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaCombating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaMyNOG
 
Netflix CDN and Open Source
Netflix CDN and Open SourceNetflix CDN and Open Source
Netflix CDN and Open SourceGleb Smirnoff
 
IPv6 Deployment Architecture for Broadband Access Networks
IPv6 Deployment Architecture for Broadband Access NetworksIPv6 Deployment Architecture for Broadband Access Networks
IPv6 Deployment Architecture for Broadband Access NetworksAPNIC
 
Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...APNIC
 
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...PROIDEA
 
CDN_Netflix_analysis
CDN_Netflix_analysisCDN_Netflix_analysis
CDN_Netflix_analysisSanket Jain
 
Internet Noise (A Story About Two Little Subnets - Tom Paseka
Internet Noise (A Story About Two Little Subnets - Tom PasekaInternet Noise (A Story About Two Little Subnets - Tom Paseka
Internet Noise (A Story About Two Little Subnets - Tom PasekaMyNOG
 
Interconnection in Regional Markets
Interconnection in Regional MarketsInterconnection in Regional Markets
Interconnection in Regional MarketsTom Paseka
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec APNIC
 
Open Connect Appliances - Jocelyn Ooi
Open Connect Appliances - Jocelyn OoiOpen Connect Appliances - Jocelyn Ooi
Open Connect Appliances - Jocelyn OoiMyNOG
 
Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017APNIC
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina BargisenPLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina BargisenPROIDEA
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetAPNIC
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS OpennessAPNIC
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksMyNOG
 
set & logo
set & logoset & logo
set & logoMasoumeh Shokri
 
Impresa italia bari
Impresa italia bariImpresa italia bari
Impresa italia bariImpresa Italia
 

Más contenido relacionado

La actualidad más candente

DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeMyNOG
 
Welcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, MongoliaWelcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, MongoliaAPNIC
 
The Stakes Have Changed – The Changing Security Landscape by Tony Teo
The Stakes Have Changed – The Changing Security Landscape by Tony TeoThe Stakes Have Changed – The Changing Security Landscape by Tony Teo
The Stakes Have Changed – The Changing Security Landscape by Tony TeoMyNOG
 
Combating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaCombating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaMyNOG
 
Netflix CDN and Open Source
Netflix CDN and Open SourceNetflix CDN and Open Source
Netflix CDN and Open SourceGleb Smirnoff
 
IPv6 Deployment Architecture for Broadband Access Networks
IPv6 Deployment Architecture for Broadband Access NetworksIPv6 Deployment Architecture for Broadband Access Networks
IPv6 Deployment Architecture for Broadband Access NetworksAPNIC
 
Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...APNIC
 
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...PROIDEA
 
CDN_Netflix_analysis
CDN_Netflix_analysisCDN_Netflix_analysis
CDN_Netflix_analysisSanket Jain
 
Internet Noise (A Story About Two Little Subnets - Tom Paseka
Internet Noise (A Story About Two Little Subnets - Tom PasekaInternet Noise (A Story About Two Little Subnets - Tom Paseka
Internet Noise (A Story About Two Little Subnets - Tom PasekaMyNOG
 
Interconnection in Regional Markets
Interconnection in Regional MarketsInterconnection in Regional Markets
Interconnection in Regional MarketsTom Paseka
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec APNIC
 
Open Connect Appliances - Jocelyn Ooi
Open Connect Appliances - Jocelyn OoiOpen Connect Appliances - Jocelyn Ooi
Open Connect Appliances - Jocelyn OoiMyNOG
 
Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017APNIC
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina BargisenPLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina BargisenPROIDEA
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetAPNIC
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS OpennessAPNIC
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksMyNOG
 

La actualidad más candente (20)

DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
 
Welcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, MongoliaWelcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, Mongolia
 
The Stakes Have Changed – The Changing Security Landscape by Tony Teo
The Stakes Have Changed – The Changing Security Landscape by Tony TeoThe Stakes Have Changed – The Changing Security Landscape by Tony Teo
The Stakes Have Changed – The Changing Security Landscape by Tony Teo
 
Combating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaCombating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in Asia
 
Netflix CDN and Open Source
Netflix CDN and Open SourceNetflix CDN and Open Source
Netflix CDN and Open Source
 
IPv6 Deployment Architecture for Broadband Access Networks
IPv6 Deployment Architecture for Broadband Access NetworksIPv6 Deployment Architecture for Broadband Access Networks
IPv6 Deployment Architecture for Broadband Access Networks
 
Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...
 
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
 
CDN_Netflix_analysis
CDN_Netflix_analysisCDN_Netflix_analysis
CDN_Netflix_analysis
 
Internet Noise (A Story About Two Little Subnets - Tom Paseka
Internet Noise (A Story About Two Little Subnets - Tom PasekaInternet Noise (A Story About Two Little Subnets - Tom Paseka
Internet Noise (A Story About Two Little Subnets - Tom Paseka
 
Interconnection in Regional Markets
Interconnection in Regional MarketsInterconnection in Regional Markets
Interconnection in Regional Markets
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
Open Connect Appliances - Jocelyn Ooi
Open Connect Appliances - Jocelyn OoiOpen Connect Appliances - Jocelyn Ooi
Open Connect Appliances - Jocelyn Ooi
 
Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
 
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina BargisenPLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS Openness
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
 

Destacado

Global Health Symposium Poster
Global Health Symposium PosterGlobal Health Symposium Poster
Global Health Symposium PosterJanet Jansen
 
Searching services in cities of italy
Searching services in cities of italySearching services in cities of italy
Searching services in cities of italyImpresa Italia
 
AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...
AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...
AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...David Anaya Orellano
 
Proyecto de responsabilidad social vii
Proyecto de responsabilidad social viiProyecto de responsabilidad social vii
Proyecto de responsabilidad social viiRonny Larico
 
Holography & its applications
Holography & its applicationsHolography & its applications
Holography & its applicationsBisma Princezz
 

Destacado (8)

set & logo
set & logoset & logo
set & logo
 
Impresa italia bari
Impresa italia bariImpresa italia bari
Impresa italia bari
 
Global Health Symposium Poster
Global Health Symposium PosterGlobal Health Symposium Poster
Global Health Symposium Poster
 
Searching services in cities of italy
Searching services in cities of italySearching services in cities of italy
Searching services in cities of italy
 
AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...
AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...
AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...
 
Proyecto de responsabilidad social vii
Proyecto de responsabilidad social viiProyecto de responsabilidad social vii
Proyecto de responsabilidad social vii
 
Holography & its applications
Holography & its applicationsHolography & its applications
Holography & its applications
 
Importancia de una estrategia nacional de turismo por manuel figuerola
Importancia de una estrategia nacional de turismo por manuel figuerolaImportancia de una estrategia nacional de turismo por manuel figuerola
Importancia de una estrategia nacional de turismo por manuel figuerola
 

Similar a The curse of the open recursor

DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Responsepm123008
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolJisc
 
ExEC: Elastic Extensible Edge Cloud
ExEC: Elastic Extensible Edge Cloud ExEC: Elastic Extensible Edge Cloud
ExEC: Elastic Extensible Edge Cloud Nitinder Mohan
 
Integrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureIntegrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureHui Cheng
 
DNS Openness
DNS OpennessDNS Openness
DNS OpennessAPNIC
 
C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...
C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...
C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...DataStax Academy
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...JosephTesta9
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyCourtland Smith
 
FreeSWITCH as a Microservice
FreeSWITCH as a MicroserviceFreeSWITCH as a Microservice
FreeSWITCH as a MicroserviceEvan McGee
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECAPNIC
 
Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)Yen-Kuan Wu
 

Similar a The curse of the open recursor (20)

DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Response
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
 
ExEC: Elastic Extensible Edge Cloud
ExEC: Elastic Extensible Edge Cloud ExEC: Elastic Extensible Edge Cloud
ExEC: Elastic Extensible Edge Cloud
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 
Integrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureIntegrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing Infrastructure
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
 
C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...
C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...
C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform Technology
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
FreeSWITCH as a Microservice
FreeSWITCH as a MicroserviceFreeSWITCH as a Microservice
FreeSWITCH as a Microservice
 
Cdn cs6740
Cdn cs6740Cdn cs6740
Cdn cs6740
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)
 

Más de Tom Paseka

Peering Asia 2.0: Security in Peering
Peering Asia 2.0: Security in PeeringPeering Asia 2.0: Security in Peering
Peering Asia 2.0: Security in PeeringTom Paseka
 
The New Edge of the Network
The New Edge of the NetworkThe New Edge of the Network
The New Edge of the NetworkTom Paseka
 
HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?
HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?
HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?Tom Paseka
 
Detecting spoofing at IxP's
Detecting spoofing at IxP'sDetecting spoofing at IxP's
Detecting spoofing at IxP'sTom Paseka
 
Interconnection landscape in Asia - TPIX Peering Forum 2017
Interconnection landscape in Asia - TPIX Peering Forum 2017Interconnection landscape in Asia - TPIX Peering Forum 2017
Interconnection landscape in Asia - TPIX Peering Forum 2017Tom Paseka
 
DDoS And Spoofing, a risk to the decentralized internet
DDoS And Spoofing, a risk to the decentralized internetDDoS And Spoofing, a risk to the decentralized internet
DDoS And Spoofing, a risk to the decentralized internetTom Paseka
 
KINX Peering Forum - A Brief Overview of Regulation of Interconnection
KINX Peering Forum - A Brief Overview of Regulation of InterconnectionKINX Peering Forum - A Brief Overview of Regulation of Interconnection
KINX Peering Forum - A Brief Overview of Regulation of InterconnectionTom Paseka
 
BBIX Asia Internet
BBIX Asia InternetBBIX Asia Internet
BBIX Asia InternetTom Paseka
 
New Zealand and the world as a CDN
New Zealand and the world as a CDNNew Zealand and the world as a CDN
New Zealand and the world as a CDNTom Paseka
 
flowspec @ APF 2013
flowspec @ APF 2013flowspec @ APF 2013
flowspec @ APF 2013Tom Paseka
 
Unicast vs Anycast
Unicast vs AnycastUnicast vs Anycast
Unicast vs AnycastTom Paseka
 

Más de Tom Paseka (12)

Peering Asia 2.0: Security in Peering
Peering Asia 2.0: Security in PeeringPeering Asia 2.0: Security in Peering
Peering Asia 2.0: Security in Peering
 
The New Edge of the Network
The New Edge of the NetworkThe New Edge of the Network
The New Edge of the Network
 
HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?
HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?
HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?
 
Detecting spoofing at IxP's
Detecting spoofing at IxP'sDetecting spoofing at IxP's
Detecting spoofing at IxP's
 
Interconnection landscape in Asia - TPIX Peering Forum 2017
Interconnection landscape in Asia - TPIX Peering Forum 2017Interconnection landscape in Asia - TPIX Peering Forum 2017
Interconnection landscape in Asia - TPIX Peering Forum 2017
 
DDoS And Spoofing, a risk to the decentralized internet
DDoS And Spoofing, a risk to the decentralized internetDDoS And Spoofing, a risk to the decentralized internet
DDoS And Spoofing, a risk to the decentralized internet
 
KINX Peering Forum - A Brief Overview of Regulation of Interconnection
KINX Peering Forum - A Brief Overview of Regulation of InterconnectionKINX Peering Forum - A Brief Overview of Regulation of Interconnection
KINX Peering Forum - A Brief Overview of Regulation of Interconnection
 
BBIX Asia Internet
BBIX Asia InternetBBIX Asia Internet
BBIX Asia Internet
 
New Zealand and the world as a CDN
New Zealand and the world as a CDNNew Zealand and the world as a CDN
New Zealand and the world as a CDN
 
flowspec @ APF 2013
flowspec @ APF 2013flowspec @ APF 2013
flowspec @ APF 2013
 
nanog
nanognanog
nanog
 
Unicast vs Anycast
Unicast vs AnycastUnicast vs Anycast
Unicast vs Anycast
 

Último

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 

Último (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 

The curse of the open recursor

  • 1. Tom Paseka The curse of the Open Recursor Network Engineer tom@cloudflare.com
  • 2. Recursors Why? •  Exist to aggregate and cache queries •  Not every computer run its own recursive resolver. •  ISPs, Large Enterprises run these •  Query through the root servers and DNS tree to resolve domains •  Cache results •  Deliver cached results to clients. www.cloudflare.com 2
  • 3. Recursors The Problem! •  Example of DNS Based reflection attack from a Peer in Hong Kong. www.cloudflare.com 3
  • 4. Recursors Open / Unsecured Recursors ? •  DNS server set up for recursion •  ie. non-authoritative •  Will answer for zones it is not authoritative for •  Recursive lookups •  Will answer queries for anyone •  Some Public Services: 
 Google, OpenDNS, Level 3, etc. •  These are “special” set-ups and secured. www.cloudflare.com 4
  • 5. Recursors Say Again? •  There are hundreds of thousands of DNS Recursors. •  Many of these are not secured. •  Non secured DNS Recursors can and will be abused •  CloudFlare has seen DNS reflection attacks hit 100Gbit traffic globally. www.cloudflare.com 5
  • 6. What is a Reflection Attack?
  • 7. Reflection Attack •  UDP Query •  Spoofed source •  Using the address of the person you want to attack •  DNS Server used to attack the victim (sourced address) •  Amplification used •  Querying domains like ripe.net or isc.org •  ~64 byte query (from attacker) •  ~3233 byte reply (from unsecured DNS Server) •  50x amplification! •  Running an unsecured DNS server helps attackers! www.cloudflare.com 7
  • 8. Reflection Attack Attacker Attack Target ANY ANY ANY isc.org isc.org isc.org Large Large Large Large Large Large Reply Reply Reply Reply Reply Reply Unsecured DNS Unsecured DNS Recursors Recursors Large Large Large Reply Reply Reply Unsecured DNS www.cloudflare.com 8 Recursors
  • 9. Reflection Attack •  With 50x amplification: •  1Gbit uplink from attacker (eg: Dedicated Servers) •  50Gbit attack •  Enough to bring most services offline! •  Prevention is the best remedy. •  In recent attacks, we’ve seen around 80,000 open/ unsecured DNS Resolvers being used. •  At just 1Mbit each, that’s 80Gbit! •  1mbit of traffic may not be noticed by most operators. •  80Gbit at target is easily noticed! www.cloudflare.com 9
  • 10. Where are they coming from?
  • 11. Where are the open Recursors? • Nearly Everywhere! •  CloudFlare has seen DNS Reflected attack traffic from: •  27 out of 56 Economies in APNIC Region •  More attacks from higher populated economies. www.cloudflare.com 11
  • 12. Where are the open Recursors? www.cloudflare.com 12
  • 13. Where are the open Recursors? www.cloudflare.com 13
  • 14. Where are the open Recursors? www.cloudflare.com 14
  • 15. Where are the open Recursors? www.cloudflare.com 15
  • 16. Where are the open Recursors? www.cloudflare.com 16
  • 17. Where are the open Recursors? www.cloudflare.com 17
  • 18. Where are the open Recursors? Open Open Country   Country   Recursors   Recursors   Japan 4625 Bangladesh 103 China 3123 New Zealand 98 Taiwan 3074 Cambodia 13 South Korea 1410 Sri Lanka 7 India 1119 Nepal 7 Pakistan 1099 Mongolia 5 Australia 761 Laos 4 Thailand 656 Bhutan 2 Malaysia 529 New Caledonia 2 Hong Kong 435 Fiji 2 Indonesia 349 Maldives 2 Papua New Vietnam 342 Guinea 1 Philippines 151 Afghanistan 1 Singapore 118 www.cloudflare.com 18
  • 19. Where are the open Recursors? Some Networks: Open Country ASN Network Name Recursors TW 3462 HINET Data Communication Business Group 2416 CN 9394 CRNET CHINA RAILWAY Internet(CRNET) 1052 JP 4713 OCN NTT Communications Corporation 1044 PK 45595 PKTELECOM-AS-PK Pakistan Telecom Company Limited 1030 CN 4134 CHINANET-BACKBONE No.31,Jin-rong Street 851 JP 2514 INFOSPHERE NTT PC Communications, Inc. 542 JP 17506 UCOM UCOM Corp. 378 www.cloudflare.com 19
  • 20. Where are the open Recursors? •  Where are they running? Mostly on Servers.
 ~11,000 Servers profiled from Asia-Pac Networks. ~7,500 BIND ~1600 unknown / undetermined ~900 Microsoft DNS Server ~500 dnsmasq ~200 ZyWALL DNS (a consumer internet router)
 
 www.cloudflare.com 20
  • 21. How to fix this?
  • 22. Fixing this? Preventative Measures! •  BCP-38 •  Source Filtering. •  You shouldn’t be able to spoof addresses. •  Needs to be done in hosting and ISP environments. •  If the victim’s IP can’t be spoofed the attack will stop •  Will also help stop other attack types •  (eg: Spoofed Syn Flood). www.cloudflare.com 22
  • 23. Fixing this? Preventative Measures! •  DNS Server Maintenance
 •  Secure the servers! •  Lock down recursion to your own IP addresses 
 •  Disable recursion •  If the servers only purpose is authoritative DNS, disable recursion •  Turn them off! •  Some Packages (eg, Plesk, cPanel) have included a recursive DNS server on by default. www.cloudflare.com 23
  • 24. Fixing this? Consumer Internet Routers / Modems •  Update firmware. •  Some older firmware has security bugs •  Allows administration from WAN (including DNS, SNMP) •  Does the feature need to be on? •  Make sure its set up properly www.cloudflare.com 24
  • 25. Fixing this? Information •  BCP-38: http://tools.ietf.org/html/bcp38
 •  BIND:
 http://www.team-cymru.org/Services/Resolvers/ instructions.html
 •  Microsoft: http://technet.microsoft.com/en-us/library/cc770432.aspx www.cloudflare.com 25