How dangerous an open DNS resolver can be

    Almost every IT specialist knows that an open recursive DNS server can be very dangerous, but I had never seen an example of what actually happens and how fast such a server is put to inappropriate use. These were interesting questions for me, so I decided to make a small study and opened my DNS server to everybody on the Internet. The results were amazing. In this article you can read about my study.

Short overview of the DNS protocol and DNS-based attacks

    DNS is used to transform human-readable domain names (e.g. ipvm.biz) into IP addresses (e.g. 1.2.3.4), the form machines use. IP addresses are used for communication on the Internet; other protocols such as TCP and UDP run on top of IP. TCP/IP is a stateful protocol and UDP/IP is a stateless protocol.

    DNS-based attacks rely on two properties of the protocol:

  • Standard DNS resolution uses UDP/IP. Computers do not establish a reliable (stateful) connection with the remote DNS server; they send a query and wait some time for a response. Attackers can therefore spoof the source IP address in the IP packet;
  • The response packet from a DNS server is usually bigger than the request. With EDNS0, DNS packets of up to 4 KB are supported.
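To make these two properties concrete, here is an added example (my code, not from the article or from Infoblox) that builds a DNS query in wire format with an EDNS0 OPT record advertising a 4096-byte UDP payload, then decodes a reply against it: the RA flag in the reply tells you whether the server offers recursion, the TC flag whether the answer overflowed UDP, and the size ratio is the amplification that query achieved. The reply bytes are constructed inline (no network, no real server), so the record set and its sizes are assumptions; the function names build_query, build_synthetic_response, analyze and outbound_mbit_per_s are mine.

```python
"""Added example (not from the article): build a DNS query in wire format
with an EDNS0 OPT record, then measure a response against it. The response
bytes here are synthetic, so this runs offline; point analyze() at a real
reply from your own resolver to check the RA flag and the size ratio."""
import struct

QTYPE_A = 1
QTYPE_TXT = 16
QTYPE_ANY = 255
TYPE_OPT = 41          # EDNS0 pseudo-RR (RFC 6891)
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234, edns_udp_size: int = 4096) -> bytes:
    """Standard UDP query: 12-byte header, one question, optional OPT record.
    RD=1 asks the server to recurse; the OPT record advertises how large a
    UDP reply the client accepts (the article's attacks advertise 4 KB)."""
    flags = 0x0100                                  # QR=0, opcode 0, RD=1
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, the CLASS field carries the UDP payload
        # size, the TTL field carries ext-RCODE/version/flags, RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def build_synthetic_response(query: bytes, rrs: list) -> bytes:
    """Constructed reply for offline testing (not captured from any server):
    echo the question, set QR/RD/RA, and append the given (type, rdata)
    records, each naming the owner via a compression pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = query.index(b"\x00", 12) + 1 + 4         # end of name + qtype/qclass
    question = query[12:qend]
    flags = 0x8180                                  # QR=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0)
    body = b""
    for rtype, rdata in rrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + body


def analyze(query: bytes, response: bytes) -> dict:
    """Decode the header flags a defender cares about and the amplification
    ratio (response bytes / request bytes) this query achieved."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "txid_match": txid == struct.unpack("!H", query[:2])[0],
        "is_response": bool(flags & 0x8000),          # QR
        "truncated": bool(flags & 0x0200),            # TC: reply did not fit in UDP
        "recursion_available": bool(flags & 0x0080),  # RA: server offers recursion
        "rcode": flags & 0x000F,
        "answers": ancount,
        "request_bytes": len(query),
        "response_bytes": len(response),
        "amplification": len(response) / len(query),
    }


def outbound_mbit_per_s(qps: float, response_bytes: int) -> float:
    """Outgoing bandwidth a flood of this size would push from the resolver."""
    return qps * response_bytes * 8 / 1_000_000


if __name__ == "__main__":
    q = build_query("webpanel.sk", QTYPE_ANY)       # the article's top domain, as 'ANY +E'
    # Constructed record set: 20 A records plus four 255-character TXT strings.
    rrs = [(QTYPE_A, bytes([192, 0, 2, i])) for i in range(1, 21)]
    rrs += [(QTYPE_TXT, b"\xff" + b"x" * 255)] * 4
    info = analyze(q, build_synthetic_response(q, rrs))
    print(f"{info['request_bytes']} B in, {info['response_bytes']} B out, "
          f"x{info['amplification']:.1f}, RA={info['recursion_available']}")
    print(f"at 3080 qps with 4 KB replies: {outbound_mbit_per_s(3080, 4096):.0f} Mbit/s")
```

Run it against replies captured from your own resolver: RA set in a reply to a client outside your networks is the open-resolver condition the shadowserver scan looks for, and a reply of a few kilobytes to a 40-byte ANY query is the ratio the spoofed traffic is multiplied by before it reaches the victim.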

    At this moment about 6 million open resolvers are available and reachable around the world every day. The table and the picture below were taken from https://dnsscan.shadowserver.org/, a site which scans networks daily for open resolvers.

Country                 Total
China               1,937,220
United States         562,643
Korea, Republic of    530,331
Taiwan                410,193
Brazil                313,272
Russian Federation    243,518

[Figure: map of open resolvers, from dnsscan.shadowserver.org]

    So DNS can easily be abused for attacks. The following DNS attacks and types of DNS misuse are known:

  • Cache Poisoning, Man-in-the-Middle;
  • DNS Amplification;
  • DNS Reflection;
  • Distributed reflection DoS (DrDoS);
  • DNS-based exploits;
  • Protocol anomalies;
  • DNS tunneling;
  • DNS hijacking;
  • NXDOMAIN;
  • Phantom domain.

Description of my testing environment

    My DNS server is located in Germany, has a stable 1 Gb/s Ethernet connection and for the last 4 years has served as an authoritative DNS server. One month before the study I migrated the server to a new platform, so its IP addresses changed. In authoritative mode it received no more than 2 queries per second (QPS), and on average less than 0.5.
    I used an Infoblox Trinzic v820 as the DNS server, an Infoblox Trinzic Reporting v800-1G for standard reports and my own reporting system (written by myself) for deep data analysis. Domains that were used for attacks were blocked on a DNS Firewall. The maximum QPS rate was limited after 5 months.

Objectives

    I defined several questions to be answered during the study:

  • How fast will my DNS server receive its first recursive query;
  • How fast will it receive inappropriate requests;
  • Measure the average and maximum QPS under attack;
  • Find victims;
  • Find infected networks;
  • Find out which domains and requests are used for attacks;
  • Try to identify the types of attacks;
  • How long will my server still be used after I turn off the open resolver.

Results

    In just the first week my server received 416k requests for 63 domains from 1169 IPs. Over 5 months (3 of which it was open) it received about 46 million requests. Below you can see the graph for the first week.

[Figure: QPS during the first week]

How fast will my DNS server receive its first recursive query

    My DNS server received its first recursive request from China after 1 hour 20 minutes (domain: www.google.it). I checked the log files and found that my server had periodically received such recursive requests before. So attackers periodically scan networks looking for new vulnerable devices.

How fast will it receive inappropriate requests

    The first DNS amplification attack was recorded after 1 day (domain: webpanel.sk, 300 requests).

Measure average and maximum QPS under attack

    The maximum QPS is limited only by server capacity. The maximum QPS observed was 3080. All requests were sent for amplification, so at that moment my server was sending about 96 Mb/s (3080 × 4 Kb = 96 Mb/s). The graph below was produced in my analytical system and shows the maximum QPS.

[Figure: maximum QPS]

Find victims and infected networks

    I am sure that 99% of the requests were spoofed and used for DrDoS attacks. Some domains (doleta.gov, energystar.gov, ebay.de) were used for attacks and may at the same time have been under attack themselves. Below you can see information about the attacked countries and cities; it can easily be extracted from the MaxMind IP geolocation database.

[Figure: attacked countries and cities]

    The table below lists the attacked companies. This information was extracted from the whois service and the RIPE database. The most interesting rows are “Time Warner Cable Internet LLC”, “Akamai Technologies, Inc.” and “AT&T Internet Services”: the number of requests is relatively small but the number of IP addresses is very high. This may mean that the networks of these organizations were infected with malware or are part of a botnet. The most interesting thing would be to find the control center of such a botnet, but it is hard to detect. To do so one would have to analyze all requests and look at the IPs which requested a small number of domains. The thresholds are unknown.

Country             Company                                           Requests    IPs
United States       SoftLayer Technologies Inc.                        3965202     36
United States       SingleHop, Inc.                                    2617987     27
United States       PSINet, Inc.                                       1994461     22
France              OVH SAS                                            1051080    304
United Kingdom      Hosting Services Inc                                938367      4
Germany             1&1 Internet AG                                     761020     12
United States       PrivateSystems Networks                             748641      4
Russian Federation  OJSC Rostelecom Ticket 09-39331, RISS 15440, UrF    687028      1
United States       Time Warner Cable Internet LLC                      671211   1568
Canada              OVH Hosting, Inc.                                   592920    213
United States       Akamai Technologies, Inc.                           176327   4410
China               China Telecom                                        51565    207
United States       AT&T Internet Services                               27502    854

Find out which domains and requests are used for attacks

    Attackers used about 15 different domains for attacks, so it is relatively simple to identify and block such domains. Information about the domains and requests is available in the table below.

Domain                  Query  Flags   Requests
webpanel.sk             ANY    +E      14962032
oggr.ru                 ANY    +E       8300693
energystar.gov          ANY    +E       6676350
doleta.gov              ANY    +E       6326853
067.cz                  ANY    +E       2463053
sema.cz                 ANY    +E       1251206
GUESSINFOSYS.COM        ANY    +E        690320
jerusalem.netfirms.com  ANY    +E        587534
paypal.de               ANY    +E        454756
nlhosting.nl            ANY    +E        414113
freeinfosys.com         ANY    +E        352233
krasti.us               ANY    +E        333806
doc.gov                 ANY    +E        259248
svist21.cz              ANY    +E        231946
wradish.com             ANY    +E        117294

Try to identify the types of attacks

    During the study I identified DrDoS, protocol anomalies and maybe cache poisoning. The graph below clearly shows an amplification attack: the blue line is incoming traffic and the yellow line is outgoing traffic. For DrDoS attacks the “ANY” request with EDNS0 was used. Below you can see information about request types and the flags used.

Request  Flags   Requests
ANY      +E      43500439
A        -ED        17339
ANY      +          11932
A                    9853
A        -EDC        8956
AAAA     -EDC        4749
AAAA     -ED         4467
ANY                  2289
A        +E          1899
RRSIG    +E          1124

    The DNS server statistics contained information about several requests with a wrong port and query ID, so it looks like somebody tried to poison the cache. These requests may relate to cache poisoning or NXDOMAIN attacks:

  • ndnaplaaaaeml0000dgaaabbaaabgnli.energystar.gov;
  • mmokojaaaaeml0000dgaaabbaaabgclm.doleta.gov;
  • oaanjeaaaaesc0000deaaabbaaabicoc.webpanel.sk;
  • cnklipaaaaesh0000claaabbaaabfgoa;
  • 2d852aba-7d5f-11e4-b763-d89d67232680.ipvm.biz.
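The tables above (domains, request types and flags, and the long random names) are what a query log reduces to once each line is classified. Here is an added example (my code, not the author's reporting system) that does that classification over a few constructed BIND 9 style query-log lines: it counts ANY queries with recursion desired and EDNS per domain and per source, reports domains above an assumed threshold as block candidates, treats the sources of those queries as probable spoofed victims, and picks out names whose leftmost label is unusually long. The sample lines, the threshold and the label length are assumptions, as are the function names parse_line, is_amplification_query, is_long_label and analyze.

```python
"""Added example (not the author's reporting system): classify query-log
lines into the categories the article's tables use. The log lines are
constructed in BIND 9 query-log style; the thresholds are assumptions to
tune per server."""
import re
from collections import Counter

# BIND 9 style: 'client <ip>#<port>[ (<name>)]: query: <name> IN <type> <flags> (<server-ip>)'
# Flags: leading '+' = RD set, '-' = RD clear; 'E' = EDNS, 'D' = DO, 'C' = CD.
LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*) \((?P<dst>[^)]+)\)"
)

# Constructed sample: two spoofed 'victim' sources sending ANY +E for the
# article's top domains, one poisoning-style probe, and two ordinary queries.
SAMPLE_LOG = """\
client 198.51.100.7#5353: query: webpanel.sk IN ANY +E (192.0.2.53)
client 198.51.100.7#5353: query: webpanel.sk IN ANY +E (192.0.2.53)
client 198.51.100.7#33120: query: webpanel.sk IN ANY +E (192.0.2.53)
client 198.51.100.8#5353: query: webpanel.sk IN ANY +E (192.0.2.53)
client 198.51.100.8#5353: query: energystar.gov IN ANY +E (192.0.2.53)
client 198.51.100.9#49871: query: ndnaplaaaaeml0000dgaaabbaaabgnli.energystar.gov IN A -ED (192.0.2.53)
client 203.0.113.21#41022: query: www.google.it IN A + (192.0.2.53)
client 203.0.113.22#41022: query: mail.example.net IN AAAA -EDC (192.0.2.53)
"""


def parse_line(line: str):
    """Return the fields of one query-log line, or None if it is not a query line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def is_amplification_query(q: dict) -> bool:
    """The article's DrDoS signature: type ANY, recursion desired, EDNS present."""
    return q["qtype"] == "ANY" and q["flags"].startswith("+") and "E" in q["flags"]


def is_long_label(name: str, min_len: int = 24) -> bool:
    """Leftmost label unusually long (the probes in the article use 32 characters)."""
    return len(name.split(".")[0]) >= min_len


def analyze(log_text: str, block_threshold: int = 3, min_label: int = 24) -> dict:
    """Aggregate one log into: domains worth blocking, sources that are probably
    spoofed victims, long-label probes, and the overall share of ANY +E."""
    total = 0
    amp_by_domain, amp_by_source, by_source = Counter(), Counter(), Counter()
    long_names = []
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        total += 1
        by_source[q["ip"]] += 1
        if is_amplification_query(q):
            amp_by_domain[q["name"]] += 1
            amp_by_source[q["ip"]] += 1
        if is_long_label(q["name"], min_label):
            long_names.append(q["name"])
    amp_total = sum(amp_by_domain.values())
    return {
        "total": total,
        "any_edns_share": amp_total / total if total else 0.0,
        "block_candidates": sorted(d for d, n in amp_by_domain.items() if n >= block_threshold),
        "probable_victims": sorted(amp_by_source),   # spoofed sources = the targets to notify
        "long_label_names": long_names,
        "queries_by_source": dict(by_source),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"ANY +E share: {report['any_edns_share']:.0%}")
    print("block candidates:", report["block_candidates"])
    print("probable spoofed victims:", report["probable_victims"])
    print("long-label probes:", report["long_label_names"])
```

On a real log the probable-victims list is who to notify, the block candidates are what goes into the blacklist or DNS Firewall, and the share of ANY +E is the single number that tells you the server has been found and is being used.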

How long will my server be used after I turn off the open resolver

    After I turned off the open resolver, the server continued to receive inappropriate requests for the next 1.5 months.

Conclusions

  • Any DNS server is a great tool for analyzing user and malware behavior;
  • Analysis of DNS logs can improve the quality of the DNS service;
  • A lot of «ANY +E» requests show that your server is under attack or participating in an attack;
  • A small number of domains are used for attacks. You can block them with blacklists or a DNS Firewall and decrease the load on DNS servers and network utilization;
  • Long DNS names are used for attacks. You should check the client if possible.

    And in the end I want to share my short video about DNS attacks. Have fun!

(c) Vadim Pavlov