The Shadowserver Foundation is compiling a list of recursive DNS servers in a bid to reduce the risk of large distributed denial of service attacks.
DNS amplification was behind the series of distributed denial of service attacks billed by the popular press as the world's biggest cyber attack.
Those attacks saw some 300Gbps of data sent by a coalition of bulletproof hosters against anti-spam outfit Spamhaus, an outfit which maintained a blacklist of hosting providers affiliated with cybercrime.
One of those fingered as a key player in the attacks described the power of the attacks to members of cybercrime forum Darkode.
“DNS amplification attacks can bring up to 140 Gbps to a single resource from a single controller,” user Off-sho.re wrote a day ahead of the Spamhaus attacks, as reported by infosec reporter Brian Krebs.
“The beauty of it [is] that the ‘bots’ are just open DNS resolvers in the world.”
The attacks have existed for years and work by overloading servers with Domain Name Server response traffic. Specifically, attackers send a DNS name lookup request to an open recursive DNS server and spoof the source address so that record responses were served to a target victim.
These responses were bigger than the requests, which gave rise to the amplification effect. The power is further enhanced when botnets were used to conduct mass DNS queries.
Meanwhile, network operators have little recourse to block the attacks other than to have spoofed requests blocked upstream.
Shadowserver, a non-profit cybercrime intelligence group composed of whitehat security professionals, says the open servers should be locked down.
So far, the group's search for public recursive DNS servers through the open resolver scanning project found that as of 9 May about 9.9 million of 13.7 million responding servers were available to amplification attacks.
The countries playing host to the most offending servers were China, the US, and Taiwan.
The group explained it was "querying all computers with routable IPv4 addresses -- not firewalled from the internet on port 53/udp -- with a request for the 'A' record of dnsscan.shadowserver.org, capturing the response from the DNS server and parsing the result".
The research was beneficial to security professionals and IT administrators, according to IPSec director of operations Ben Robson.
“The way they are approaching their scanning appears to be well thought out and well executed,” Robson said.
“By keeping the rate of testing down to a reasonable level they are able to assess the world’s domain name servers without placing too much demand on the target environments.”
But he warns that the lack of coordination between such research efforts -- and there were already several organisations that held lists on recursive servers -- could push administrators to block the traffic in turn affecting results.
Robson deliberately running recursive servers, ignorant of the fact that they were or of the risks it posed, or simply uninterested in switching the feature off.
Many administrators could already be aware of the problem caused by recursive servers. A problem, according to Sense of Security chief technical officer Jason Edelstein, was that they gave remediation of the issue a lower priority than the need to address other vulnerabilities that have potential customer impact.
"We have found these in penetration tests we have done, but for admins it's not really a priority; if your server is used [in an attack] it does not really impact you," he said.
"It is such an old known issue, but then again do the administrators know they have vulnerable configs?"
But respected researcher and Rapid 7 chief security officer HD Moore said attackers would move onto new methods to launch DDoS if recursive servers were remediated.
"They'll move onto something else like SNMP for amplification if recursive servers are taken care of," he said speaking at the AusCERT conference on the Gold Coast today.
Shadowserver will incorporate the findings into its future reports to raise awareness.
