Is your dedicated server being used for DDoS attacks?

Posted by Drew Weaver on Thu, Mar 28, 2013 @ 08:57 AM

First, let me welcome you to the new XLHost blog and introduce myself. I am Drew Weaver, Chief Technical Officer at XLHost. If you're a customer of XLHost we have most likely interacted at some point in the past. I have been with XLHost since 1999 and it is basically my job to oversee the operation of anything that has a blinking light and make sure that our amazing technical support staff continues to be the best in the industry. My posts will likely tend to skew towards technical matters so bare with me if my geekness shines through. (I will try to keep it in check)

Welcome to the XLHost blog

It is unfortunate that my first post on our new XLHost blog is about a record breaking DDoS attack but I felt that this topic was important enough to garner some additional attention and to raise awareness on this issue. You may have read recently about the record breaking 300Gbps distributed denial of service (DDoS) attack which has been targeting Spamhaus. Spamhaus is an organization of volunteers whom maintain lists of IP addresses which are used to send spam, spread malware, and generally make the Internet less enjoyable for You and your users. Spamhaus is frequently the target of denial of service attacks but never anything as large as this.

spamhaus ddos

The bulk of the attack traffic was delivered using a technique known as DNS amplification (less specifically UDP amplification). With DNS amplification the attacker sends a DNS query to hundreds or thousands of open DNS resolvers with the source IP address set to the IP address of the target. The hundreds or thousands of open DNS resolvers then send their answers back to the target's IP address. This means that the attacker sends 36 bytes to the open resolver and the resolver replies with as much as 3000 bytes (that is the amplification part). For example if the attacker has a 100Mbps connection to the Internet and they used the entire usable amount (91Mbps) to generate requests; the attack traffic could be as much as 7.6Gbps

This is possible because many Internet Service Providers still allow traffic to leave their networks for IP addresses that they are not responsible for. (This is called IP address spoofing) Mechanisms to prevent IP address spoofing were first proposed in BCP 38 which was originally published in May of 2000. Unicast Reverse Path Verification (URPF) was added as a feature in most routers by 2005 and presently it is a feature available in all ISP router platforms. The only reason that URPF is not effective is because many ISPs choose not to implement it. XLHost has had URPF deployed since 2007.

Since there is very little chance that we can convince large networks to deploy URPF, let's instead talk about what XLHost can do, and what You can do to combat UDP amplification. If you are running a DNS server such as Microsoft DNS, ISC BIND, or PowerDNS on a server connected to the Internet You should make sure that the server is not an open DNS resolver.

XLHost will be launching a free tool very soon that will allow customers to scan their dedicated servers, VPS servers, or Cloud servers to determine whether they are open DNS resolvers. We will also be scanning our network to find any open DNS resolvers and assist customers in closing down open DNS resolvers.

Please let us know if you have any questions about this issue. I recommend anyone interested in any of the information in this post check out the excellent Open DNS resolver project website. There you will find more details on the problem and tools you can use to scan and close open DNS resolvers.

Once again welcome to the blog!


Tags: DNS, security, dedicated servers