[dns-operations] Too Open (Was: OpenDNS makes your Internet work better
Roy Arends
roy at dnss.ec
Tue Jul 11 16:33:31 UTC 2006
On Jul 10, 2006, at 11:15 PM, David Ulevitch wrote:
> On Jul 10, 2006, at 1:59 PM, Stephane Bortzmeyer wrote:
>
>> On Mon, Jul 10, 2006 at 01:53:58PM -0700,
>> Rick Wesson <wessorh at ar.com> wrote
>> a message of 36 lines which said:
>>
>>> The ORNs discussed in the papers you reference below are for the
>>> most part ones that are open but not managed as open, i.e. their
>>> managers think that they are closed but in fact are not. These [in
>>> mass] do pose a threat.
>>>
>>> OpenDNS is supposed to be open, it's in their name. The ORNs are not
>>> supposed to be open but they are.
>>
>> Correct, but what does it change in practice? OpenDNS knows that
>> it is open, but how does it make it less vulnerable?
>>
>> Do they implement rate-limiting, for instance?
>
> I actually thought Rick's answer was pretty much perfect. But I'll
> add some comments now:
>
> There's a lot you can do when you are running an anycasted recursive
> nameserver to detect things happening in flash-mob style and in the
> wild.
> Please think about this idea for a while before responding.
ORNs can be abused to victimize _others_. It is trivial to send
requests to an Open Recursive Nameserver like OpenDNS, with a source
address of some victim.
Imagine a recruited army of 50K clients, sending requests to a list
of ORNs at a rate of 10K requests per client, all with the same
spoofed source address asking for large responses (say the root NS
set). This will cause a steady stream of 250K traffic to a victim in
a worst case scenario. This is not theory. This has caused and is
causing major incidents.
Roy
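The pattern Roy describes (many queries from one spoofed source, all asking for a large answer such as the root NS set) is visible to the resolver operator only as a burst from the would-be victim's address. The following is an added example, not code from the thread or from OpenDNS: it flags such bursts in a constructed resolver query log and shows the per-source rate limit Stephane asks about; the log format, the large-answer set and all thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Constructed resolver query log: '<epoch> <client_ip> <qname> <qtype>'.
# 198.51.100.7 plays the spoofed victim address from the post (150 requests
# for the root NS set within a few seconds); 192.0.2.10 is an ordinary client.
SAMPLE_LOG = (
    [f"{1152634800 + i // 20} 198.51.100.7 . NS" for i in range(150)]
    + [f"{1152634800 + i} 192.0.2.10 www.example.com A" for i in range(20)]
    + ["1152634805 192.0.2.10 . NS"]
)

# Queries whose answers are far larger than the query. The set and the
# thresholds are assumptions chosen for this example, not figures from the
# post or from any resolver's configuration.
LARGE_ANSWER = {(".", "NS"), (".", "ANY")}
RATE_THRESHOLD = 100   # queries per source per window
WINDOW = 10            # seconds
LARGE_FRACTION = 0.8   # share of large-answer queries that makes a burst suspect


def parse_line(line):
    ts, ip, qname, qtype = line.split()
    return int(ts), ip, qname.lower(), qtype.upper()


def flag_amplification_sources(lines, rate=RATE_THRESHOLD, window=WINDOW,
                               large_fraction=LARGE_FRACTION):
    """Return {source_ip: (total, large)} for the busiest window of each source
    that exceeds the rate and is dominated by large-answer queries. The resolver
    only sees the spoofed source, so the flagged IP is the likely victim."""
    totals, large = defaultdict(int), defaultdict(int)
    for ts, ip, qname, qtype in map(parse_line, lines):
        key = (ip, ts // window)
        totals[key] += 1
        if (qname, qtype) in LARGE_ANSWER:
            large[key] += 1
    flagged = {}
    for key, total in totals.items():
        ip = key[0]
        if total >= rate and large[key] / total >= large_fraction:
            if total > flagged.get(ip, (0, 0))[0]:
                flagged[ip] = (total, large[key])
    return flagged


def within_limit(ip, ts, counters, limit=RATE_THRESHOLD, window=WINDOW):
    """Fixed-window per-source limiter a resolver could apply: True means answer,
    False means drop. It caps the answers a spoofed source can draw to `limit`
    per window, bounding what the resolver reflects towards the victim."""
    key = (ip, ts // window)
    counters[key] = counters.get(key, 0) + 1
    return counters[key] <= limit
```

On the constructed log, the spoofed address is the only source flagged, and the limiter drops 50 of its 150 queries while leaving the ordinary client untouched.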