Research commissioned by Infoblox, a company that sells network services appliances including DNS servers, suggests that telecommunications companies are leaving their modems open to attackers who can use them to mount DDoS attacks. The fault lies with servers that have been configured for open recursive lookups.
The Domain Name System (DNS) is the function that translates an internet domain name into the underlying IP address of the server hosting the resource.
When your browser needs to find an IP address, it asks a DNS server to deliver the result. If it doesn't have the answer stored locally, that DNS server will ask another, which may ask yet another, until eventually a DNS server is reached that has the answer.
DNS servers that are open will take queries from any address on the web, whereas locked-down DNS servers only accept requests from a trusted set of addresses.
The DDoS attacks using rogue DNS queries work by spoofing the IP address of the client asking for the DNS lookup. Instead of giving the DNS server the real client's address, it will substitute it with the address of the internet-based server that it wants to hit with a DDoS attack.
The DNS server will then send the result - which is around 4Kb, and therefore far larger than the size of the original query - to the target. When large numbers of DNS servers are fooled into sending these results to the wrong address, it can stop the target from functioning.
Having a large number of residential broadband modems running DNS servers that are prepared to take queries from untrusted sources provides malicious parties with a perfect set of resources that they can use to mount a DDoS attack.
"The real danger is that these devices can be used in distributed denial of service attacks against others, and a population of only a thousand or so well-connected devices can mount a potent DDoS attack. We estimate that the population of these devices is over ten million", said Cricket Liu, spokesperson for Infoblox.
He added that the telecommunications carriers were responsible for the problem, because they failed to configure their devices properly. "They should ensure their devices on customer premises ship with a secure default configuration", he concluded.