For quite some time, we have run our DNS resolver servers open to the public Internet. Being "open" means that the DNS resolver servers could be used from networks outside of ours. In the past, having open DNS has been helpful for those users who traveled frequently. Now that mobile devices are the norm, it's nearly guaranteed that you will be given DNS information as part of your connection. That means having open DNS servers really isn't necessary any longer, and that's good, because now attackers are using open DNS resolver servers to cause havoc on the Internet.

What havoc? DNS amplification is the current choice for attackers to form large DDoS attacks against targets on the Internet. What is a DDoS attack? This Wikipedia article has more information: http://en.wikipedia.org/wiki/Denial-of-service_attack

DNS amplification was recently the primary method used in the Spamhaus attack, which netted over 300Gbps of traffic against the Spamhaus website and even the exchange networks routing traffic for Spamhaus. This is a huge amount of traffic, even for the latest backbone hardware. With our DNS resolver servers being open, our own servers unwillingly formed part of that attack. We saw a large upswing in traffic out of our servers during the attack. Further analysis shows that even back at normal levels, around 65-75% of our traffic load is still abusive amplification attacks continuously going on. On average, less than 25% of our normal daily traffic is legitimate requests handled for our customers.

[What are we doing to stop this?]

We are making a change in our policy and disallowing off-net access to our DNS resolving servers:

216.250.190.144
209.240.77.77
216.250.190.145
209.240.87.77
216.243.128.5
208.200.182.10
216.243.182.182
208.200.182.11
2001:4980:0:1000::53
2001:4980:0:FFFF::53

Starting on the morning of 22 April, 2013, these servers will no longer respond to DNS queries from off-net.
They will continue to service everybody on-net within the ipHouse local network, and our customer IP address ranges that we are currently routing.

[What this means to you]

We expect this change to impact very few people, but we are putting out the word ahead of time to give a heads up to those that may have set these specific settings in their computers. This change does not affect DNS or Web hosting in any way; this is purely DNS resolver setup for client computers.

If your computer is connected to ipHouse, most likely you already have your computer set to obtain this information automatically, but within the ipHouse network address ranges there will be no change. If you have hard coded DNS resolvers configured on your computer and are no longer directly connected to ipHouse, you may have connectivity problems on the morning of 22 April, 2013. To fix this, you should make sure to utilize the local DNS servers in use at your location. Most often, this is handed out automatically via your connection, and obtaining this information automatically is the default in virtually all Internet connected devices.

To confirm if your DNS resolver settings are correct, there is a webpage of various carriers here:

For CenturyLink ISP services: http://www.whatsmydns.net/dns/usa/centurylink.html
For Comcast: http://www.whatsmydns.net/dns/usa/comcast.html
For Charter: http://www.whatsmydns.net/dns/usa/charter.html

Plus, there are also other public services (which presumably heavily filter out the hackers):

Google DNS: https://developers.google.com/speed/public-dns/docs/using
IP address: 8.8.8.8 & 8.8.4.4

Or OpenDNS
IP address: 208.67.222.222 & 208.67.220.220

[Results]

We want to be good Netizens and not let our servers be abused and unwillingly participate in further Network Attacks. Also, there may be vigilante groups out on the Net looking for open DNS servers being actively abused and bringing attacks directly at them to stop the attack at the source.
We are taking steps to not be an unwilling attacker and to lower our profile to ensure our critical services, such as DNS resolution, stay up and responsive for our customers.

If you have any problems or questions please let us know at [log in to unmask], or call us up at 612-337-6340.

Thank you.

-- 
Doug McIntyre <[log in to unmask]>
-- ipHouse/Goldengate/Bitstream/ProNS
-- Network Engineer/Provisioning/Jack of all Trades
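The on-net/off-net resolver policy described in the announcement, applied to a constructed query log so the effect on outbound traffic can be measured. This is an added example, not ipHouse's code or configuration; the ON_NET prefixes (documentation ranges, not ipHouse's customer routes) and the log line format are assumptions.

```python
"""Apply an on-net/off-net resolver policy to sample query-log entries and
measure what share of the reply bytes the off-net refusal keeps from leaving.
Added example; ON_NET prefixes and the log format are constructed assumptions."""
import ipaddress

# Assumed on-net prefixes (placeholders standing in for the routed customer ranges)
ON_NET = [ipaddress.ip_network(p) for p in
          ("192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32")]

# Constructed log: "<source> <qtype> <qname> <query_bytes> <reply_bytes>"
SAMPLE_LOG = """\
192.0.2.10 A www.example.com 45 61
192.0.2.11 AAAA www.example.com 45 73
203.0.113.5 ANY example.org 40 3200
203.0.113.5 ANY example.org 40 3200
203.0.113.6 ANY example.org 40 2900
2001:db8::1 MX example.net 44 120
"""

def is_on_net(src: str) -> bool:
    """True if the source address falls inside a routed on-net prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ON_NET)

def parse_log(text: str) -> list:
    entries = []
    for line in text.splitlines():
        src, qtype, qname, qb, rb = line.split()
        entries.append({"src": src, "qtype": qtype, "qname": qname,
                        "query_bytes": int(qb), "reply_bytes": int(rb)})
    return entries

def amplification(entry: dict) -> float:
    """Reply/query size ratio; large values mark amplification-friendly queries."""
    return entry["reply_bytes"] / entry["query_bytes"]

def apply_policy(entries: list) -> dict:
    """Serve on-net sources, refuse off-net ones, and report the byte share
    that the refusal keeps from leaving the resolver (the abusive load)."""
    served = refused = served_bytes = refused_bytes = 0
    for e in entries:
        if is_on_net(e["src"]):
            served, served_bytes = served + 1, served_bytes + e["reply_bytes"]
        else:
            refused, refused_bytes = refused + 1, refused_bytes + e["reply_bytes"]
    total = served_bytes + refused_bytes
    return {"served": served, "refused": refused,
            "refused_byte_share": refused_bytes / total if total else 0.0}
```

Running `apply_policy(parse_log(SAMPLE_LOG))` shows the off-net ANY queries accounting for well over 90% of the reply bytes even though they are only half of the queries, which is the kind of ratio the announcement describes.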