ICANN SSAC on DDoS, DNS and BCP 38

ICANN's Security and Stability Advisory Committee (SSAC) document Advisory on DDoS Attacks Leveraging DNS Infrastructure, published this week, provides a much-needed touchstone for the Internet in its current state. DDoS attacks, such as the one directed at Spamhaus last spring, continue to grow in size. Their magnitude poses a threat to the very fabric of the Internet and limits hosting choices among the Internet business community to a very small set of service providers, which is not healthy for either the 'net or for businesses. That doesn't even consider the immense damage to sites taken offline by such criminal acts, and DDoS is often accompanied by further criminal extortion attempts. When potential state actors are factored in alongside vandals and criminals, the risk of severe Internet instability due to DDoS is untenably high.

Notable in the ICANN SSAC report are the suggestions regarding BCP 38 (also RFC 2827) on pages 12-14. BCP 38, published in 2000, is still the best current practice of ingress traffic filtering at the periphery of Internet connected networks in order to reduce the effectiveness of source address spoofing in denial of service attacks, and proper implementation of those practices effectively stops the reflection attack vectors which are so common these days. While full implementation of BCP 38 at all nodes on all networks is a lofty goal, not easily achievable, there are networks on the Internet which so badly fail to do any implementation of BCP 38 that they are well known by the bad actors and widely used as platforms to launch their attacks. Adoption of BCP 38 by those networks is a low hanging fruit in the goal of DDoS risk abatement.

That ICANN SSAC report focuses on the open DNS resolver problem, and it's a big problem. According to the Open Resolver Project there are about 28 million DNS resolvers on the Internet which presently are configured in such a way that they pose a threat to the rest of the 'net at large. While that's a whole lot of machines which need reconfiguration, the problem is not unsolvable. New DNS servers should default to a secure configuration, and education and awareness efforts can bring many existing machines into compliance. Still, open resolvers are a present and persistent DDoS threat for years to come.

The report doesn't cover NTP servers, another common vector of DDoS popular with miscreants over the past year. The Open NTP Project is amassing information about open NTP servers and ways to secure them. (Hint: it's easy for most system admins to fix!) There are still other protocols which can also be abused in reflected DDoS attacks, so just fixing one set of problems won't make all DDoS stop, but each server secured is one less source of attack ammunition for the bad guys.

Spamhaus thanks ICANN SSAC for that report, encourages all network admins and operators to read up on it and secure their servers, and strongly supports all efforts to implement BCP 38.

Additional reading:

http://www.ietf.org/mail-archive/web-old/ietf-announce-old/current/msg29176.html - BCP 84, RFC 3704 - Ingress Filtering for Multihomed Networks

http://arxiv.org/abs/1202.4008 - Modeling Internet-Scale Policies for Cleaning up Malware

http://www.informationweek.com/security/attacks-and-breaches/ddos-attack!-is-regulation-the-answer/d/d-id/1114050 - DDoS Attack! Is Regulation The Answer?

http://www.ren-isac.net/alerts/REN-ISAC_Alert_NTP_Amp_DDoS_TECH_201403.html - ALERT: NTP-Based Distributed Denial of Service Attacks Prevent your institution from being an unwitting partner in these attacks

http://www.callevanetworks.com/the-biggest-ddos-attack-in-history-all-due-to-dns/ - The biggest DDoS attack in history, all due to DNS

http://networkmanagement.comcast.net/index.php/8-network-management-news/40-preventing-network-spoofing - Comcast/Xfinity: Preventing Network Spoofing

https://securityskeptic.typepad.com/the-security-skeptic/2011/06/internet-address-hijacking-spoofing-and-squatting-attacks.html - Internet Address Hijacking, Spoofing and Squatting Attacks, Dave Piscitello, 22 June 2011