Name servers are DDOS targets

THE NUMBER OF external name servers that allow open access to recursion has rocketed over the last few years, increasing the risk of distributed denial of service attacks, according to network management firm Infoblox.

According to the findings of its fifth annual DNS Survey, the number of name servers on the Internet has grown by around 40 per cent in the last two years, reaching about 16.3 million today with nearly eight out of ten of those open to recursion.

"This year's survey is a Pandora's box of both frightening and hopeful results," said Cricket Liu, vice president of architecture at Infoblox

"Of particular interest is the enormous growth in the number of Internet-connected name servers, largely attributable to the introduction by carriers of customer premises equipment (CPE) with embedded DNS functionality. This equipment represents a significant risk to the rest of the Internet, as without proper access controls, it facilitates enormous DDoS attacks."

Because so many of today's broadband access devices have built-in DNS proxies, the growing uptake of broadband has caused a similar swelling in the population of name servers.

On the up side, Liu noted that the percentage of Microsoft DNS servers for external use has plummeted and now stands at around a third of one per cent.

He is hopeful that this has been driven by an understanding of the security risks of exposing Windows computers to the Internet and migration to a more secure option.

As well as moving away from Microsoft DNS servers, it seems that admins are being more careful about how they configure these systems, with the number of zones with one or more name servers open to zone transfers having dropped from 31 per cent last year to 16 per cent in the most recent study.

Furthermore, the number of DNSSEC signed zones has roughly quadrupled, with vectors such as the Kaminsky vulnerability helping spur adoption.

Meanwhile, the adoption of IPv6 saw modest growth to 0.7 per cent from 0.44 per cent in 2008.

"I am pleased to see the adoption of DNSSEC accelerating and I hope to see this number increase substantially in the next year as more top-level zones are signed," added Liu.

Liu is calling for the introduction of minimum standards for embedded DNS proxies such as support for query ACLs and source port randomisation. In the interim he suggests all organizations with external DNS servers assess their infrastructure to ensure that they are not vulnerable.

Lastly the report stresses that carriers need to pay more attention to the default configuration and security features of any networking equipment that they deploy and customers need to confirm this. µ