Together with our partner The Measurement Factory, Infoblox has just completed our fifth annual DNS Survey. We’re still poring over the results, but one number that stands out to me is our latest estimate of the total population of name servers on the Internet, which has jumped to 16.3 million name servers this year from 11.7 million in 2007. (2008’s results were a little suspect.)
Two questions spring to mind: First: Are there really that many name servers on the Internet? And second: How could that number have grown so dramatically in two years?
There’s a single answer to both questions: They’re mostly CPE. As many of you know already, CPE stands for customer premises equipment. It’s a carrier’s term for a device on the far end (from their standpoint) of a subscriber’s link to the Internet. They’re often nominally DSL or cable routers, but increasingly they support functions like embedded DNS proxy servers. That’s why our survey identifies them as name servers: They respond to our probes just as a recursive name server would.
Just like an open recursive name server would, to be more precise. For the most part, these babies don’t have any kind of access control whatsoever. They’ll accept queries from any old IP address on the Internet, resolve them, and return the answer. Now you might think that would make them good citizens, but in fact it’s just the opposite: Open recursors can be and are often used in DDoS attacks. A hacker spoofs queries from the IP address of a host (web server, mail server, what-have-you) he’d like to target and sends those queries to open recursors around the Internet. The open recursors respond to the targeted host. Worse, the hacker generally chooses a query that will return as large a response as possible, near the 4096-byte limit advertised by most BIND name servers. He can do that with a very modest-sized query of less than 100 bytes, giving him access to tremendous amplification. Send 1000 queries per second to 1000 open recursors (a million 4096-byte responses per second aimed at the target) and you’ve got a formidable DDoS attack of 32 Gbps.
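As an added illustration (not code from the original post or from the survey’s tooling), the following Python shows how a probe reply is classified and why access control matters: a resolver that answers a recursive query from an address outside its own network with RA set is an open recursor, while one that returns REFUSED is doing its job. It also measures the response-to-query size ratio that the amplification figure above rests on. The packets are constructed inline; example.com and 192.0.2.1 are placeholder values.

```python
import struct

def build_query(name: str, ident: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal recursive (RD=1) DNS query for `name`, type A by default."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)  # flags: RD set, nothing else
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the check relies on."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def classify(query: bytes, response: bytes) -> str:
    """Classify a resolver's reply to an RD query that arrived from an outside address.

    'open-recursor': it recursed for a stranger (RA set, answers returned, NOERROR).
    'refused':       it has access control and said so (RCODE 5).
    'closed':        anything else that is a response but not a resolved answer.
    """
    h = parse_header(response)
    if h["id"] != parse_header(query)["id"] or not h["qr"]:
        return "not-a-response"
    if h["rcode"] == 5:
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursor"
    return "closed"

def amplification(query: bytes, response: bytes) -> float:
    """Bytes sent to the victim per byte the attacker had to send (the amplification factor)."""
    return len(response) / len(query)

# Constructed sample traffic (not captured from any real network).
QUERY = build_query("example.com")          # 29 bytes on the wire
QUESTION = QUERY[12:]                       # question section, echoed back in replies
# A locked-down resolver: QR=1, RD=1, RA=0, RCODE=5 (REFUSED), no answers.
REFUSED = struct.pack("!6H", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION
# An open recursor: QR=1, RD=1, RA=1, NOERROR, one A record (name is a pointer to offset 12).
ANSWER_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER_RR

if __name__ == "__main__":
    for label, reply in (("locked-down CPE", REFUSED), ("open CPE proxy", OPEN)):
        print(f"{label}: {classify(QUERY, reply)}, amplification x{amplification(QUERY, reply):.2f}")
```

A single A record barely amplifies; the factor climbs toward 4096/29 only when the reply is padded out to the 4096-byte limit mentioned above, which is exactly why access control on the recursor, not response size, is the fix.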
If these open recursive name servers were rare, these attacks wouldn’t be a problem. Fielding a thousand or more open recursors might require too much effort to be worth the hacker’s while. But our survey results show exactly the opposite trend: Not only is the number of name servers increasing, but the proportion of open recursors is now increasing, too. The percentage of open recursors rose in this year’s survey to a whopping 79.6% of the name servers identified, up from 52% in 2007.
Geoff Sisson, who conducted this year’s survey, lays the blame on CPE: “4.4% of all IP addresses in French address blocks replied to probes, more than five times as many as responded on average to all probes globally. This is due to the broad deployment of totd (“Trick or Treat Daemon”) in France Telecom’s network. totd is a DNS proxy that forwards queries from pure IPv6 networks. Over 99.9% of all hosts running totd in France and nearly 92% of all hosts running totd anywhere were in AS 3215, France Telecom’s primary AS.”
It’s tempting to dismiss the spike in the percentage of open recursors as simple bad luck, since we choose the networks to probe randomly and this time drew some of France Telecom’s networks. But Geoff saw much the same phenomenon on Spanish networks, too.
Our next order of business is to contact France Telecom to confirm our identification of totd and impress upon them the importance of shipping CPE that supports access control on queries, and with a configuration that only proxies their subscribers’ queries by default.