Maybe the sky is only falling a little bit

There was quite a bit of breathless reporting last week about the DoS against Spamhaus and how it was large enough to break the Internet. As the postmortem has gone on, a few things are becoming clear.

  1. There was a lot of traffic, enough to swamp some major transit points.
  2. Most people, particularly in the US, saw no problems.
  3. Network engineers had more than a few sleepless nights trying to route around the DoS.
  4. Open DNS resolvers are evil and should be closed.

Open DNS resolvers are, I think, a big issue. These are machines working as intended (i.e., not infected with any software) that can be used to amplify traffic and maliciously attack other machines. It’s not the first time standard configurations of machines facilitated abuse (see smurf attack or open relay as examples). In those cases, though, there was considerable response by the Internet and security community to prevent abuse from those machines. Large providers instituted ingress filtering to stop their networks (and their customer networks) from participating in smurf attacks. Lists of open relays were published and prevented from mailing to large networks.
Overall, although neither the number of smurf amplifiers nor the number of open relays has been brought to zero, their numbers have been reduced sufficiently that they are no longer major attack vectors.
I expect to see the number of open resolvers decrease in the future as well. And if open resolvers aren’t closed, they may be isolated so they can’t hurt the rest of us. This may cause network problems for folks using open resolvers. But I can’t feel too sorry for them, when closing a resolver is simple and the price of leaving it open is so high for the rest of us.
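As an added example (not part of the original post): a small check an operator can run against a resolver they manage, from a network it should not serve, to see whether it recurses for outsiders. The function names, the constructed sample header bytes and the use of example.com as the probe name are assumptions made for illustration.

```python
import socket
import struct

RD, RA = 0x0100, 0x0080  # header flag bits: recursion desired / available

def build_query(name, qid=0x1234):
    """Build a DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data, qid=0x1234):
    """Classify a reply to build_query() from the DNS header alone."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:   # wrong ID, or not a response
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:
        return "closed"                    # REFUSED: recursion denied to us
    if flags & RA and rcode == 0 and ancount > 0:
        return "open"                      # recursed for us and answered
    if flags & RA:
        return "recursion-offered"         # RA set but no answer; investigate
    return "closed"                        # no RA: authoritative-only/referral

def check_resolver(ip, name="example.com", timeout=3.0):
    """Query a resolver you operate, from an address outside its client ACL."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify_response(data)

# Constructed sample replies (header only), not captured traffic.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    print(classify_response(SAMPLE_OPEN), classify_response(SAMPLE_REFUSED))
```

A result of "open" from an outside address means the resolver should have recursion restricted to its own clients.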
