There was quite a bit of breathless reporting last week about the DoS against Spamhaus and how it was large enough to break the Internet. As the postmortem has gone on, a few things are becoming clear.
- There was a lot of traffic, enough to swamp some major transit points.
- Most people, particularly in the US, saw no problems.
- Network engineers had more than a few sleepless nights trying to route around the DoS.
- Open DNS resolvers are evil and should be closed.
The Open DNS resolvers are, I think, a big issue. These are machines working as intended (ie, not infected with any software) that can be used to amplify traffic and maliciously attack other machines. It’s not the first time standard configurations of machines facilitated abuse (see smurf attack or open relay as examples). In those cases, though, there was considerable response by the Internet and security community to prevent abuse from those machines. Large providers instituted ingress filtering to stop their networks (and their customer networks) from participating in smurf attacks. List of open relays were published and prevented from mailing to large networks.
Overall, neither the number of smurf amplifiers nor the number of open relays have been brought to zero, their numbers have been reduced sufficiently so they are no longer major attack vectors.
I expect to see the number of open resolvers decrease in the future as well. And if open resolvers aren’t closed, they may be isolated so they can’t hurt the rest of us. This may cause network problems for folks using open resolvers. But I can’t feel too sorry for them, when closing a resolver is simple and the price of leaving it open is so high for the rest of us.