DNS Amplification in the eyes of a hosting provider

09/11/2012 1:53 pm Lutz Donnerhacke

An operator from an unnamed hosting provider did collect some data about DNS amplification attacks and send me a copy. This data draws a horrible picture of the real situation out there.

They scanned 157322 IPs of their hosting customers with DNS queries. 10917 of them run an open, unsecured DNS resolver which processes recursive questions from anybody. So nearly 7% of all hosted systems are potential reflection and amplification relays.

Further scanning those systems with Nessus/nmap reveals an awful number of really old systems:

System Anzahl
SuSE-10.1 mit Plesk 8.1 173
SuSE-9.3 mit Plesk 8.0 204
CentOS 5.X with Plesk 8.3 235
SuSE-10.2 mit Plesk 8.2 238

The customers might not know or notice that they are misused, but they accumulate an impressive amount of bandwidth. So let's have a look at the traffic on port 53 crossing the border of this autonomous system:

Location Mbps "open relays" Mbps "total" Percentage
RZ1 63,30 230,00 28%
RZ2 13,50 15,80 85%
RZ3 26,90 75,50 36%

RZ2 is the oldest location containing most of the oldest servers. Obviously there are the majority of unpatched and vulnerable systems.

If you like, please share your data with me.

Avatar
rechenzentrum frankfurt 09/03/2015 11:23 am
Die Frage ist aber eher, was man dagegen tun kann. Es ist ja gut solche Statistik Informationen zu haben, nur muss man diese natürlich auch entsprechend verwerten.
Avatar
danrl 09/11/2012 4:28 pm
85% of their DNS traffic at RZ2 is from open relays? Have they considered informing their customers about that? Looking at the nessus scans it looks like there are a lot of hosted systems *someone* has to take care of. Who installed and never updated all those systems?

Total 2 comments

Post a comment

Related content