A new report from Nominum claims that more than 24 million home routers on the Internet have open DNS proxies which expose ISPs to DNS-based Denial of Service attacks. It goes on to say that in February 2014, 5.3M of these routers were in fact used to attack, and that in January 2014, more than 70% of total DNS traffic on a provider’s network was associated with DNS amplification.
Denial of Service attacks are ones in which an attacker attempts to shut down a service on the internet by flooding it with more data and requests than it can handle. Given enough requests, most servers will buckle under the load. These attacks can be used for mischief, revenge, or even to disrupt a competitor. In order to run such an attack, though, the attacker needs a large number of computers under his control to generate all of that traffic. This is typically handled by botnets: large networks of computers that are infected with a virus and under the ultimate control of an attacker. The fact that these computers are typically scattered around the world makes this kind of attack very difficult to stop.
One type of Denial of Service attack is called DNS Amplification, and it’s explained well in this video from Team Cymru. The attack relies on the existence of open DNS resolvers: servers that answer DNS queries and are open for anyone on the internet to use. Because a small DNS query can elicit a much larger response, an attacker who directs such queries at these resolvers on the victim’s behalf is able to amplify the effect of his attack. The Nominum research points to the fact that many home routers can be used as unknowing pawns in this scheme.
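From the provider's side, the tell-tale signs of this abuse are customer addresses answering DNS queries from outside the provider's network at all (an open proxy), and response-to-query byte ratios far above what ordinary lookups produce. The following is an added example, not code from the article or from Nominum: a small detector run over a constructed CSV sample of query/response pairs. The customer prefix, the ISP resolver address, the sample records and the thresholds are all assumptions for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of DNS query/response pairs as an ISP might export from
# its edge. Fields: query source, responding host inside the ISP network,
# query type, query size and response size in bytes. Not real traffic.
SAMPLE_LOG = """\
src,resolver,qtype,req_bytes,resp_bytes
198.51.100.5,203.0.113.10,ANY,64,3100
198.51.100.5,203.0.113.10,ANY,64,3100
198.51.100.5,203.0.113.10,ANY,64,3200
198.51.100.5,203.0.113.10,ANY,64,3100
198.51.100.5,203.0.113.10,ANY,64,3150
203.0.113.22,203.0.113.2,A,48,96
203.0.113.22,203.0.113.2,AAAA,48,120
203.0.113.31,203.0.113.2,A,52,110
192.0.2.77,203.0.113.10,TXT,60,1400
"""

# Assumed network layout: customers live in 203.0.113.0/24 and the ISP's own
# recursive resolver, which is expected to answer customers, is 203.0.113.2.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")
ISP_RESOLVERS = {ipaddress.ip_address("203.0.113.2")}
AMP_THRESHOLD = 10.0  # response/query byte ratio that marks amplification
MIN_QUERIES = 3       # ignore one-off probes when scoring amplification


def parse_log(text):
    """Parse the CSV sample into records with typed addresses and sizes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": ipaddress.ip_address(row["src"]),
            "resolver": ipaddress.ip_address(row["resolver"]),
            "qtype": row["qtype"],
            "req": int(row["req_bytes"]),
            "resp": int(row["resp_bytes"]),
        })
    return rows


def _is_external_query_to_customer(r):
    """True when a host outside the ISP network is being answered by a
    customer address, i.e. a home router acting as an open DNS proxy."""
    if r["resolver"] in ISP_RESOLVERS or r["resolver"] not in CUSTOMER_PREFIX:
        return False
    return r["src"] not in CUSTOMER_PREFIX


def exposed_customers(rows):
    """Customer addresses that answer DNS for anyone on the internet."""
    return sorted(str(r["resolver"]) for r in rows
                  if _is_external_query_to_customer(r)
                  for _ in [0]) and sorted({str(r["resolver"]) for r in rows
                                            if _is_external_query_to_customer(r)})


def find_amplification(rows):
    """Return {customer_ip: {query_source: (count, amplification_factor)}}
    for customer addresses that are being used as reflectors."""
    # per (customer, query source): [query count, query bytes, response bytes]
    stats = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for r in rows:
        if not _is_external_query_to_customer(r):
            continue
        s = stats[r["resolver"]][r["src"]]
        s[0] += 1
        s[1] += r["req"]
        s[2] += r["resp"]
    findings = {}
    for router, per_src in stats.items():
        for src, (n, req, resp) in per_src.items():
            amp = resp / req if req else 0.0
            if n >= MIN_QUERIES and amp >= AMP_THRESHOLD:
                findings.setdefault(str(router), {})[str(src)] = (n, round(amp, 1))
    return findings


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("open proxies:", exposed_customers(records))
    for router, per_src in find_amplification(records).items():
        for src, (n, amp) in per_src.items():
            print(f"{router} amplified {n} queries from {src} by {amp}x")
```

The two checks are deliberately separate: `exposed_customers` catches the misconfiguration itself (a customer address answering outsiders), which is worth acting on before anyone abuses it, while `find_amplification` scores the traffic that is already being reflected. Real deployments would read flow exports rather than an inline string and would tune the thresholds to their own baseline.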
This of course raises the question: why are there internet-facing open DNS resolvers running on people’s home routers? The unfortunate and all too common answer is that it simply reflects the generally poor way that home routers are built and configured.
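Many home routers run dnsmasq, which by default listens on every interface, including the WAN side, unless the configuration restricts it. As an added example (not from the article or from any router vendor), here is a small audit that parses two constructed dnsmasq-style fragments, one exposed and one restricted to the LAN, and reports which directives are missing. The interface names `br0` and `eth0` and the fragments themselves are assumptions; the directive names are real dnsmasq options.

```python
# Constructed configuration fragments. The first never limits which
# interfaces or clients dnsmasq serves, so the router answers DNS for the
# whole internet. The second confines it to the LAN.
EXPOSED_CONF = """\
# default listening behaviour: all interfaces
domain-needed
dhcp-range=192.168.1.50,192.168.1.150,12h
"""

HARDENED_CONF = """\
domain-needed
dhcp-range=192.168.1.50,192.168.1.150,12h
# serve the LAN bridge only (interface names assumed)
interface=br0
# never the WAN port
except-interface=eth0
bind-interfaces
# additionally refuse queries from addresses not on a local subnet
local-service
"""

# Any one of these directives limits who the resolver will answer.
RESTRICTING_KEYS = {"interface", "except-interface", "listen-address", "local-service"}


def parse_dnsmasq(text):
    """Parse dnsmasq's line-oriented 'key' / 'key=value' format into
    {key: [values]} (a flag without '=' gets an empty value)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def audit_dns_exposure(text):
    """Return a list of findings; an empty list means the DNS service is
    not reachable from arbitrary internet hosts under these settings."""
    s = parse_dnsmasq(text)
    if s.get("port") == ["0"]:
        return []  # port=0 disables the DNS function entirely
    findings = []
    if not (RESTRICTING_KEYS & s.keys()):
        findings.append("DNS listens on all interfaces and answers any client; "
                        "add interface=/except-interface= or local-service")
    if "interface" in s and "bind-interfaces" not in s:
        findings.append("interface= set without bind-interfaces: dnsmasq still "
                        "binds the wildcard address and filters by interface")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_dns_exposure(conf) or ["ok"])
```

The second finding is informational rather than an exposure: with `interface=` alone dnsmasq still discards queries arriving on other interfaces, but `bind-interfaces` makes the restriction visible in a socket listing, which is what an operator checking a deployed router will actually look at.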