CERT-FI, the Finnish national computer emergency response team, reports that US DNS service provider UltraDNS intends to send a DNS query to every public IP address in existence.
The query will be a so-called reverse lookup, asking for the PTR record of the client’s IP address. If the target answers such a query, it is an open recursive DNS server, and one that can therefore be used as an intermediary for launching distributed denial of service attacks.
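As an added example (not code from CERT-FI, UltraDNS or this post), the following Python builds a single A query with the recursion-desired bit set and reads the reply’s RA flag, RCODE and answer count to judge whether a resolver you operate answers recursive queries for outside clients; the resolver address and the name example.com are assumptions, and the sample replies are constructed.

```python
import socket
import struct

# Added example, not CERT-FI's or UltraDNS's code. Checks one resolver at a time;
# the name queried should be one the server is not authoritative for.

def build_query(name, txid=0x1234, qtype=1):
    """Return a DNS query packet for `name` (A record by default) with RD=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def classify_response(data, txid=0x1234):
    """Decode the header of a DNS reply and decide whether the server recursed for us."""
    if len(data) < 12:
        return {"open_recursive": False, "reason": "truncated reply"}
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return {"open_recursive": False, "reason": "transaction id mismatch"}
    ra = bool(flags & 0x0080)    # recursion available
    aa = bool(flags & 0x0400)    # authoritative answer
    rcode = flags & 0x000F       # 0 = NOERROR, 5 = REFUSED
    if rcode == 5:
        return {"open_recursive": False, "reason": "REFUSED (recursion denied)"}
    if aa:
        return {"open_recursive": False, "reason": "authoritative answer, not proof of recursion"}
    if ra and rcode == 0 and an > 0:
        return {"open_recursive": True, "reason": "RA set and answer returned for a foreign name"}
    return {"open_recursive": False, "reason": f"RA={int(ra)} rcode={rcode} answers={an}"}

def probe_resolver(ip, name="example.com", timeout=2.0):
    """Send the query over UDP and classify the answer (network call; own servers only)."""
    pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return {"open_recursive": False, "reason": "no reply"}
    return classify_response(data)

# Constructed sample replies: flags 0x8180 = QR|RD|RA NOERROR with one A answer; 0x8185 = REFUSED.
SAMPLE_OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:] + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
SAMPLE_REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + build_query("example.com")[12:]

if __name__ == "__main__":
    print(classify_response(SAMPLE_OPEN_REPLY))    # open_recursive: True
    print(classify_response(SAMPLE_REFUSED_REPLY)) # open_recursive: False
```

A resolver that should serve only its own network should answer the refused case, or not at all, when queried from outside it.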
Making Finnish case law, Finland’s Supreme Court in 2002 upheld a conviction against a defendant who had scanned the network of a Finnish bank in order to find open proxies. Based on Finland’s penal code, the defendant was sentenced to a fine for computer break-in. He was also ordered to pay damages to the bank.
External links:
- “Internetin DNS-palvelimia kartoitetaan” (CERT-FI)
- KKO:2003:36 (Finland’s Supreme Court)
2 Comments
Folks,
It is my duty to let you know that the original CERT-FI blog article included an unfortunate error: The query is NOT for a PTR record but rather for a special A record. Forward lookup, that is. The query source address in turn should resolve to a clueful name hinting about the intent of the project.
We issued a new blog entry stating our original mistake (only in Finnish):
http://www.cert.fi/tietoturvanyt/2007/04/P_17.html
Let me apologise for the mishap. We will try to be more observant in the future.
The main point, however, is that a large population of misconfigured (open) resolver servers pose a clear and present danger to the Internet. Every effort to find and help configure/patch them is warmly welcomed. For more information please refer to e.g.:
http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf
http://www.auscert.org.au/render.html?it=80
http://www.cert-in.org.in/training/1stmay06/dotIN-DNS-DDoS.pdf
http://www.cymru.com/Documents/secure-bind-template.html
http://www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf
Thor, I’m not quite sure why you brought the Finnish Supreme Court ruling into the discussion as UltraDNS obviously is not mapping the servers with malicious intent. I for one wouldn’t make such a claim.
Best Regards,
Erka Koivunen
Head of CERT-FI
Erka,
Thank you for your comments. They are highly appreciated.
The targets of the planned scan would apparently be situated in a vast number of different jurisdictions around the globe. In such a context, the Finnish precedent is only a faint background image. My main purpose was to illustrate that a port scan may be viewed very seriously not only by its target organization, but also in a court of law.
Although your team is doing the sysadmin community an important favor by sharing information about the event to be, some administrators may still consider the scan hostile. Perhaps they will not have heard about it beforehand, or perhaps they will hold that, as a matter of principle and consistency, nobody has any business probing their networks, whatever the stated reason.
You probably remember that in the days when open SMTP relays were a similar, substantial issue, *bulk* probing for such relays was considered quite controversial.
At any rate, I could not agree more with you that open DNS servers pose a very significant threat of continued denial of service attacks by proxy. Let’s continue to spread the word of warning.
Best regards, and may you have a happy Vappu,
Thor