RIPE: Attacks on domain name systems are on the increase
30 million open resolvers in the domain name system and a 200 per cent increase in the number of attacks in 2012 – these alarming figures were discussed by administrators at the 66th meeting of the RIPE IP address registry in Dublin this week. A panel discussion revolved around how to motivate the black sheep to implement long overdue security measures before large-scale attacks call the regulators to action.
Recommendations on how to avoid address spoofing – such as asking manufacturers not to factory-set their devices to be available as open resolvers, and various calls for "network hygiene" by RIPE members – are up to a decade old. While attackers regularly employ the latest technologies, the internet on the whole is lagging behind. "They always run the latest code, but we can't dictate that our customers do the same", said Thomas Eberman from Infoblox.
Financial pressure and lack of expertise make any measures that don't directly affect a company's bottom line appear less attractive – such as filtering out spoofed addresses or major hosting companies reconfiguring any open recursive resolvers at their clients' end. Some people simply don't care, said Merike Kaeo. The security expert also expressed her doubts about the statement that only 20 per cent of recursive resolvers are open. In her opinion, the number is higher. Even mobile phones with a tethered internet connection could become open resolvers, she added.
Several registries – including VeriSign, ICANN, and the Dutch SIDN and French AfNIC registries – have admitted that they no longer respond to every request that is sent to their authoritative servers. Many experts consider this to be the largest threat by far – powerful DNS resources being targeted to launch attacks. Even cryptographic DNSSEC domain security measures are being exploited. With the appropriate keys, victims are hit with several hundred times as many responses as the requests that can be forged via the systems of unsuspecting third parties or cheap cloud servers. So far, existing surplus capacities have usually protected the internet from worst-case scenarios. Now, central infrastructure service operators are among those whose warnings are becoming louder in response to an increasing number of attacks.
Thorsten Dietrich, who represented the German Federal Office for Information Security (BSI) at the RIPE meeting, thinks that filtering out spoofed addresses is no longer a major problem for German ISPs. "What's annoying are the open resolvers at large hosting services," Dietrich said, adding that the BSI plans to place a stronger focus on this issue in the near future. His statement was welcomed by Wilhelm Boeddighaus from Strato, one of the hosting services that could potentially find itself in the BSI's firing line.