Open DNS resolvers that answer queries coming from anyone have been the main component of a large number of DDoS attacks in recent years.
When queries with a spoofed source address are sent to such an open resolver, the resolver sends its answers to that spoofed address. An attacker spoofs the address of their target and sends a large number of queries to an open resolver, creating a deluge of large DNS answers towards the target.
As these open resolvers function as a point of reflection (the original source is not visible on the target’s side) and amplification (small queries in, large answers out), they are potent and desirable resources for attackers. More details of these concepts and defence mechanisms are explained in this post on the Akamai blog.
Scanning for open resolvers
For an attacker, finding these open resolvers is easy for IPv4: simply send a query to every possible IPv4 address and see whether you get a response! Perfectly feasible using commodity hardware and a half-decent home connection.
However, trying all the possible IPv6 addresses would consume your lifetime, and then some, and then some more after that.
Having said this, at the University of Twente, my colleagues and I undertook some experiments to see if other potential ways to do it were realistic. We found that they were; our research took an active measurement approach to successfully enumerate a relevant list of open resolvers on IPv6 in the wild that could be potentially exploited in a DDoS attack.
I am not going to publish the research method here but we have spoken about this at technical conferences to raise awareness among the technical community (more on these ethical decisions below).
The main message to take from our work is that this research is a wake-up call for network operators who have left resolvers on IPv6 open. The sheer size of the IPv6 address space is not an adequate defence against having open DNS resolvers (mis)used by DDoS attackers.
What we found – time to lose sleep
Our research identified 1,038 unique IPv6 open resolvers. The IPv4 open resolver count is in the order of magnitude of 10 million, so 1,038 does not sound that impressive nor worrisome, does it?
Nobody will lose sleep over 1,038 residential routers with a 2 Mbps uplink.
Everybody should lose sleep over 1,038 highly available infrastructural resolvers with a 1 or 10 GbE uplink — a handful of the latter would be a potent attack resource.
Of the IPv6 resolvers found, 745 (72%) were indeed infrastructural. Analysis of the Interface Identifiers (IIDs), the last 64 bits of these addresses, emphasises the likelihood that these machines were explicitly configured by humans to resolve: of the 1,038 addresses, 622 featured all zeroes but the last two bytes, like so: `2001:db8:2:3::53` (short for `2001:db8:2:3:0:0:0:53`).
Moreover, 570 of these 622 addresses show only decimal characters in the last two bytes — no hexadecimals.
Compare this with an automatically configured stateless address (SLAAC), filled with hexadecimal characters, and most people will agree the shorter, ‘decimal’ one is preferable to work with.
Of the 1,038 addresses, only 225 have any hexadecimal character: 83 of these are SLAAC addresses, based on the embedded `ff:fe` part.
Conclusion: we don’t have exact numbers on how many of the found IPv6 open resolvers are definitely infrastructural, but we have multiple reasons to believe it’s a significant share.
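To apply the same IID heuristics to a resolver inventory of your own (all-zero IID except the last two bytes, decimal-only last two bytes, any hexadecimal character, and the `ff:fe` marker of a SLAAC/EUI-64 address), here is an added Python example; it is not code from the original study, and the address list is a constructed sample from the `2001:db8::/32` documentation prefix.

```python
import ipaddress
from collections import Counter

# Constructed sample inventory (documentation prefix, not real resolvers),
# mimicking the address patterns described in the post.
SAMPLE_RESOLVERS = [
    "2001:db8:2:3::53",                   # zero IID, decimal last two bytes
    "2001:db8:10:1::2",                   # same pattern
    "2001:db8:a:b::1f",                   # zero IID, but hex chars in last two bytes
    "2001:db8:1:2:21a:4dff:fe12:3456",    # SLAAC / EUI-64 (ff:fe in the IID)
    "2001:db8:5:6:1234:5678:9abc:def0",   # random-looking hex IID
]


def classify_iid(addr: str) -> dict:
    """Classify the 64-bit Interface Identifier of one IPv6 address.

    zero_prefixed : the first six bytes of the IID are zero, i.e. only the
                    last two bytes are set (the `::53` style)
    decimal_only  : the last two bytes, written in hex, use only 0-9
    has_hex_chars : the IID contains any of a-f when written in hex
    slaac         : bytes 3-4 of the IID are ff:fe (EUI-64 / SLAAC)
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # last 64 bits, network order
    last_two = iid[6:]                             # e.g. 0x0053 for ::53
    return {
        "zero_prefixed": iid[:6] == b"\x00" * 6,
        "decimal_only": last_two.hex().isdigit(),  # "0053" -> True, "001f" -> False
        "has_hex_chars": any(c in "abcdef" for c in iid.hex()),
        "slaac": iid[3:5] == b"\xff\xfe",
    }


def summarise(addrs) -> dict:
    """Count the flags the post reports: zero-prefixed IIDs, the decimal-only
    subset of those, addresses with any hex character, and the SLAAC subset."""
    counts = Counter()
    for addr in addrs:
        flags = classify_iid(addr)
        counts["total"] += 1
        counts["zero_prefixed"] += flags["zero_prefixed"]
        counts["zero_prefixed_decimal"] += flags["zero_prefixed"] and flags["decimal_only"]
        counts["has_hex_chars"] += flags["has_hex_chars"]
        counts["slaac"] += flags["slaac"]
    return dict(counts)


if __name__ == "__main__":
    for addr in SAMPLE_RESOLVERS:
        print(addr, classify_iid(addr))
    print(summarise(SAMPLE_RESOLVERS))
```

Addresses that are zero-prefixed and not SLAAC are the ones most likely to be hand-configured infrastructure and therefore worth checking first for open recursion.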
Even if we are dealing with a high-bandwidth, well-connected infrastructural resolver, it does not automatically mean it is effective as a reflection and amplification point.
With most authoritative nameservers having implemented Response Rate Limiting (RRL), an attack will be limited if the open resolver has to contact an authoritative nameserver for every single query. However, if the open resolver caches the answers, there is no need to repeatedly query that authoritative nameserver, making it a far more effective open resolver in terms of possible misuse.
We found that 922 of the 1,038 IPv6 resolvers cache answers. That’s 89%.
Where are these open resolvers?
A brief look into where these open resolvers are located tells us two things.
First, network-wise, the 1,038 resolvers are spread over 216 Autonomous Systems (ASes). This means the problem (by now we agree that we are dealing with ‘a problem’, right?) is not caused by just one or two shady or misconfigured networks. That said, the top 10 ASes containing the most open resolvers account for a little over 50% of all of them.
Geographically, we find a slight bias towards Western Europe and Asia. This might be explained by the adoption and deployment numbers of IPv6 being higher as well. With only 1,038 data points, it’s hard to make any statistically correct claims. The main takeaway here is that operators should be aware of possible open resolvers in their IPv6 networks, and fix it.
This kind of research is definitely a lot of fun, both to carry out and to see the results coming from it. It does, however, quickly enter a grey area, ethically speaking, in terms of using a method of finding vulnerable machines and causing more noise on the Internet.
As for the scans, it would have been great if we could reuse large-scale scans from other researchers, network operators and/or enthusiasts so as not to introduce more noise on the Internet than there already is. But, because of some technical requirements on our side (basically, accepting far more DNS responses than only completely sane and valid ones), existing datasets did not suffice. The machine performing our scans hosted a simple website explaining what we were doing and provided an email address for operators to request blacklisting of their networks.
This study should help operators, not annoy them by tickling their detection systems.
For obvious reasons, we do not simply publish the list of open resolvers found. Publishing the way to find them can still raise eyebrows; however, we are probably not the first to think of it. Our research was based entirely on existing, standardized technology — that is, technology available to anyone.
So there you have it
A fistful of open resolvers on IPv6. Our approach did not find all the open resolvers with IPv6 connectivity out there, but the point is that it is feasible to find enough to cause problems.
We want to make our results useful for operators. Efforts of merging our approach in existing ‘open resolver’-services are ongoing, but for any questions about either the method or the results, please contact us.
Luuk Hendriks is a PhD student at Design and Analysis of Communication Systems, University of Twente, Netherlands.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.