JPCERT-AT-2013-0022
JPCERT/CC
2013-04-18
<<< JPCERT/CC Alert 2013-04-18 >>>
DDoS attacks using recursive DNS requests
http://www.jpcert.or.jp/english/at/2013/at130022.html
I. Overview
JPCERT/CC has received reports from overseas CSIRTs regarding DDoS
attacks leveraging DNS cache servers in Japan.
According to the attacks reported to JPCERT/CC, attackers are using
DNS cache servers (herein 'open resolvers') that allow recursive
requests to conduct DNS amplification attacks. Attackers send
recursive requests to the open resolver with the source IP address
spoofed as that of the target device, so that the resolver sends a
massive number of response packets, or response packets of large
size, to the target of the DDoS attack (e.g. a web site).
Open resolvers that accept recursive requests from external sources
may be exploited to participate in a DDoS attack. Network devices or
software products may also have an embedded DNS server that users are
not aware of and that may be used as an open resolver.
We recommend checking whether a DNS cache server is running on your
server or network device, and changing the configuration accordingly.
II. Products Affected
Products such as servers and network devices that accept recursive
DNS requests from external sources are affected.
- DNS cache servers
- Network devices with a DNS cache server running
Also, some software products may automatically install a DNS server,
which may run as an open resolver without the user knowing.
III. Solution
Check all cache servers under your administration that accept
recursive requests, and restrict access so that the effects of an
attack can be minimized. Also, it is recommended to check the
configuration of the DNS server to ensure that it is running as
intended.
For more details, please refer to the following:
JPRS
Countermeasures for DDoS attacks using DNS recursive requests (Japanese only)
http://jprs.jp/tech/notice/2006-03-29-dns-cache-server.html
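Added example (not part of the JPCERT/CC alert): a minimal Python check of whether a DNS server you administer answers recursive queries, by sending one query with the RD flag set and reading the RA flag and response code of the reply. The function names, the fixed transaction ID, the query name example.com and the result labels are assumptions of this example.

```python
import socket
import struct

RD = 0x0100  # "recursion desired" flag, set by the client in the query
RA = 0x0080  # "recursion available" flag, set by the server in the reply

def build_query(name, txid=0x1234):
    """Build an A/IN query for `name` with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify(reply, txid=0x1234):
    """Classify a raw DNS reply by its header flags."""
    if len(reply) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid or not flags & 0x8000:   # wrong ID or not a response
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:                          # REFUSED: access is restricted
        return "refused"
    if not flags & RA:                      # answered, but recursion not offered
        return "no-recursion"
    # RA with NOERROR (0) or NXDOMAIN (3): the server recursed for this client
    return "open" if rcode in (0, 3) else "inconclusive"

def check(server, name="example.com", timeout=3.0):
    """Send one recursive query to a server you administer and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            reply, _ = s.recvfrom(4096)
        except OSError:                     # timeout, unreachable, filtered
            return "no-response"
    return classify(reply)

if __name__ == "__main__":
    # Constructed reply headers (not captured traffic): id, flags, qd, an, ns, ar
    for flags, an in ((0x8180, 1), (0x8105, 0), (0x8100, 0)):
        hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, an, 0, 0)
        print(hex(flags), classify(hdr))
```

Run check() from a host outside your own network, since the alert concerns recursive requests accepted from external sources. A result of "open" from such a host means recursion on that server should be restricted to your own clients.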
IV. References
JPNIC
About Open Resolvers (Japanese only)
https://www.nic.ad.jp/ja/dns/openresolver/
JPRS
About "Open Resolvers" - Improper DNS server settings (Japanese only)
http://jprs.jp/important/2013/130418.html
JPCERT/CC
[This week's one point memo] Warning about DNS server settings (Japanese only)
https://www.jpcert.or.jp/tips/2013/wr131201.html
US-CERT
DNS Amplification Attacks
https://www.us-cert.gov/ncas/alerts/TA13-088A
If you have any information regarding this alert, please contact
JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/