STEAM-ADVISORY NO. 2013082601
PURDUE UNIVERSITY SECURITY TEAM CIRT
Monday, August 26 17:40:00 EDT 2013

==OVERVIEW==

We have received several external notices of open DNS servers on the Purdue network that answer recursive requests. These servers can be used to attack other organizations through Distributed Denial of Service (DDoS) attacks. This type of attack is known as DNS Amplification. To prevent the Purdue network from being a launch point for devastating attacks across the Internet, we ask that you review your DNS configuration and disable recursive requests.

==SYSTEMS AFFECTED==

Open DNS servers that answer recursive requests are used to attack other systems at Purdue and across the Internet.

==DETAILS==

Open DNS resolvers can be abused to launch DDoS attacks against web sites, servers, and services. These attacks can deny legitimate service to authorized users as well as cause performance side effects for smaller networks. This type of attack is known as a DNS amplification attack. A small, spoofed recursive DNS request can generate a large response sent to the target. As more illegitimate requests are made, the target is quickly overwhelmed, resulting in a denial of service.

A misconfigured DNS server can be used to participate in DDoS attacks. This means that DNS servers in your domain that resolve recursive requests can be used to attack other systems here at Purdue and across the Internet.

In addition to attacking remote systems, the traffic generated by DNS amplification attacks can saturate local networks and degrade performance for your local network and the entire campus. Attacks originating from the Purdue network can lead to subnet blacklisting and harm to Purdue's reputation.

==SOLUTIONS==

1) Limit DNS recursive requests to a group of authorized local clients, if recursive requests are needed.
2) Disable recursive requests for all other clients.

Details for the configuration of BIND and Windows are included in the articles below.

w w w .us-cert.gov/ncas/alerts/TA13-088A
technet.microsoft.com/en-us/library/cc771738.aspx
(remove spaces from links)

==VERIFICATION==

The Nmap network mapping tool can be used to verify that the DNS resolver no longer answers recursive DNS requests. Use the following command, replacing <IP> with the IP address of the DNS server, to verify that DNS recursive requests have been disabled:

$ nmap -sU -p 53 -sV -P0 --script "dns-recursion" <IP>

==FURTHER INFORMATION AND RESOURCES==

w w w .us-cert.gov/ncas/alerts/TA13-088A
w w w .openresolverproject.org
w w w .nmap.org
(remove spaces from links)

==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to: firstname.lastname@example.org.

Report computer-related abuse to steam-cirt:

w w w.purdue.edu/securePurdue/incidentReportForm.cfm
w w w.purdue.edu/securepurdue/steam
(remove spaces from links)
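For administrators who want to see what the check in the VERIFICATION section looks at on the wire, the following is an added example (not part of the original advisory and not Nmap's code) that sends one query with the "recursion desired" bit set to your own DNS server and classifies the reply from its header flags. The function names, the query name example.com and the sample headers are assumptions made for illustration.

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # response, recursion desired, recursion available
TXID = 0x1234                          # fixed ID, fine for a one-shot check

def build_query(name, txid=TXID):
    """A-record query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def classify_response(packet, txid=TXID):
    """Decide from the 12-byte DNS header whether recursion was offered."""
    if len(packet) < 12:
        return "malformed"
    rid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:                       # REFUSED: the result the advisory asks for
        return "refused"
    if flags & RA:
        return "open-recursion" if rcode == 0 and answers else "recursion-offered"
    return "no-recursion"

def check_server(ip, name="example.com", timeout=3.0):
    """Query `ip` over UDP/53; run from a host outside the authorized client group."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer"
    return classify_response(data)

# Constructed sample headers (not captured traffic), so the logic runs offline.
SAMPLE_OPEN = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)     # RA set, 1 answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0)  # rcode 5

if __name__ == "__main__":
    print("open sample:   ", classify_response(SAMPLE_OPEN))
    print("refused sample:", classify_response(SAMPLE_REFUSED))
```

Call check_server() with your server's address from a machine that is not in the authorized client group, and use a query name the server is not authoritative for; a client that is allowed to recurse will correctly see recursion offered.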
Posted by ITSP on August 26, 2013, in Advisory Alerts.