yahoo-eng-team team mailing list archive
Message #41311
[Bug 1501206] Re: router:dhcp ports are open resolvers
Alright, removing the security class and closing the OSSA task.
** Changed in: ossa
Status: Incomplete => Won't Fix
** Information type changed from Public Security to Public
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1501206
Title:
router:dhcp ports are open resolvers
Status in neutron:
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
When configuring a public IPv4 subnet with DHCP enabled inside
Neutron (and attaching it to an Internet-connected router), the DNS
recursive resolver service provided by dnsmasq inside the qdhcp
network namespace will respond to DNS queries from the entire
Internet. This is a huge problem from a security standpoint, as open
resolvers are very likely to be abused for DDoS purposes. This not
only causes significant damage to third parties (i.e., the true
destination of the DDoS attack and every network in between), but also
to the local network or servers (due to saturation of all the
available network bandwidth and/or the processing capacity of the node
running the dnsmasq instance). Quoting from
http://openresolverproject.org/:
«Open Resolvers pose a significant threat to the global network
infrastructure by answering recursive queries for hosts outside of its
domain. They are utilized in DNS Amplification attacks and pose a
similar threat as those from Smurf attacks commonly seen in the late
1990s.
[...]
What can I do?
If you operate a DNS server, please check the settings.
Recursive servers should be restricted to your enterprise or customer
IP ranges to prevent abuse. Directions on securing BIND and Microsoft
nameservers can be found on the Team CYMRU Website - If you operate
BIND, you can deploy the TCP-ANY patch»
It seems reasonable to expect that the dnsmasq instance within Neutron
would only respond to DNS queries from the subnet prefixes it is
associated with and ignore all others.
Note that this only occurs for IPv4. That is however likely just a
symptom of bug #1499170, which breaks all IPv6 DNS queries (external
as well as internal). I would assume that when bug #1499170 is fixed,
the router:dhcp ports will immediately start being open resolvers over
IPv6 too.
For what it's worth, the reason I noticed this issue in the first
place was that NorCERT (the national Norwegian Computer Emergency
Response Team - http://www.cert.no/) got in touch with us, notifying
us about the open resolvers they had observed in our network and
insisted that we lock them down ASAP. It only took NorCERT a couple of
days after the subnet was first created to do so.
Tore
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1501206/+subscriptions
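As an added example (not part of the bug report or of neutron's own code), the script below applies the expectation stated in the report to a dnsmasq query log: every query whose source address lies outside the subnet prefixes the qdhcp instance is associated with is flagged as open-resolver traffic. The prefixes and the log lines are constructed sample values, in the format dnsmasq emits with `--log-queries`.

```python
import ipaddress
import re
from collections import Counter

# dnsmasq --log-queries line format: "... dnsmasq[PID]: query[TYPE] NAME from SOURCE"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<src>\S+)$")

# Constructed sample: the IPv4 and IPv6 prefixes this qdhcp instance serves (hypothetical values).
ASSOCIATED_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/64"]

# Constructed sample log lines (not real output): two queries from tenant hosts,
# three from addresses outside the associated prefixes, one non-query line.
SAMPLE_LOG = """\
Oct  1 12:00:01 net1 dnsmasq[4242]: query[A] www.example.com from 203.0.113.10
Oct  1 12:00:02 net1 dnsmasq[4242]: query[AAAA] www.example.com from 2001:db8:1::10
Oct  1 12:00:03 net1 dnsmasq[4242]: query[ANY] isc.org from 198.51.100.7
Oct  1 12:00:03 net1 dnsmasq[4242]: query[ANY] isc.org from 198.51.100.7
Oct  1 12:00:04 net1 dnsmasq[4242]: query[TXT] example.net from 192.0.2.200
Oct  1 12:00:05 net1 dnsmasq[4242]: reply www.example.com is 203.0.113.80
"""


def audit_resolver_log(log_text, prefixes):
    """Return (local_count, Counter mapping external source -> query count).

    A query is 'external' when its source falls outside every prefix the
    dnsmasq instance is supposed to serve; a non-zero external count means
    the instance is answering recursive queries as an open resolver.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    local = 0
    external = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies, cache and config lines are not queries
        src = ipaddress.ip_address(m.group("src"))
        # Membership test is False for mismatched address families, so a
        # v4 source is never accidentally matched against a v6 prefix.
        if any(src in n for n in nets):
            local += 1
        else:
            external[str(src)] += 1
    return local, external


if __name__ == "__main__":
    local, external = audit_resolver_log(SAMPLE_LOG, ASSOCIATED_PREFIXES)
    print(f"{local} queries from associated prefixes")
    for src, n in external.most_common():
        print(f"OPEN RESOLVER: {n} queries answered for {src}")
```

The `--local-service` option in dnsmasq restricts answers to hosts on a directly attached subnet and is one way to enforce the behaviour the report expects; the same log lines let you confirm the restriction actually took effect.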