As you may have noticed in the media, denial-of-service (DoS)
attacks that use DNS servers to amplify the attack are
currently becoming more common.
These attacks all rely on ORNs, Open Recursive Nameservers. A recursive
DNS nameserver is “open” when it agrees to reply not only to its
local network (as it should) but also to the whole world. It can
therefore be used as a proxy for the DoS attack. By taking part in the
attack, it can engage the responsibility of its administrator. Since
a DNS reply is typically larger than the request, the attack is
amplified, so the bad guy saves his own bandwidth.
The AFNIC wishes to remind everyone that ORNs are a danger for the
whole Internet. ORNs have few legitimate uses. The AFNIC strongly
recommends shutting down ORNs, following the techniques described in the
references below. For instance, for the BIND program, setting “recursion no”
is recommended. For the legitimate recursive service towards the local
network (and towards your customers if you are an access provider), you
need to use a second machine, a second daemon or even the views of
The AFNIC, together with other TLD registries, continues to study
this vulnerability and the best ways to counter it. One
possible measure is to stop serving DNS requests coming from ORNs. At
present, surveys show that a significant share of the nameservers
on the Internet are ORNs, which calls for attention and for
action by system administrators.
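To make the “recursion no” and views recommendations above concrete, here are BIND 9 named.conf fragments added as an example (not configuration from the AFNIC advisory). The three blocks are alternatives for a single server, not one file; the zone name, file paths and network prefixes are placeholders.

```conf
// Alternative 1: the problem. With no restriction, named resolves for
// anyone on the Internet, so this server is an ORN and an amplifier.
options {
    directory "/var/named";
    recursion yes;              // default value, open to the whole world
};
zone "example.org" { type master; file "db.example.org"; };

// Alternative 2: authoritative-only server (the "recursion no" advice).
// It still answers for the zones it hosts but never resolves on
// behalf of a client, so it cannot be used as a recursive amplifier.
options {
    directory "/var/named";
    recursion no;               // refuse all recursive service
    allow-query { any; };       // authoritative data stays public
};
zone "example.org" { type master; file "db.example.org"; };

// Alternative 3: one daemon, two views. Recursion only for the local
// network; the rest of the world gets authoritative answers only.
// With views in use, every zone must be declared inside a view.
acl "local-nets" { 127.0.0.0/8; 192.0.2.0/24; };   // placeholder prefixes

view "internal" {
    match-clients { "local-nets"; };
    recursion yes;
    allow-recursion { "local-nets"; };
    zone "example.org" { type master; file "db.example.org"; };
};

view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    zone "example.org" { type master; file "db.example.org"; };
};
```

After reloading, a query from outside "local-nets" for a name the server does not host should be refused, and the `ra` (recursion available) flag should no longer appear in the response header.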
Securing an Internet Name Server
A very good practical synthesis for the system administrator.
DNS Amplification attacks
A good description of the current attacks.
The Continuing Denial of Service Threat Posed by DNS Recursion
Official advice from the US CERT.
Stop abusing my computer in DDOSes, thanks
A description of the first known case, known as “x.p.ctrc.cc”.