ANNOUNCE@LISTS.IPHOUSE.NET


Subject: DNS resolver changes -- 4/22/2013
From: Doug McIntyre <[log in to unmask]>
Reply-To: [log in to unmask]
Date: Thu, 4 Apr 2013 15:46:20 -0500


For quite some time, we have run our DNS resolver servers open to the
public Internet. Being "open" means that the DNS resolver servers
could be used from networks outside of ours. In the past, having open
DNS has been helpful for those users who traveled frequently.

Now that mobile devices are the norm, it's nearly guaranteed that you
will be given DNS information as part of your connection. That means
having open DNS servers really isn't necessary any longer and that's
good because now attackers are using open DNS resolver servers to
cause havoc on the Internet.

What havoc? DNS Amplification is the current choice for attackers to
form large DDoS attacks against targets on the Internet.

What is a DDoS attack? This Wikipedia article has more information.
         http://en.wikipedia.org/wiki/Denial-of-service_attack

DNS Amplification was recently the primary method used in the Spamhaus 
attack that netted over 300Gbps of traffic against the Spamhaus website 
and even the exchange networks routing traffic for Spamhaus. This is
a huge amount of traffic, even for the latest backbone hardware. 

With our DNS resolver servers being open, our own servers unwillingly
formed part of that attack. We saw a large upswing in traffic out of
our servers during the attack. Further analysis shows that even back
at normal levels, around 65-75% of our traffic load is still abusive
amplification attacks continuously going on. On average, less than 25%
of our normal daily traffic is legitimate requests handled for our customers.

[What are we doing to stop this?]

We are making a change in our policy and disallowing off-net access to
our DNS resolving servers:

         216.250.190.144                 209.240.77.77
         216.250.190.145                 209.240.87.77
         216.243.128.5                   208.200.182.10
         216.243.182.182                 208.200.182.11
         2001:4980:0:1000::53
         2001:4980:0:FFFF::53

Starting on the morning of 22 April, 2013, these servers will no
longer respond to DNS queries from off-net. They will continue to
service everybody on-net within the ipHouse local network, and our
customer IP address ranges that we are currently routing.

[What this means to you]

We expect this change to impact very few people, but we are putting
out the word ahead of time to give a heads up to those that may have
set these specific settings in their computers. This change does not
affect DNS or Web hosting in any way; this is purely DNS resolver
setup for client computers.

If your computer is connected to ipHouse, most likely you already
have your computer set to obtain this information automatically,
but within the ipHouse network address ranges there will be no change.

If you have hard coded DNS resolvers configured on your computer and are
no longer directly connected to ipHouse, you may have connectivity
problems on the morning of 22 April, 2013.

To fix this, you should make sure to utilize the local DNS servers
in use at your location. Most often, this is handed out automatically
via your connection and obtaining this information automatically is
the default in virtually all Internet connected devices.

To confirm if your DNS resolver settings are correct, there is a webpage
of various carriers here.

For CenturyLink ISP services
         http://www.whatsmydns.net/dns/usa/centurylink.html

For Comcast
         http://www.whatsmydns.net/dns/usa/comcast.html

For Charter
         http://www.whatsmydns.net/dns/usa/charter.html

Plus, there are also other public services
(presumably that heavily filter out the hackers)

Google DNS
         https://developers.google.com/speed/public-dns/docs/using
         IP address:8.8.8.8 & 8.8.4.4

Or OpenDNS
         IP address:208.67.222.222 & 208.67.220.220


[Results]

We want to be good Netizens and not let our servers be abused and
unwillingly participate in further Network Attacks. Also, there may be
vigilante groups out on the Net looking for open DNS servers being
actively abused and bringing attacks directly at them to stop the attack
at the source.

We are taking steps to not be an unwilling attacker and to lower our
profile to ensure our critical services, such as DNS resolution, stay up
and responsive for our customers.


If you have any problems or questions please let us know at
[log in to unmask], or call us up at 612-337-6340.

Thank you.

-- 
Doug McIntyre                            <[log in to unmask]>
          -- ipHouse/Goldengate/Bitstream/ProNS -- 
       Network Engineer/Provisioning/Jack of all Trades

#################################################

To manage your subscription please use the following link:
    https://lists.iphouse.net/cgi-bin/wa?SUBED1=ANNOUNCE
if you experience difficulties, please send an email to [log in to unmask]
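
The on-net/off-net split that the announcement describes can be measured from a resolver's own query log before an access restriction goes live. The following is an added example, not part of the original message or ipHouse's tooling: the on-net prefixes are documentation ranges standing in for the real customer ranges, and the log lines are constructed in the style of a BIND 9 query log (the message does not say which resolver software is in use).

```python
import ipaddress
import re
from collections import Counter

# Assumption: documentation prefixes standing in for the provider's on-net
# ranges; the announcement does not list the real ones.
ON_NET = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:100::/48")]

# Constructed sample lines (BIND 9 query-log style), not real traffic.
SAMPLE_LOG = """\
04-Apr-2013 15:46:20.101 client 192.0.2.10#53124: query: www.example.com IN A + (192.0.2.53)
04-Apr-2013 15:46:20.105 client 198.51.100.7#4444: query: example.org IN ANY +E (192.0.2.53)
04-Apr-2013 15:46:20.106 client 198.51.100.7#4444: query: example.org IN ANY +E (192.0.2.53)
04-Apr-2013 15:46:20.200 client 2001:db8:100::25#61000: query: mail.example.com IN AAAA + (2001:db8:100::53)
04-Apr-2013 15:46:20.250 client 203.0.113.99#1025: query: example.org IN ANY +E (192.0.2.53)
04-Apr-2013 15:46:20.300 general: info: zone reload complete
04-Apr-2013 15:46:20.400 client 2001:db8:ffff::1#5353: query: example.net IN TXT +E (2001:db8:100::53)
"""

CLIENT_RE = re.compile(r"client (\S+)#\d+.*?: query: ")

def is_on_net(addr):
    """True if addr falls inside any on-net prefix (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip.version == net.version and ip in net for net in ON_NET)

def summarize(log_text):
    """Count on-net vs off-net resolver queries and rank off-net sources."""
    on_net, off_net = 0, Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue  # not a query line (e.g. a general log message)
        try:
            local = is_on_net(m.group(1))
        except ValueError:
            continue  # unparseable client address
        if local:
            on_net += 1
        else:
            off_net[m.group(1)] += 1  # would be refused under the new policy
    refused = sum(off_net.values())
    total = on_net + refused
    return {
        "on_net": on_net,
        "off_net": refused,
        "off_net_share": round(refused / total, 2) if total else 0.0,
        "top_off_net": off_net.most_common(3),
    }
```

Calling `summarize(SAMPLE_LOG)` returns the on-net and off-net counts, the off-net share of all queries, and the busiest off-net client addresses.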
