A recent OpenSSL security vulnerability has come to light. It is strongly recommended that servers running the vulnerable versions of OpenSSL (1.0.1 and 1.0.2beta) be promptly updated.
For more information, refer to the official advisory: OpenSSL Security Advisory [07 Apr 2014]
TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64KB of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.

Thanks to Neel Mehta of Google Security for finding this bug and to Adam Langley <[email protected]> and Bodo Moeller <[email protected]> for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 is also fixed in 1.0.2-beta2.
An Open DNS Resolver is a DNS server that is configured to provide recursive DNS lookup services to any user on the internet.
DNS resolvers that accept queries from any IP address and are reachable from the internet can be abused to carry out Denial of Service (DoS) attacks on behalf of malicious actors. This turns your server into an unwitting participant in large-scale attacks. The most common form is a Distributed Denial of Service (DDoS) carried out through DNS amplification.
In this attack, the attacker sends DNS lookup requests to an open resolver with a spoofed (forged) source IP address. Because the resolver answers whoever the packet claims to be from, the response is not returned to the machine that actually sent the request but is delivered to the victim.
The open resolver, having no way to verify the source address of the query, sends its full response to the victim's IP address, and the flood continues for as long as the attacker keeps sending forged queries. This is called "amplification" because the spoofed requests ask for all available information about the requested DNS zone, so each response is 10 to 20 times larger than the request that triggered it. A large volume of traffic is therefore generated with very little effort on the attacker's side.
Checking for an Open Resolver:
You can perform a simple test from your command shell.
dig +short test.openresolver.com TXT @your-vps-ip-address
If it’s open, the response will show “open-resolver-detected.”
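The dig one-liner above is the quickest check, but it helps to see what is actually on the wire: a query with the RD (recursion desired) flag set, and a reply whose RA (recursion available) flag and answer count tell you whether the server recursed on your behalf. The following Python script is an added example, not part of the original notice or of any OpenResolverProject tooling. It builds the same TXT lookup the dig command sends, classifies the reply, and also reports the response-to-query size ratio, which is the "amplification" factor the paragraph above describes. The function and variable names are this example's own, and make_sample_response produces a constructed reply so the logic can be exercised offline; probe() is the part you would point at your own server's IP.

```python
import socket
import struct

QTYPE_TXT = 16
RCODE_REFUSED = 5


def build_query(name, qtype=QTYPE_TXT, txid=0x1234, recursion_desired=True):
    """Build a minimal DNS query: one question, RD flag set by default."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),          # QR bit
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "rcode": flags & 0x000F,
        "answers": an,
    }


def _skip_name(packet, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return offset + 2
        if length == 0:
            return offset + 1
        offset += 1 + length


def first_txt(packet):
    """Return the first TXT string of the first answer record, or None."""
    if parse_header(packet)["answers"] == 0:
        return None
    offset = _skip_name(packet, 12) + 4      # past question name, qtype, qclass
    offset = _skip_name(packet, offset)      # past answer owner name
    rtype, _rclass, _ttl, _rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
    offset += 10
    if rtype != QTYPE_TXT:
        return None
    txt_len = packet[offset]
    return packet[offset + 1:offset + 1 + txt_len].decode("ascii", "replace")


def classify(query, response):
    """Return (verdict, amplification_factor) for a query/response pair."""
    hdr = parse_header(response)
    factor = len(response) / len(query)
    if hdr["rcode"] == RCODE_REFUSED:
        return "refused", factor
    if hdr["recursion_available"] and hdr["answers"] > 0:
        return "open-recursion", factor
    return "closed", factor


def probe(server_ip, name="test.openresolver.com", timeout=3.0):
    """Send the same TXT lookup dig uses to your own server and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        response, _ = sock.recvfrom(4096)
    return classify(query, response)


def make_sample_response(query, txt=None, recursion_available=True, rcode=0):
    """Constructed reply for offline testing (not real server output): echoes the
    question and, if txt is given, appends one TXT answer with a compressed name."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8100 | (0x0080 if recursion_available else 0) | rcode
    answers = 1 if txt is not None else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)
    body = query[12:]
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    return header + body


if __name__ == "__main__":
    q = build_query("test.openresolver.com")
    print(classify(q, make_sample_response(q, "open-resolver-detected")))
    print(classify(q, make_sample_response(q, recursion_available=False, rcode=RCODE_REFUSED)))
    # To test a real server from an outside host: print(probe("your-vps-ip-address"))
```

Run probe() from a host outside your own network, since a resolver that is correctly restricted to local clients will still answer you from the inside. A "refused" verdict (REFUSED rcode) or a reply with RA clear and no answers means recursion is closed; "open-recursion" with the TXT string from the test zone means the server recursed for an arbitrary client.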
How to Close an Open DNS Resolver:
1. One method is to restrict incoming DNS queries using a firewall.
2. If you run an authoritative-only name server:
Open your DNS server’s main configuration file with a text editor (this example assumes you are using BIND).
vi /etc/named.conf
Add the following lines to disable recursion.
    options {
        allow-query-cache { none; };
        recursion no;
    };
Then restart the name server:
/etc/init.d/named restart
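The configuration above is for a server that should never recurse. If the same server also has to resolve names for your own machines, turning recursion off entirely is not an option; instead, recursion is limited to the networks that are allowed to use it. The fragment below is an added example (not from the original notice or from BIND's own documentation); 192.0.2.0/24 is a documentation address range standing in for your internal network, and the surrounding zone statements are assumed to exist elsewhere in named.conf.

```conf
options {
    // Constructed example: recurse only for loopback, directly attached networks
    // and the internal range given here; everyone else gets REFUSED.
    allow-recursion   { localhost; localnets; 192.0.2.0/24; };
    allow-query-cache { localhost; localnets; 192.0.2.0/24; };
    recursion yes;
};
```

Run named-checkconf on the file before restarting so a syntax slip does not take the server down, then repeat the dig test from a host outside the listed networks: the TXT lookup should now be refused rather than answered with "open-resolver-detected".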