Source Address Validation Helps Ensure that a Resolver Only Receives Queries from Valid Source Addresses Before Sending Back Responses...
While all Internet security issues are reasons for concern, the recent DDoS attack on SpamHaus.org hit especially close to home since the company I work for (Afilias) is responsible for the back-end registry operations of the .ORG domain. While the attack ended well for SpamHaus, it made me more aware than ever that everyone can become a better Internet citizen.
One of the Internet’s greatest attributes is that it is, by and large, unregulated. For the most part, it functions well because most of us are good Internet citizens. And while good conduct is generally an effective means of governing the virtual world, occasionally something happens that underscores the importance of stepping up to our stewardship obligations.
The SpamHaus Attack
In late March, as-yet-unknown cyberattackers targeted the website of SpamHaus, an international nonprofit whose mission is to track the Internet's spam operations and to provide anti-spam protection for Internet networks. The attackers hit by leveraging open recursive resolvers. These resolvers are configured, usually by default, to exchange messages from any device without first verifying the authenticity of the sender’s address. Because of the configuration, a DDoS attack is generally easy to execute: the number of messages builds, slowly and quietly. If the build-up of messages goes unchecked, a cyberattack, like the one directed at SpamHaus, gathers momentum as the number of messages sent and received increases. Eventually, the target is overwhelmed and, as a result, disabled. In the SpamHaus incident, more than 100,000 open resolvers were used to orchestrate an onslaught that reached 300 billion bits per second, which makes it the largest attack of this type so far reported.
A Clear Case for Source Address Validation
While it’s tempting to blame open resolvers for the SpamHaus attack and end the discussion, that paints an inaccurate picture. Open resolvers make for an easy target, but they can be managed properly — as, for example, Google does — and made to comply with the best practices set forth in the IETF’s Domain Name System Operations Working Group paper, “Preventing Use of Recursive Nameservers in Reflector Attacks.” That said, Domain Name Servers provide an ideal system for the type of attack directed at SpamHaus. That’s because the accepted paradigm is that when a query comes in to a Domain Name Server, it’s responded to in good faith, according to the query’s stated point of origin. After all, a good citizen would give directions to someone who asked for them.
Domain Name Servers and open resolvers are symptoms. The real problem is that the practice of source address validation hasn’t been widely adopted. The implementation of source address validation would help ensure that a resolver only receives queries from valid source addresses before it sends back responses.
The term “source address validation” refers to a set of techniques that verify the validity of the source IP address in packets submitted to the Internet. In this case, ”valid” means that the source address is not assigned from a private address space and that it falls within a range of legitimately advertised prefixes for a given origin. (You can still be a good citizen and check the peephole to see who’s there before opening the door.)
I don’t believe that there is any single way to prevent the type of attack experienced by SpamHaus from reoccurring, but there are ways to dramatically decrease its likelihood. Source address validation tackles the issue of networks not filtering spoofed traffic. Without verifying the address of the source, spoofed traffic is allowed to leave the network … its source address is unverified. This is not good network neighborhood behavior.
Here is some advice to those in charge of the majority of Domain Name Servers that do not need to perform recursive queries: Turn off recursion. Simply put “recursion no” into the config file.
And for those that need to recurse for local clients? Be a good Internet citizen; restrict it to your own netblocks.
The biggest challenge to implementing source address validation is that there is no immediate benefit to be realized by those companies who do it. However, the stakes are higher than short-term returns. Until now, the Internet has governed itself and it has done a good job of it. If continued bad behavior is exhibited, the chances increase that governance of the Internet will be taken from Internet citizens and turned over to authoritative entities. So the onus to make the necessary adjustments to the infrastructure lies with all of us. I invite all ISPs to put good citizenship above all else and do their part toward making IP spoofing a thing of the past.