Contrail vDNS: DNS DDOS exposure

Bug #1423813 reported by tom murray
Affects            Status          Importance  Assigned to  Milestone
Juniper Openstack  (status tracked in Trunk)
  R2.20            Won't Fix       Medium      Nipa
  R3.0             Won't Fix       Medium      Nipa
  R3.0.2.x         Won't Fix       Critical    Nipa
  R3.1             Won't Fix       Critical    Nipa
  Trunk            Fix Committed   Critical    Nipa

Bug Description

This is with contrail 2.10/26

My customer reported today that the Contrail vDNS was exploited to be used as part of a DDOS attack on an external 3rd party. I do not have full details yet, but I suppose that this would follow something like the recursion exploit described here: http://www.watchguard.com/infocenter/editorial/41649.asp

We need to follow best practices for DNS configuration, for example following the recommendations described at https://www.us-cert.gov/sites/default/files/publications/DNS-recursion033006.pdf

Revision history for this message
tom murray (tmurray-a) wrote :

Specifically, the /etc/contrail/dns/named.conf on the vDNS nodes has recursion set to "any"...this must be restricted!!!

options {
    directory "/etc/contrail/dns/";
    managed-keys-directory "/etc/contrail/dns/";
    empty-zones-enable no;
    pid-file "/etc/contrail/dns/named.pid";
    listen-on port 53 { any; };
    allow-query { any; };
    allow-recursion { any; };
    allow-query-cache { any; };
};

summary: - DNS DDOS exposure
+ Contrail vDNS: DNS DDOS exposure
Revision history for this message
tom murray (tmurray-a) wrote :
Changed in juniperopenstack:
assignee: nobody → Hari Prasad Killi (haripk)
Changed in juniperopenstack:
importance: Undecided → Medium
tags: added: blocker
Changed in juniperopenstack:
milestone: none → r3.0-fcs
information type: Proprietary → Private Security
Ganesha HV (ganeshahv)
information type: Private Security → Public
tags: added: releasenote
Revision history for this message
Nipa (nipak) wrote :

To avoid DDOS attacks, recursion can be disabled at the global level in /etc/contrail/dns/contrail-named.conf and the service restarted.

1) /etc/contrail/dns/contrail-named.conf
  options {
     .....
     recursion no;    // disable recursion globally (server stays authoritative only)
  };

2) service contrail-named restart

As the contrail implementation allows only authoritative views, it has all the records in the cache for the domain/subdomain it is responsible for. This will result in VMs not being able to reach the external world, but locally learnt DNS records will be resolved.

tags: removed: releasenote
tags: added: releasenote
Revision history for this message
Nipa (nipak) wrote :

Any rogue queries, even from an allowed client (i.e. compute), can result in other queries timing out, similar to a DDOS attack but from an allowed client.

Need to explore if "Response Rate Limiting" may be the way to rate limit queries and avoid DDOS attack both internally and externally.

https://ftp.isc.org/isc/bind/cur/9.9/doc/arm/Bv9ARM.ch06.html
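As an added example (not code from the bug report or the Contrail project), a small Python audit that parses the options stanza of a named.conf and flags the open-recursion settings quoted earlier in this thread together with the missing rate-limit (RRL) stanza discussed in this comment. Both sample stanzas are constructed; the hardened one assumes an authoritative-only server, as described above, and a BIND version that supports the rate-limit stanza.

```python
import re

# Constructed sample: the open-recursion options stanza quoted in this bug.
OPEN_RESOLVER_CONF = """
options {
    allow-recursion { any; };
    allow-query-cache { any; };
};
"""

# Constructed sample: authoritative-only stanza with response rate limiting (BIND 9.10+).
HARDENED_CONF = """
options {
    recursion no;                 // authoritative views only
    allow-recursion { none; };
    allow-query-cache { none; };
    rate-limit { responses-per-second 10; };
};
"""

def options_stanza(conf):
    """Return the body of the first options { ... } block, '' if absent."""
    text = re.sub(r"(//|#).*", "", conf)          # drop // and # comments
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):             # brace counting handles nested ACLs
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return ""

def acl(body, name):
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), body)  # name { a; b; };
    return None if not m else [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit_named_options(conf):
    """Findings a reviewer would raise for an authoritative-only named server."""
    body = options_stanza(conf)
    findings = []
    if not re.search(r"\brecursion\s+no\s*;", body):
        findings.append("recursion not disabled (recursion no;)")
        for name in ("allow-recursion", "allow-query-cache"):
            if "any" in (acl(body, name) or []):
                findings.append("%s { any; }: open resolver, amplification risk" % name)
    if "rate-limit" not in body:
        findings.append("no rate-limit stanza (RRL): abusive queries are not throttled")
    return findings
```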

Revision history for this message
Nipa (nipak) wrote :

RRL will avoid DDOS attacks; this config is not present in the current named version, so we need to upgrade the named version.

Revision history for this message
Nipa (nipak) wrote :

DNS bind is updated to version BIND 9.10.4-P2 <id:7658a94>; this by default has the recursion depth set to 7.

commit f0be25508bb078e55c1e771d75282172ef365ae4
Author: Hari <email address hidden>
Date: Tue Aug 30 12:24:12 2016 +0530

    Use new bind version.

    Change-Id: Id16ff19bcf345f0024aeff9a393bb5bab1c62948
    partial-bug: #1617945

Revision history for this message
Nipa (nipak) wrote :

Also, if one wants recursion disabled, contrail-named-base.conf can be updated and named restarted.

commit 0ceda0a025d694f69c95f02363311a30dc10c1da
Author: Nipa Kumar <email address hidden>
Date: Tue Aug 16 17:16:38 2016 -0700

    Support dynamic configuration update of named

    An additional file contrail-named-base.conf will contain the base named configuration
    such as options stanza, key stanza, controls stanza and logging stanza.

    All configs generated due to vdns configuration resulting in view stanza will be written
    to contrail-named.conf

    Before sending "reconfig" command to named, both the files will be merged
    into contrail-named.conf

    The above gives the user flexibility to update and apply changes without restarting
    the dns daemon which generated the contrail-named.conf

    An additional helper script (applynamedconfig.py) will merge the files and apply the
    config (contrail-named-base.conf) to named daemon.

    Change-Id: If6089189a1104f648d8d7d3f638c58f9883deb50
    Closes-Bug:1605341
