SlideShare a Scribd company logo

The curse of the open recursor

Tom Paseka
Tom Paseka

This document discusses open recursive DNS resolvers and the security issues they pose. It notes that while recursive resolvers are meant to cache and deliver DNS queries, many are not properly secured, allowing them to be abused for large reflection attacks. These attacks work by spoofing the source IP address of the victim in queries to open resolvers, which then send much larger responses to the victim, amplifying the attack traffic. The document shows that open resolvers come from networks all over the world and urges securing resolvers by filtering source addresses and disabling insecure recursive features.

Technology
1 of 27
Tom Paseka The curse of the Open Recursor Network Engineer tom@cloudflare.com
Recursors Why? •  Exist to aggregate and cache queries •  Not every computer run its own recursive resolver. •  ISPs, Large Enterprises run these •  Query through the root servers and DNS tree to resolve domains •  Cache results •  Deliver cached results to clients. www.cloudflare.com 2
Recursors The Problem! •  Example of DNS Based reflection attack from a Peer in Hong Kong. www.cloudflare.com 3
Recursors Open / Unsecured Recursors ? •  DNS server set up for recursion •  ie. non-authoritative •  Will answer for zones it is not authoritative for •  Recursive lookups •  Will answer queries for anyone •  Some Public Services: 
 Google, OpenDNS, Level 3, etc. •  These are “special” set-ups and secured. www.cloudflare.com 4
Recursors Say Again? •  There are hundreds of thousands of DNS Recursors. •  Many of these are not secured. •  Non secured DNS Recursors can and will be abused •  CloudFlare has seen DNS reflection attacks hit 100Gbit traffic globally. www.cloudflare.com 5
What is a Reflection Attack?
Reflection Attack •  UDP Query •  Spoofed source •  Using the address of the person you want to attack •  DNS Server used to attack the victim (sourced address) •  Amplification used •  Querying domains like ripe.net or isc.org •  ~64 byte query (from attacker) •  ~3233 byte reply (from unsecured DNS Server) •  50x amplification! •  Running an unsecured DNS server helps attackers! www.cloudflare.com 7
Reflection Attack Attacker Attack Target ANY ANY ANY isc.org isc.org isc.org Large Large Large Large Large Large Reply Reply Reply Reply Reply Reply Unsecured DNS Unsecured DNS Recursors Recursors Large Large Large Reply Reply Reply Unsecured DNS www.cloudflare.com 8 Recursors
Reflection Attack •  With 50x amplification: •  1Gbit uplink from attacker (eg: Dedicated Servers) •  50Gbit attack •  Enough to bring most services offline! •  Prevention is the best remedy. •  In recent attacks, we’ve seen around 80,000 open/ unsecured DNS Resolvers being used. •  At just 1Mbit each, that’s 80Gbit! •  1mbit of traffic may not be noticed by most operators. •  80Gbit at target is easily noticed! www.cloudflare.com 9
Where are they coming from?
Where are the open Recursors? • Nearly Everywhere! •  CloudFlare has seen DNS Reflected attack traffic from: •  27 out of 56 Economies in APNIC Region •  More attacks from higher populated economies. www.cloudflare.com 11
Where are the open Recursors? www.cloudflare.com 12
Where are the open Recursors? www.cloudflare.com 13
Where are the open Recursors? www.cloudflare.com 14
Where are the open Recursors? www.cloudflare.com 15
Where are the open Recursors? www.cloudflare.com 16
Where are the open Recursors? www.cloudflare.com 17
Where are the open Recursors? Open Open Country   Country   Recursors   Recursors   Japan 4625 Bangladesh 103 China 3123 New Zealand 98 Taiwan 3074 Cambodia 13 South Korea 1410 Sri Lanka 7 India 1119 Nepal 7 Pakistan 1099 Mongolia 5 Australia 761 Laos 4 Thailand 656 Bhutan 2 Malaysia 529 New Caledonia 2 Hong Kong 435 Fiji 2 Indonesia 349 Maldives 2 Papua New Vietnam 342 Guinea 1 Philippines 151 Afghanistan 1 Singapore 118 www.cloudflare.com 18
Where are the open Recursors? Some Networks: Open Country ASN Network Name Recursors TW 3462 HINET Data Communication Business Group 2416 CN 9394 CRNET CHINA RAILWAY Internet(CRNET) 1052 JP 4713 OCN NTT Communications Corporation 1044 PK 45595 PKTELECOM-AS-PK Pakistan Telecom Company Limited 1030 CN 4134 CHINANET-BACKBONE No.31,Jin-rong Street 851 JP 2514 INFOSPHERE NTT PC Communications, Inc. 542 JP 17506 UCOM UCOM Corp. 378 www.cloudflare.com 19
Where are the open Recursors? •  Where are they running? Mostly on Servers.
 ~11,000 Servers profiled from Asia-Pac Networks. ~7,500 BIND ~1600 unknown / undetermined ~900 Microsoft DNS Server ~500 dnsmasq ~200 ZyWALL DNS (a consumer internet router)
 
 www.cloudflare.com 20
How to fix this?
Fixing this? Preventative Measures! •  BCP-38 •  Source Filtering. •  You shouldn’t be able to spoof addresses. •  Needs to be done in hosting and ISP environments. •  If the victim’s IP can’t be spoofed the attack will stop •  Will also help stop other attack types •  (eg: Spoofed Syn Flood). www.cloudflare.com 22
Fixing this? Preventative Measures! •  DNS Server Maintenance
 •  Secure the servers! •  Lock down recursion to your own IP addresses 
 •  Disable recursion •  If the servers only purpose is authoritative DNS, disable recursion •  Turn them off! •  Some Packages (eg, Plesk, cPanel) have included a recursive DNS server on by default. www.cloudflare.com 23
Fixing this? Consumer Internet Routers / Modems •  Update firmware. •  Some older firmware has security bugs •  Allows administration from WAN (including DNS, SNMP) •  Does the feature need to be on? •  Make sure its set up properly www.cloudflare.com 24
Fixing this? Information •  BCP-38: http://tools.ietf.org/html/bcp38
 •  BIND:
 http://www.team-cymru.org/Services/Resolvers/ instructions.html
 •  Microsoft: http://technet.microsoft.com/en-us/library/cc770432.aspx www.cloudflare.com 25
26 Questions?
27 Thank You

Recommended

Spoofing and Denial of Service: A risk to the decentralized Internet
Spoofing and Denial of Service: A risk to the decentralized InternetSpoofing and Denial of Service: A risk to the decentralized Internet
Spoofing and Denial of Service: A risk to the decentralized Internet
APNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
Tom Paseka
 
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gapCloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
Tom Paseka
 
Routing for an Anycast CDN
Routing for an Anycast CDNRouting for an Anycast CDN
Routing for an Anycast CDN
Tom Paseka
 
More specific announcments in BGP
More specific announcments in BGPMore specific announcments in BGP
More specific announcments in BGP
APNIC
 
Zombie DNS
Zombie DNSZombie DNS
Zombie DNS
APNIC
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNIC
APNIC
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering Automation
Tom Paseka
 

Recommended

Spoofing and Denial of Service: A risk to the decentralized Internet
Spoofing and Denial of Service: A risk to the decentralized InternetSpoofing and Denial of Service: A risk to the decentralized Internet
Spoofing and Denial of Service: A risk to the decentralized Internet
APNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
Tom Paseka
 
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gapCloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
Tom Paseka
 
Routing for an Anycast CDN
Routing for an Anycast CDNRouting for an Anycast CDN
Routing for an Anycast CDN
Tom Paseka
 
More specific announcments in BGP
More specific announcments in BGPMore specific announcments in BGP
More specific announcments in BGP
APNIC
 
Zombie DNS
Zombie DNSZombie DNS
Zombie DNS
APNIC
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNIC
APNIC
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering Automation
Tom Paseka
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
MyNOG
 
Welcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, MongoliaWelcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, Mongolia
APNIC
 
The Stakes Have Changed – The Changing Security Landscape by Tony Teo
The Stakes Have Changed – The Changing Security Landscape by Tony TeoThe Stakes Have Changed – The Changing Security Landscape by Tony Teo
The Stakes Have Changed – The Changing Security Landscape by Tony Teo
MyNOG
 
Combating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaCombating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in Asia
MyNOG
 
Netflix CDN and Open Source
Netflix CDN and Open SourceNetflix CDN and Open Source
Netflix CDN and Open Source
Gleb Smirnoff
 
IPv6 Deployment Architecture for Broadband Access Networks
IPv6 Deployment Architecture for Broadband Access NetworksIPv6 Deployment Architecture for Broadband Access Networks
IPv6 Deployment Architecture for Broadband Access Networks
APNIC
 
Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...
APNIC
 
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PROIDEA
 
CDN_Netflix_analysis
CDN_Netflix_analysisCDN_Netflix_analysis
CDN_Netflix_analysis
Sanket Jain
 
Internet Noise (A Story About Two Little Subnets - Tom Paseka
Internet Noise (A Story About Two Little Subnets - Tom PasekaInternet Noise (A Story About Two Little Subnets - Tom Paseka
Internet Noise (A Story About Two Little Subnets - Tom Paseka
MyNOG
 
Interconnection in Regional Markets
Interconnection in Regional MarketsInterconnection in Regional Markets
Interconnection in Regional Markets
Tom Paseka
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
APNIC
 
Open Connect Appliances - Jocelyn Ooi
Open Connect Appliances - Jocelyn OoiOpen Connect Appliances - Jocelyn Ooi
Open Connect Appliances - Jocelyn Ooi
MyNOG
 
Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017
APNIC
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
APNIC
 
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina BargisenPLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PROIDEA
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
APNIC
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
IKT-Norge
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS Openness
APNIC
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
MyNOG
 
set & logo
set & logoset & logo
set & logo
Masoumeh Shokri
 
Impresa italia bari
Impresa italia bariImpresa italia bari
Impresa italia bari
Impresa Italia
 

More Related Content

What's hot

DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
MyNOG
 
Welcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, MongoliaWelcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, Mongolia
APNIC
 
The Stakes Have Changed – The Changing Security Landscape by Tony Teo
The Stakes Have Changed – The Changing Security Landscape by Tony TeoThe Stakes Have Changed – The Changing Security Landscape by Tony Teo
The Stakes Have Changed – The Changing Security Landscape by Tony Teo
MyNOG
 
Combating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaCombating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in Asia
MyNOG
 
Netflix CDN and Open Source
Netflix CDN and Open SourceNetflix CDN and Open Source
Netflix CDN and Open Source
Gleb Smirnoff
 
IPv6 Deployment Architecture for Broadband Access Networks
IPv6 Deployment Architecture for Broadband Access NetworksIPv6 Deployment Architecture for Broadband Access Networks
IPv6 Deployment Architecture for Broadband Access Networks
APNIC
 
Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...
APNIC
 
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PROIDEA
 
CDN_Netflix_analysis
CDN_Netflix_analysisCDN_Netflix_analysis
CDN_Netflix_analysis
Sanket Jain
 
Internet Noise (A Story About Two Little Subnets - Tom Paseka
Internet Noise (A Story About Two Little Subnets - Tom PasekaInternet Noise (A Story About Two Little Subnets - Tom Paseka
Internet Noise (A Story About Two Little Subnets - Tom Paseka
MyNOG
 
Interconnection in Regional Markets
Interconnection in Regional MarketsInterconnection in Regional Markets
Interconnection in Regional Markets
Tom Paseka
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
APNIC
 
Open Connect Appliances - Jocelyn Ooi
Open Connect Appliances - Jocelyn OoiOpen Connect Appliances - Jocelyn Ooi
Open Connect Appliances - Jocelyn Ooi
MyNOG
 
Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017
APNIC
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
APNIC
 
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina BargisenPLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PROIDEA
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
APNIC
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
IKT-Norge
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS Openness
APNIC
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
MyNOG
 

What's hot (20)

DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
 
Welcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, MongoliaWelcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, Mongolia
 
The Stakes Have Changed – The Changing Security Landscape by Tony Teo
The Stakes Have Changed – The Changing Security Landscape by Tony TeoThe Stakes Have Changed – The Changing Security Landscape by Tony Teo
The Stakes Have Changed – The Changing Security Landscape by Tony Teo
 
Combating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaCombating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in Asia
 
Netflix CDN and Open Source
Netflix CDN and Open SourceNetflix CDN and Open Source
Netflix CDN and Open Source
 
IPv6 Deployment Architecture for Broadband Access Networks
IPv6 Deployment Architecture for Broadband Access NetworksIPv6 Deployment Architecture for Broadband Access Networks
IPv6 Deployment Architecture for Broadband Access Networks
 
Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...
 
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
PLNOG 7: Grzegorz Janoszka - Memoirs from an IPv6 deployment in the hosting n...
 
CDN_Netflix_analysis
CDN_Netflix_analysisCDN_Netflix_analysis
CDN_Netflix_analysis
 
Internet Noise (A Story About Two Little Subnets - Tom Paseka
Internet Noise (A Story About Two Little Subnets - Tom PasekaInternet Noise (A Story About Two Little Subnets - Tom Paseka
Internet Noise (A Story About Two Little Subnets - Tom Paseka
 
Interconnection in Regional Markets
Interconnection in Regional MarketsInterconnection in Regional Markets
Interconnection in Regional Markets
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
Open Connect Appliances - Jocelyn Ooi
Open Connect Appliances - Jocelyn OoiOpen Connect Appliances - Jocelyn Ooi
Open Connect Appliances - Jocelyn Ooi
 
Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017Encryption with DANE, NZNOG 2017
Encryption with DANE, NZNOG 2017
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
 
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina BargisenPLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS Openness
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
 

Viewers also liked

set & logo
set & logoset & logo
set & logo
Masoumeh Shokri
 
Impresa italia bari
Impresa italia bariImpresa italia bari
Impresa italia bari
Impresa Italia
 
Global Health Symposium Poster
Global Health Symposium PosterGlobal Health Symposium Poster
Global Health Symposium Poster
Janet Jansen
 
Searching services in cities of italy
Searching services in cities of italySearching services in cities of italy
Searching services in cities of italy
Impresa Italia
 
AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...
AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...
AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...
David Anaya Orellano
 
Proyecto de responsabilidad social vii
Proyecto de responsabilidad social viiProyecto de responsabilidad social vii
Proyecto de responsabilidad social vii
Ronny Larico
 
Holography & its applications
Holography & its applicationsHolography & its applications
Holography & its applications
Bisma Princezz
 
Importancia de una estrategia nacional de turismo por manuel figuerola
Importancia de una estrategia nacional de turismo por manuel figuerolaImportancia de una estrategia nacional de turismo por manuel figuerola
Importancia de una estrategia nacional de turismo por manuel figuerola
Consorcio Dominicano de Competitividad Turística - CDCT
 

Viewers also liked (8)

set & logo
set & logoset & logo
set & logo
 
Impresa italia bari
Impresa italia bariImpresa italia bari
Impresa italia bari
 
Global Health Symposium Poster
Global Health Symposium PosterGlobal Health Symposium Poster
Global Health Symposium Poster
 
Searching services in cities of italy
Searching services in cities of italySearching services in cities of italy
Searching services in cities of italy
 
AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...
AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...
AsesorAmiento en el diseño de núcleos básicos de vivienda en poblaciones vuln...
 
Proyecto de responsabilidad social vii
Proyecto de responsabilidad social viiProyecto de responsabilidad social vii
Proyecto de responsabilidad social vii
 
Holography & its applications
Holography & its applicationsHolography & its applications
Holography & its applications
 
Importancia de una estrategia nacional de turismo por manuel figuerola
Importancia de una estrategia nacional de turismo por manuel figuerolaImportancia de una estrategia nacional de turismo por manuel figuerola
Importancia de una estrategia nacional de turismo por manuel figuerola
 

Similar to The curse of the open recursor

DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Response
pm123008
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
APNIC
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
Bangladesh Network Operators Group
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
Jisc
 
ExEC: Elastic Extensible Edge Cloud
ExEC: Elastic Extensible Edge Cloud ExEC: Elastic Extensible Edge Cloud
ExEC: Elastic Extensible Edge Cloud
Nitinder Mohan
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
Christopher Grayson
 
Integrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureIntegrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing Infrastructure
Hui Cheng
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
APNIC
 
C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...
C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...
C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...
DataStax Academy
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
JosephTesta9
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform Technology
Courtland Smith
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
DNS Entrepreneurship Center
 
FreeSWITCH as a Microservice
FreeSWITCH as a MicroserviceFreeSWITCH as a Microservice
FreeSWITCH as a Microservice
Evan McGee
 
Cdn cs6740
Cdn cs6740Cdn cs6740
Cdn cs6740
Aravindharamanan S
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
APNIC
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
Himanshu Prabhakar
 
Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)
Yen-Kuan Wu
 

Similar to The curse of the open recursor (20)

DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Response
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
 
ExEC: Elastic Extensible Edge Cloud
ExEC: Elastic Extensible Edge Cloud ExEC: Elastic Extensible Edge Cloud
ExEC: Elastic Extensible Edge Cloud
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 
Integrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureIntegrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing Infrastructure
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
 
C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...
C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...
C* Summit 2013: Netflix Open Source Tools and Benchmarks for Cassandra by Adr...
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform Technology
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
FreeSWITCH as a Microservice
FreeSWITCH as a MicroserviceFreeSWITCH as a Microservice
FreeSWITCH as a Microservice
 
Cdn cs6740
Cdn cs6740Cdn cs6740
Cdn cs6740
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)
 

More from Tom Paseka

Peering Asia 2.0: Security in Peering
Peering Asia 2.0: Security in PeeringPeering Asia 2.0: Security in Peering
Peering Asia 2.0: Security in Peering
Tom Paseka
 
The New Edge of the Network
The New Edge of the NetworkThe New Edge of the Network
The New Edge of the Network
Tom Paseka
 
HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?
HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?
HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?
Tom Paseka
 
Detecting spoofing at IxP's
Detecting spoofing at IxP'sDetecting spoofing at IxP's
Detecting spoofing at IxP's
Tom Paseka
 
Interconnection landscape in Asia - TPIX Peering Forum 2017
Interconnection landscape in Asia - TPIX Peering Forum 2017Interconnection landscape in Asia - TPIX Peering Forum 2017
Interconnection landscape in Asia - TPIX Peering Forum 2017
Tom Paseka
 
DDoS And Spoofing, a risk to the decentralized internet
DDoS And Spoofing, a risk to the decentralized internetDDoS And Spoofing, a risk to the decentralized internet
DDoS And Spoofing, a risk to the decentralized internet
Tom Paseka
 
KINX Peering Forum - A Brief Overview of Regulation of Interconnection
KINX Peering Forum - A Brief Overview of Regulation of InterconnectionKINX Peering Forum - A Brief Overview of Regulation of Interconnection
KINX Peering Forum - A Brief Overview of Regulation of Interconnection
Tom Paseka
 
BBIX Asia Internet
BBIX Asia InternetBBIX Asia Internet
BBIX Asia Internet
Tom Paseka
 
New Zealand and the world as a CDN
New Zealand and the world as a CDNNew Zealand and the world as a CDN
New Zealand and the world as a CDN
Tom Paseka
 
flowspec @ APF 2013
flowspec @ APF 2013flowspec @ APF 2013
flowspec @ APF 2013
Tom Paseka
 
nanog
nanognanog
nanog
Tom Paseka
 
Unicast vs Anycast
Unicast vs AnycastUnicast vs Anycast
Unicast vs Anycast
Tom Paseka
 

More from Tom Paseka (12)

Peering Asia 2.0: Security in Peering
Peering Asia 2.0: Security in PeeringPeering Asia 2.0: Security in Peering
Peering Asia 2.0: Security in Peering
 
The New Edge of the Network
The New Edge of the NetworkThe New Edge of the Network
The New Edge of the Network
 
HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?
HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?
HKNOG 6.0 Next Generation Networks - will automation put us out of jobs?
 
Detecting spoofing at IxP's
Detecting spoofing at IxP'sDetecting spoofing at IxP's
Detecting spoofing at IxP's
 
Interconnection landscape in Asia - TPIX Peering Forum 2017
Interconnection landscape in Asia - TPIX Peering Forum 2017Interconnection landscape in Asia - TPIX Peering Forum 2017
Interconnection landscape in Asia - TPIX Peering Forum 2017
 
DDoS And Spoofing, a risk to the decentralized internet
DDoS And Spoofing, a risk to the decentralized internetDDoS And Spoofing, a risk to the decentralized internet
DDoS And Spoofing, a risk to the decentralized internet
 
KINX Peering Forum - A Brief Overview of Regulation of Interconnection
KINX Peering Forum - A Brief Overview of Regulation of InterconnectionKINX Peering Forum - A Brief Overview of Regulation of Interconnection
KINX Peering Forum - A Brief Overview of Regulation of Interconnection
 
BBIX Asia Internet
BBIX Asia InternetBBIX Asia Internet
BBIX Asia Internet
 
New Zealand and the world as a CDN
New Zealand and the world as a CDNNew Zealand and the world as a CDN
New Zealand and the world as a CDN
 
flowspec @ APF 2013
flowspec @ APF 2013flowspec @ APF 2013
flowspec @ APF 2013
 
nanog
nanognanog
nanog
 
Unicast vs Anycast
Unicast vs AnycastUnicast vs Anycast
Unicast vs Anycast
 

Recently uploaded

Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 

Recently uploaded (20)

Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 

The curse of the open recursor

  • 1. Tom Paseka The curse of the Open Recursor Network Engineer tom@cloudflare.com
  • 2. Recursors Why? •  Exist to aggregate and cache queries •  Not every computer run its own recursive resolver. •  ISPs, Large Enterprises run these •  Query through the root servers and DNS tree to resolve domains •  Cache results •  Deliver cached results to clients. www.cloudflare.com 2
  • 3. Recursors The Problem! •  Example of DNS Based reflection attack from a Peer in Hong Kong. www.cloudflare.com 3
  • 4. Recursors Open / Unsecured Recursors ? •  DNS server set up for recursion •  ie. non-authoritative •  Will answer for zones it is not authoritative for •  Recursive lookups •  Will answer queries for anyone •  Some Public Services: 
 Google, OpenDNS, Level 3, etc. •  These are “special” set-ups and secured. www.cloudflare.com 4
  • 5. Recursors Say Again? •  There are hundreds of thousands of DNS Recursors. •  Many of these are not secured. •  Non secured DNS Recursors can and will be abused •  CloudFlare has seen DNS reflection attacks hit 100Gbit traffic globally. www.cloudflare.com 5
  • 6. What is a Reflection Attack?
  • 7. Reflection Attack •  UDP Query •  Spoofed source •  Using the address of the person you want to attack •  DNS Server used to attack the victim (sourced address) •  Amplification used •  Querying domains like ripe.net or isc.org •  ~64 byte query (from attacker) •  ~3233 byte reply (from unsecured DNS Server) •  50x amplification! •  Running an unsecured DNS server helps attackers! www.cloudflare.com 7
  • 8. Reflection Attack Attacker Attack Target ANY ANY ANY isc.org isc.org isc.org Large Large Large Large Large Large Reply Reply Reply Reply Reply Reply Unsecured DNS Unsecured DNS Recursors Recursors Large Large Large Reply Reply Reply Unsecured DNS www.cloudflare.com 8 Recursors
  • 9. Reflection Attack •  With 50x amplification: •  1Gbit uplink from attacker (eg: Dedicated Servers) •  50Gbit attack •  Enough to bring most services offline! •  Prevention is the best remedy. •  In recent attacks, we’ve seen around 80,000 open/ unsecured DNS Resolvers being used. •  At just 1Mbit each, that’s 80Gbit! •  1mbit of traffic may not be noticed by most operators. •  80Gbit at target is easily noticed! www.cloudflare.com 9
  • 10. Where are they coming from?
  • 11. Where are the open Recursors? • Nearly Everywhere! •  CloudFlare has seen DNS Reflected attack traffic from: •  27 out of 56 Economies in APNIC Region •  More attacks from higher populated economies. www.cloudflare.com 11
  • 12. Where are the open Recursors? www.cloudflare.com 12
  • 13. Where are the open Recursors? www.cloudflare.com 13
  • 14. Where are the open Recursors? www.cloudflare.com 14
  • 15. Where are the open Recursors? www.cloudflare.com 15
  • 16. Where are the open Recursors? www.cloudflare.com 16
  • 17. Where are the open Recursors? www.cloudflare.com 17
  • 18. Where are the open Recursors? Open Open Country   Country   Recursors   Recursors   Japan 4625 Bangladesh 103 China 3123 New Zealand 98 Taiwan 3074 Cambodia 13 South Korea 1410 Sri Lanka 7 India 1119 Nepal 7 Pakistan 1099 Mongolia 5 Australia 761 Laos 4 Thailand 656 Bhutan 2 Malaysia 529 New Caledonia 2 Hong Kong 435 Fiji 2 Indonesia 349 Maldives 2 Papua New Vietnam 342 Guinea 1 Philippines 151 Afghanistan 1 Singapore 118 www.cloudflare.com 18
  • 19. Where are the open Recursors? Some Networks: Open Country ASN Network Name Recursors TW 3462 HINET Data Communication Business Group 2416 CN 9394 CRNET CHINA RAILWAY Internet(CRNET) 1052 JP 4713 OCN NTT Communications Corporation 1044 PK 45595 PKTELECOM-AS-PK Pakistan Telecom Company Limited 1030 CN 4134 CHINANET-BACKBONE No.31,Jin-rong Street 851 JP 2514 INFOSPHERE NTT PC Communications, Inc. 542 JP 17506 UCOM UCOM Corp. 378 www.cloudflare.com 19
  • 20. Where are the open Recursors? •  Where are they running? Mostly on Servers.
 ~11,000 Servers profiled from Asia-Pac Networks. ~7,500 BIND ~1600 unknown / undetermined ~900 Microsoft DNS Server ~500 dnsmasq ~200 ZyWALL DNS (a consumer internet router)
 
 www.cloudflare.com 20
  • 21. How to fix this?
  • 22. Fixing this? Preventative Measures! •  BCP-38 •  Source Filtering. •  You shouldn’t be able to spoof addresses. •  Needs to be done in hosting and ISP environments. •  If the victim’s IP can’t be spoofed the attack will stop •  Will also help stop other attack types •  (eg: Spoofed Syn Flood). www.cloudflare.com 22
  • 23. Fixing this? Preventative Measures! •  DNS Server Maintenance
 •  Secure the servers! •  Lock down recursion to your own IP addresses 
 •  Disable recursion •  If the servers only purpose is authoritative DNS, disable recursion •  Turn them off! •  Some Packages (eg, Plesk, cPanel) have included a recursive DNS server on by default. www.cloudflare.com 23
  • 24. Fixing this? Consumer Internet Routers / Modems •  Update firmware. •  Some older firmware has security bugs •  Allows administration from WAN (including DNS, SNMP) •  Does the feature need to be on? •  Make sure its set up properly www.cloudflare.com 24
  • 25. Fixing this? Information •  BCP-38: http://tools.ietf.org/html/bcp38
 •  BIND:
 http://www.team-cymru.org/Services/Resolvers/ instructions.html
 •  Microsoft: http://technet.microsoft.com/en-us/library/cc770432.aspx www.cloudflare.com 25