This has been a rough week in the security industry with big attacks and compromises reported at companies from Facebook to Apple. We're therefore happy to end the week with some good news: the web's open resolvers, one of the sources of the biggest DDoS attacks, are getting closed.
Sad State of Affairs
Last October, we wrote a blog post about DDoS amplification attacks. This type of attack makes up some of the largest DDoSs CloudFlare sees, sometimes exceeding 100 gigabits per second (100Gbps). The attacks use DNS resolvers that haven't been properly secured in order to "amplify" the resources of the attacker. An attacker can achieve more than a 50x amplification, meaning that for every byte they are able to generate themselves they can pummel a victim with 50 bytes of garbage data.
The problem stems from misconfigured DNS resolver software (e.g., BIND) that is setup to respond to a query from any IP address. Since DNS requests typically are sent over UDP, which, unlike TCP, does not require a handshake, an attacker can spoof a victim's IP address as the source address in a packet and a misconfigured DNS resolver will happily bombard the victim with responses.
Closing the Open Resolvers
While CloudFlare's network is very good at absorbing even these large attacks, the long term solution for the web is for providers to clean up the open resolvers running on their networks. We wanted to help with that so we engaged in a bit of name-and-shame at the end of the last blog post, listing the networks with the largest number of open resolvers. The good news is it worked: almost four months later our tests show that the number of open resolvers across the Internet is down more than 30%. The chart below shows the progress individual networks have made in cleaning up the problem.
| ASN | Network | 10/30/12 | 2/22/13 | % Change |
|---|---|---|---|---|
| 21844 | THEPLANET-AS - ThePlanet.com Internet Services, In | 2925 | 2216 | -24% |
| 3462 | HINET Data Communication Business Group | 2739 | 2213 | -19% |
| 36351 | SOFTLAYER - SoftLayer Technologies Inc. | 1075 | 781 | -27% |
| 9394 | CRNET CHINA RAILWAY Internet(CRNET) | 1052 | 774 | -26% |
| 4713 | OCN NTT Communications Corporation | 1044 | 722 | -31% |
| 45595 | PKTELECOM-AS-PK Pakistan Telecom Company Limited | 1030 | 716 | -30% |
| 4134 | CHINANET-BACKBONE No.31,Jin-rong Street | 970 | 705 | -27% |
| 33182 | DIMENOC - HostDime.com, Inc. | 940 | 638 | -32% |
| 7018 | ATT-INTERNET4 - AT&T Services, Inc. | 934 | 624 | -33% |
| 24940 | HETZNER-AS Hetzner Online AG RZ | 872 | 593 | -32% |
| 26496 | AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC | 855 | 560 | -35% |
| 20773 | HOSTEUROPE-AS Host Europe GmbH | 835 | 517 | -38% |
| 16276 | OVH OVH Systems | 803 | 511 | -36% |
| 13768 | PEER1 - Peer 1 Network Inc. | 707 | 421 | -40% |
| 14383 | VCS-AS - Virtacore Systems Inc | 596 | 420 | -30% |
| 32613 | IWEB-AS - iWeb Technologies Inc. | 585 | 367 | -37% |
| 23352 | SERVERCENTRAL - Server Central Network | 577 | 350 | -39% |
| 2514 | INFOSPHERE NTT PC Communications, Inc. | 561 | 341 | -39% |
| 2519 | VECTANT VECTANT Ltd. | 531 | 326 | -39% |
| 15003 | NOBIS-TECH - Nobis Technology Group, LLC | 521 | 322 | -38% |
| 22773 | ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc | 484 | 315 | -35% |
| 6830 | LGI-UPC UPC Broadband Holding B.V. | 453 | 307 | -32% |
| 12322 | PROXAD Free SAS | 449 | 299 | -33% |
| 21788 | NOC - Network Operations Center Inc. | 442 | 295 | -33% |
| 17506 | UCOM UCOM Corp. | 422 | 293 | -31% |
| 6939 | HURRICANE - Hurricane Electric, Inc. | 414 | 284 | -31% |
| 16265 | LEASEWEB LeaseWeb B.V. | 407 | 284 | -30% |
| 3269 | ASN-IBSNAZ Telecom Italia S.p.a. | 402 | 281 | -30% |
| 29550 | SIMPLYTRANSIT Simply Transit Ltd | 392 | 271 | -31% |
| 19262 | VZGNI-TRANSIT - Verizon Online LLC | 390 | 262 | -33% |
Kudos
A few other organizations deserve a special shout out for helping with this effort. The great folks at Team Cymru have been tracking open resolvers and other badness online since before CloudFlare was even an idea. Their consistent efforts in this area have been awesome and we're in the process of partnering with them to help get the word out.
In addition, SoftLayer has been especially vocal and active in spearheading clean up efforts on its network. As they pointed out in a great blog post, because of the size and nature of their network, it's often difficult for them to police the configuration of software their customers run. Even so, they are actively reaching out to customers to educate them about the dangers of running open resolvers on their networks.
We greatly appreciate country CERTs/CSIRTs and various Information Sharing and Analysis Centers (ISACs) reaching out to us offering to get in touch with some of the less responsive network providers.
Going forward, we are happy to provide the IP addresses running open resolvers directly to any network provider that is interested in cleaning up their networks. If you're running a network on the list above, please don't hesitate to reach out to us and we'll get you the data you need to help with cleanup.