February 4, 2012
Waiting for The Big One

August 16 2010 by Cricket Liu (Infoblox)

Whenever seismic activity picks up somewhere in the world, our local press here in California like to point out that we’re overdue for The Big One.  They cite how frequently, on average, large earthquakes occur on the various faults that we cross on our daily commutes and note that it’s been many times that long since those faults have experienced a major tremor.  Then they cut to footage of the aftermath of the Northridge or Loma Prieta earthquake or the movie “2012” and remind you to stock up on canned food, drinking water and ammunition.  Sensationalist, sure, but relatively tame when compared with most of the fear mongering they use to try to boost ratings.

I’m waiting for The Big One to strike the Internet.

Over the past several years, we’ve seen some large Distributed Denial of Service attacks against Internet infrastructure, including DNS.  In fact, as recently as August 6th, the DNS hosting provider DNS Made Easy was hit with a DDoS attack that they estimated at “over 50 Gbps.”

It’s not difficult for an attacker to muster the resources necessary to generate that much traffic.  One way to mount a big DDoS attack is to use open recursive name servers as reflectors:  send one a tiny (less than 100 byte) query for the right RRset and it’ll reply with a DNS message of 4KB or so.  That’s 40x amplification.  (A plain UDP answer is capped at 512 bytes, so the query has to carry an EDNS0 OPT record advertising a large buffer size; that is what lets the whole 4KB come back in a single datagram.)  Spoof the source address of the query and you can send those responses wherever you like.  Or to whomever you don’t like.

So then the only trick is to assemble enough open recursive name servers to make your DDoS attack really lethal.  Lucky for you, they’re not hard to find.  In our latest DNS survey, The Measurement Factory found that roughly 80% of the estimated 12 million name servers on the Internet were open to recursion.  Say you find 10,000 of them, and can send each one 1000 spoofed queries per second.  Assuming the responses are close to 4KB, that’s 10 million responses per second, or 40 gigabytes per second: roughly 320 Gbps aimed at the spoofed address.

That’s enough bandwidth to swamp all but the largest carriers and infrastructure providers, and it’d be trivial for the big botnets to pull off.  The Storm botnet, one of the biggest, is conservatively thought to contain 160,000 infected computers.  Assuming modest 1 Mbps upstream ADSL connections, each one of those could send on the order of 1,250 100-byte queries per second (it is the bot’s upstream bandwidth that matters, since the responses go to the victim, not back to the bot).  You do the math: 160,000 bots at that rate, reflected through 4KB responses, works out to more than 6 Tbps.
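A worked model of the arithmetic above, as an added example that is not part of the original post. It builds a real wire-format DNS query (so the query size is measured rather than assumed), computes the amplification and aggregate bandwidth figures for the scenarios in the text, and shows the header check you would run on a resolver’s reply to tell whether it is open to recursion. The sample replies are constructed inline, nothing is sent on the network, and the function names, the 4096-byte EDNS0 buffer size and the per-bot uplink figure are assumptions for illustration.

```python
"""Added example (not from the original post): model the DNS reflection
attack described above and check a resolver's reply for open recursion.
Everything is constructed locally; no packets are sent."""
import struct

# DNS wire-format constants (RFC 1035 header flags, RFC 6891 OPT record)
QTYPE_ANY = 255
QCLASS_IN = 1
TYPE_OPT = 41
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: example.com -> \\x07example\\x03com\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(lb)) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, udp_size: int = 4096, txid: int = 0x1234) -> bytes:
    """Recursion-desired query carrying an EDNS0 OPT record.

    Without OPT the resolver must truncate UDP answers at 512 bytes; the
    advertised buffer size (4096 here, an assumed value) is what lets a
    4 KB answer come back in one datagram, so it is the attacker's lever."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # qd=1, ar=1 (the OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt


def amplification_factor(query_len: int, response_len: int) -> float:
    """Bytes delivered to the victim per byte the attacker sends."""
    return response_len / query_len


def reflected_bps(sources: int, qps_per_source: int, response_bytes: int) -> int:
    """Aggregate bits per second arriving at the spoofed victim address.

    Only the total query rate and response size matter; the number of
    reflectors just has to be large enough to absorb that query rate."""
    return sources * qps_per_source * response_bytes * 8


def bot_query_rate(uplink_bps: int, query_bytes: int) -> int:
    """Whole queries per second one bot can push through its uplink."""
    return uplink_bps // (query_bytes * 8)


def is_open_recursor_reply(response: bytes) -> bool:
    """Check a reply to a recursion-desired query for a name the server is
    not authoritative for: open recursion shows as QR and RA set, RCODE 0
    and at least one answer.  RA alone is not enough; some servers set RA
    and still refuse, so the answer count is part of the test."""
    if len(response) < 12:
        return False
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    return bool(flags & FLAG_QR) and bool(flags & FLAG_RA) and rcode == 0 and ancount > 0


# Constructed sample replies (headers only matter for the check).
# 0x8180 = QR,RD,RA set, RCODE 0, with one answer: an open recursor.
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) \
    + encode_name("example.com") + struct.pack("!HH", 1, QCLASS_IN) \
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, QCLASS_IN, 300, 4) + b"\xc0\x00\x02\x01"
# 0x8105 = QR,RD set, RA clear, RCODE 5 (REFUSED), no answer: recursion closed.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) \
    + encode_name("example.com") + struct.pack("!HH", 1, QCLASS_IN)


if __name__ == "__main__":
    q = build_query("example.com")
    print(f"query: {len(q)} bytes; amplification against a 4 KB reply: "
          f"{amplification_factor(len(q), 4096):.1f}x")
    print(f"10,000 resolvers x 1,000 q/s: {reflected_bps(10_000, 1_000, 4096) / 1e9:.0f} Gbps")
    per_bot = bot_query_rate(1_000_000, 100)   # assumed 1 Mbps uplink, 100-byte queries
    print(f"160,000 bots at {per_bot} q/s each: "
          f"{reflected_bps(160_000, per_bot, 4096) / 1e12:.1f} Tbps")
    print("open reply:", is_open_recursor_reply(OPEN_REPLY),
          "| refused reply:", is_open_recursor_reply(REFUSED_REPLY))
```

Run it and the figures line up with the text: a 100-byte query against a 4 KB answer is about 41x, the 10,000-resolver scenario lands near 328 Gbps, and a 1 Mbps uplink carries roughly 1,250 such queries a second. The measured query is only 40 bytes, so a real attacker gets more than 100x and can push over 3,000 queries a second through the same uplink.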

We have a few tools in our arsenal to combat DDoS attacks, but not as many as we need.  Anycast helps, because any one botnet-controlled computer (or the recursive server it bounces its queries off) can only “see” (and therefore attack) the single nearest node in an anycast group, so the flood is spread across the group instead of landing on one server.  Ingress filtering (BCP 38) would help, because it drops packets with spoofed source addresses at the edge before they ever reach a reflector, but too few ISPs do it.  Shrinking that 80% pool of open recursors helps too: every resolver that only recurses for its own customers is one reflector fewer.  There’s no surefire protection against DDoS, though.
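Restricting recursion on the resolver itself is the fix for the 80% figure above. The BIND named.conf fragments below are an added example, not from the original post, showing the weak setting beside the corrected one; the `trusted` ACL name and the address ranges in it are placeholders (documentation ranges), to be replaced with your own networks.

```conf
// Weak: recursion is offered to anyone who asks, so this server can be
// used as a reflector against a spoofed victim.
options {
    recursion yes;
    allow-recursion { any; };
};

// Corrected: recurse only for your own networks.  Restrict cache reads as
// well, because a cached answer is just as large as a freshly recursed one.
// "trusted" and the prefixes inside it are placeholders.
acl "trusted" { 127.0.0.0/8; 192.0.2.0/24; 2001:db8::/32; };
options {
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
```

To verify from outside, send the server a recursion-desired query for a name it is not authoritative for: a closed resolver answers REFUSED with the RA flag clear, while an open one returns the full answer with RA set.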

Which leaves us all vulnerable, and awaiting The Big One. 

Posted in DNS Security | DNS Survey | 2 comments

2 responses to “Waiting for The Big One”

  1. Larry A Wells Says:

    Hi Cricket, what is being done to shore up the 80% open to recursion? It does not look like companies and individuals are stepping up to secure their servers, so what can be done from an external position such as yourself? Can anything be done externally to prevent recursion?
  2. Cricket Liu (Infoblox) Says:

    Good question, Larry. The 80% result represented a huge spike over the previous year, so I asked The Measurement Factory for an explanation. Turns out there were concentrations of open recursors in netblocks owned by France Telecom and Telefonica (Spain's biggest carrier). Our theory is that those carriers deployed some customer premises equipment that includes an embedded name server--which is open to recursion. We'd meant to contact the carriers to investigate but never got around to it. Now that it's almost time to start the 2010 survey, we ought to do that!