[dns-operations] Too Open (Was: OpenDNS makes your Internet work better
Roy Arends
roy at dnss.ec
Tue Jul 11 16:36:53 UTC 2006
On Mon, 10 Jul 2006, David Ulevitch wrote:
> On Jul 10, 2006, at 1:59 PM, Stephane Bortzmeyer wrote:
>
>> On Mon, Jul 10, 2006 at 01:53:58PM -0700,
>> Rick Wesson <wessorh at ar.com> wrote
>> a message of 36 lines which said:
>>
>>> The ORNs discussed in the papers you reference below are for the
>>> most part ones that are open but not managed as open, i.e. their
>>> managers think that they are closed but in fact are not. These [in
>>> mass] do pose a threat.
>>>
>>> OpenDNS is supposed to be open, it's in their name. The ORNs are not
>>> supposed to be open but they are.
>>
>> Correct, but what does it change in practice? OpenDNS knows that
>> it is open, but how does it make it less vulnerable?
>>
>> Do they implement rate-limiting, for instance?
>
> I actually thought Rick's answer was pretty much perfect. But I'll
> add some comments now:
>
> There's a lot you can do when you are running an anycasted recursive
> nameserver to detect things happening in flash-mob style and in the
> wild.
> Please think about this idea for a while before responding.
ORNs can be abused to victimize _others_. It is trivial to send requests
to an Open Recursive Nameserver like OpenDNS, with a source address of
some victim.
Imagine a recruited army of 50K clients, sending requests to a list of
ORNs at a rate of 10K requests per client, all with the same spoofed
source address asking for large responses (say the root NS set). This will
cause a steady stream of 250K traffic to a victim. This is not theory.
This caused major incidents.
Roy
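Stephane asks whether an open resolver rate-limits, and Roy's message describes why that matters: a flood of queries carrying a spoofed source address turns the resolver into an amplifier aimed at whoever owns that address. The following is an added example, not code from this thread, from OpenDNS or from any DNS server; it is a self-contained model of per-source response rate limiting in the spirit of the RRL mechanism later added to DNS servers. A resolver that caps how many responses per second it will send toward any one source network, and answers the overflow with a truncated (TC-bit) reply only every few queries, keeps serving a real stub resolver (which can retry over TCP) while cutting the reflected traffic toward a spoofed victim by more than an order of magnitude. The sizes, addresses, rates and query stream are all constructed for illustration.

```python
"""Per-source response rate limiting (RRL-style) for an open recursive resolver.

Added example, not code from the dns-operations thread, from OpenDNS or from
any DNS server. All sizes, addresses and traffic below are constructed.
"""
import ipaddress
from collections import defaultdict

QUERY_BYTES = 40               # constructed: a UDP query for the root NS set
ROOT_NS_RESPONSE_BYTES = 500   # constructed: answer carrying the root NS set
TRUNCATED_RESPONSE_BYTES = 40  # header + question only, TC bit set


def source_bucket(src_ip: str) -> str:
    """Key the limiter on the network a response is going to (/24 for v4,
    /56 for v6), since a spoofed flood often varies only the low bits."""
    addr = ipaddress.ip_address(src_ip)
    prefix = 24 if addr.version == 4 else 56
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class ResponseRateLimiter:
    """Token bucket per source network, in integer milli-tokens so the
    simulation is exact: `rate` responses per second, burst of `burst`.
    Over-limit queries are dropped, except every `slip`-th one, which gets
    a truncated reply so a legitimate client can fall back to TCP."""

    def __init__(self, rate: int = 5, burst: int = 10, slip: int = 2):
        self.rate = rate            # responses/s == milli-tokens per ms
        self.burst_mt = burst * 1000
        self.slip = slip
        self.tokens_mt = {}
        self.last_ms = {}
        self.over_limit = defaultdict(int)

    def decide(self, src_ip: str, now_ms: int) -> str:
        key = source_bucket(src_ip)
        tokens = self.tokens_mt.get(key, self.burst_mt)
        elapsed = now_ms - self.last_ms.get(key, now_ms)
        tokens = min(self.burst_mt, tokens + elapsed * self.rate)
        self.last_ms[key] = now_ms
        if tokens >= 1000:                      # one whole response token
            self.tokens_mt[key] = tokens - 1000
            return "answer"
        self.tokens_mt[key] = tokens
        self.over_limit[key] += 1
        if self.slip and self.over_limit[key] % self.slip == 0:
            return "truncate"
        return "drop"


def simulate(queries, limiter=None):
    """Run (time_ms, src_ip) queries through the resolver; return bytes that
    would go toward each source without RRL, with RRL, and decision counts."""
    limiter = limiter or ResponseRateLimiter()
    bytes_without = defaultdict(int)
    bytes_with = defaultdict(int)
    decisions = defaultdict(lambda: defaultdict(int))
    for t_ms, src in queries:
        bytes_without[src] += ROOT_NS_RESPONSE_BYTES
        d = limiter.decide(src, t_ms)
        decisions[src][d] += 1
        if d == "answer":
            bytes_with[src] += ROOT_NS_RESPONSE_BYTES
        elif d == "truncate":
            bytes_with[src] += TRUNCATED_RESPONSE_BYTES
    return bytes_without, bytes_with, decisions


def sample_queries():
    """Constructed traffic: one legitimate stub resolver (198.51.100.7)
    asking twice a second for ten seconds, plus 1000 queries within one
    second whose source field is a spoofed victim address (192.0.2.10)."""
    legit = [(i * 500, "198.51.100.7") for i in range(20)]
    flood = [(i, "192.0.2.10") for i in range(1000)]
    return sorted(legit + flood)


def amplification_factor(query_bytes=QUERY_BYTES,
                         response_bytes=ROOT_NS_RESPONSE_BYTES) -> float:
    """Response bytes sent toward the spoofed address per query byte received."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    without, with_rrl, decisions = simulate(sample_queries())
    print(f"amplification per query: x{amplification_factor()}")
    for src in sorted(without):
        print(f"{src}: {without[src]} B -> {with_rrl[src]} B  {dict(decisions[src])}")
```

Under these constructed parameters the legitimate client gets every one of its 20 answers, while the spoofed source receives 14 full answers plus 493 truncated replies instead of 1000 full answers, roughly 27 KB toward the victim instead of 500 KB. The limiter keys on the destination of the *response* rather than trying to tell spoofed queries from real ones, which is the point: the resolver cannot authenticate a UDP source address, but it can bound how much it will ever send toward any one of them.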