yahoo-eng-team team mailing list archive
Message #76054
[Bug 1501206] Re: router:dhcp ports are open resolvers
Reviewed: https://review.openstack.org/333829
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0fce3ca2c1641fbcfb8327a86d7225e2c3972263
Submitter: Zuul
Branch: master
commit 0fce3ca2c1641fbcfb8327a86d7225e2c3972263
Author: Jens Harbott <j.harbott@xxxxxxxx>
Date: Mon Oct 29 17:08:33 2018 +0000
Secure dnsmasq process against external abuse
Currently any dhcp agent instance will work as an open resolver. For
deployments using publicly routed addresses for tenant networks, this
allows the agent to be abused in DDoS attacks, see [1].
By setting the `--local-service` option dnsmasq will filter DNS queries
and reply only to queries from directly attached networks.
[1] https://bugs.launchpad.net/neutron/+bug/1501206
Closes-Bug: 1501206
Change-Id: I76d810aad2ce0f15a88bd798963012fa0efca74e
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1501206
Title:
router:dhcp ports are open resolvers
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Status in neutron package in Ubuntu:
Confirmed
Bug description:
When configuring a public IPv4 subnet with DHCP enabled inside
Neutron (and attaching it to an Internet-connected router), the DNS
recursive resolver service provided by dnsmasq inside the qdhcp
network namespace will respond to DNS queries from the entire
Internet. This is a huge problem from a security standpoint, as open
resolvers are very likely to be abused for DDoS purposes. This not
only causes significant damage to third parties (i.e., the true
destination of the DDoS attack and every network in between), but also
to the local network or servers (due to saturation of all the
available network bandwidth and/or the processing capacity of the node
running the dnsmasq instance). Quoting from
http://openresolverproject.org/:
«Open Resolvers pose a significant threat to the global network
infrastructure by answering recursive queries for hosts outside of its
domain. They are utilized in DNS Amplification attacks and pose a
similar threat as those from Smurf attacks commonly seen in the late
1990s.
[...]
What can I do?
If you operate a DNS server, please check the settings.
Recursive servers should be restricted to your enterprise or customer
IP ranges to prevent abuse. Directions on securing BIND and Microsoft
nameservers can be found on the Team CYMRU Website - If you operate
BIND, you can deploy the TCP-ANY patch»
It seems reasonable to expect that the dnsmasq instance within Neutron
would only respond to DNS queries from the subnet prefixes it is
associated with and ignore all others.
Note that this only occurs for IPv4. That is however likely just a
symptom of bug #1499170, which breaks all IPv6 DNS queries (external
as well as internal). I would assume that when bug #1499170 is fixed,
the router:dhcp ports will immediately start being open resolvers over
IPv6 too.
For what it's worth, the reason I noticed this issue in the first
place was that NorCERT (the national Norwegian Computer Emergency
Response Team - http://www.cert.no/) got in touch with us, notifying
us about the open resolvers they had observed in our network and
insisted that we lock them down ASAP. It only took NorCERT a couple of
days after the subnet was first created to do so.
Tore
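The following Python model is an added illustration and is not part of the bug report, the commit above, or Neutron's own code. It shows what the `--local-service` option changes: dnsmasq's documented rule is that a query is answered only when its source address lies in a subnet for which the process has an interface, so the model derives "local subnets" from the namespace's interface addresses and then decides, per command line, whether a given query source would be answered. The dnsmasq argument lists, the qdhcp interface addresses and the probe source addresses are all constructed placeholders (real Neutron command lines carry many more options); the model also does not talk to a running dnsmasq, it only reproduces the filter rule so an operator can reason about which instances are still exposed before and after the fix.

```python
"""Model of dnsmasq's --local-service source filter (added example, not
Neutron's or dnsmasq's code). Command lines and addresses are constructed."""
import ipaddress

# Constructed, trimmed-down dnsmasq argv in the style the dhcp agent builds;
# the second one adds the option introduced by the fix.
VULNERABLE_CMDLINE = [
    "dnsmasq", "--no-hosts", "--no-resolv", "--except-interface=lo",
    "--interface=tap-constructed0", "--bind-interfaces",
]
FIXED_CMDLINE = VULNERABLE_CMDLINE + ["--local-service"]

# Constructed interface addresses inside one qdhcp namespace: a publicly
# routed IPv4 tenant subnet (the situation in the report) plus an IPv6 subnet.
NAMESPACE_ADDRS = ["203.0.113.2/24", "2001:db8:1::2/64"]


def has_local_service(argv):
    """True if this dnsmasq argv carries --local-service (the fix's option)."""
    return "--local-service" in argv


def local_subnets(interface_addrs):
    """Subnets dnsmasq treats as local under --local-service: every subnet
    for which the process has an interface address (given as 'addr/prefix')."""
    return [ipaddress.ip_interface(a).network for a in interface_addrs]


def would_answer(source_ip, interface_addrs, argv):
    """Would this instance answer a recursive query from source_ip?
    Without --local-service every source is answered (the open-resolver
    condition in the bug); with it, only sources inside a local subnet.
    Address families are compared separately: an IPv6 source never matches
    an IPv4 subnet and vice versa."""
    if not has_local_service(argv):
        return True
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in local_subnets(interface_addrs))


def audit(instances, off_subnet_sources):
    """Report instances that would still answer any off-subnet source.
    instances: {name: (argv, interface_addrs)}. Returns sorted names."""
    exposed = []
    for name, (argv, addrs) in instances.items():
        if any(would_answer(s, addrs, argv) for s in off_subnet_sources):
            exposed.append(name)
    return sorted(exposed)


if __name__ == "__main__":
    fleet = {
        "qdhcp-before-fix": (VULNERABLE_CMDLINE, NAMESPACE_ADDRS),
        "qdhcp-after-fix": (FIXED_CMDLINE, NAMESPACE_ADDRS),
    }
    # Constructed off-subnet probe sources, one per address family.
    print(audit(fleet, ["198.51.100.77", "2001:db8:9::1"]))  # -> ['qdhcp-before-fix']
```

The `audit` function is where an operator would plug in the real data: the argv of each dnsmasq process (for example read from `/proc/<pid>/cmdline`) and the addresses of the interfaces in its namespace. An instance that still answers an off-subnet source is one that has not picked up the fix.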
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1501206/+subscriptions