ESA-16: Eucalyptus Can Act As An Open DNS Resolver

Eucalyptus Security Advisory
Advisory ID: ESA-16
Severity Level: Moderate
Issue Date: 2014-02-24
Last Updated: 2014-03-11
Affected Products: Eucalyptus 3.3.0 to Eucalyptus 3.4.1

Overview

A security issue has been identified in the recursive DNS resolver implemented in Eucalyptus that affects publicly accessible Eucalyptus installations. An update is now available in 3.4.2 that resolves this issue. We advise updating all affected Eucalyptus installations as soon as possible.

Description

Eucalyptus implements a DNS service on the cloud controller (CLC) component to facilitate internal DNS lookups. An issue has been identified in the implementation of the recursive DNS resolver that could be exploited by external clients to participate in DNS amplification attacks, a type of distributed denial of service attack. This could also lead to denial of service to authorized clients. The issue affects all Eucalyptus installations where the CLC is publicly accessible and recursive DNS is enabled (see the dns.recursive.enabled property).

Workaround

Restricting network access to the Eucalyptus DNS ports to internal clients only (where possible) resolves the issue. Please refer to the Administration Guide at https://www.eucalyptus.com/docs for the Eucalyptus open ports and connectivity rules.

In cases where it is not possible to limit network access to the DNS server to a set of trusted clients, a partial solution is to blacklist known DNS offenders (e.g., using the lists at https://github.com/smurfmonitor) and to limit the rate of DNS requests to the CLC using a firewall. For example, the following iptables rules limit the DNS request rate per source address:

# iptables -A INPUT -p udp -m udp --dport 53 -m recent --set --name DDOS --rsource
# iptables -A INPUT -p udp -m udp --dport 53 -m recent --update --seconds 10 --hitcount 20 --name DDOS --rsource -j DROP
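As an added illustration that is not part of the advisory, the following Python models what the two rules above do per source address (20 hits within 10 seconds) and runs the model over constructed query timestamps; the xt_recent behaviour is simplified, and the addresses are RFC 5737 documentation ranges, not real hosts.

```python
from collections import defaultdict, deque

# Thresholds taken from the advisory's iptables rules: 20 hits in 10 seconds per source.
WINDOW_SECONDS = 10.0
HITCOUNT = 20


def parse_log(text):
    """Parse constructed lines of the form '<seconds> <src_ip>', one UDP/53 query each."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src = line.split()
        packets.append((float(ts), src))
    return packets


def simulate_recent_limit(packets, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Simplified model of the two-rule chain (not the kernel xt_recent code).
    Rule 1 (--set) records the packet's source and time; rule 2 (--update --seconds W
    --hitcount N -j DROP) drops the packet when the source has N or more recorded hits
    in the last W seconds, this packet included because rule 1 ran first.
    Returns a list of (timestamp, src_ip, verdict) in time order."""
    hits = defaultdict(deque)          # src_ip -> timestamps of recorded hits
    verdicts = []
    for ts, src in sorted(packets):    # process in arrival order
        q = hits[src]
        q.append(ts)                   # --set: record this hit for the source
        while ts - q[0] > window:      # forget hits older than the window
            q.popleft()
        verdicts.append((ts, src, "DROP" if len(q) >= hitcount else "ACCEPT"))
    return verdicts


def summarize(verdicts):
    """Per-source counts of accepted and dropped queries."""
    summary = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for _, src, verdict in verdicts:
        summary[src][verdict] += 1
    return dict(summary)


# Constructed traffic: a flood of 25 queries in 9.6 s from one address, plus a normal
# client sending one query per second for 30 s.
FLOOD = "\n".join(f"{0.4 * i:.1f} 203.0.113.5" for i in range(25))
NORMAL = "\n".join(f"{i}.0 198.51.100.7" for i in range(30))
SAMPLE_LOG = FLOOD + "\n" + NORMAL

if __name__ == "__main__":
    for src, counts in summarize(simulate_recent_limit(parse_log(SAMPLE_LOG))).items():
        print(src, counts)   # flood: 19 accepted, 6 dropped; normal client: 30 accepted
```

Because the limit is keyed on the source address, a flood that forges its source is capped per forged address rather than blocked outright, and queries the forged address legitimately sends are dropped along with it; restricting reachability of port 53 or upgrading to 3.4.2 remains the actual fix.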

Solution

Eucalyptus 3.4.2 resolves the issue.

Please see https://www.eucalyptus.com/download/eucalyptus for instructions on downloading and upgrading to the latest Eucalyptus software.

Contact and Help

Contact the Eucalyptus Security Team at security@eucalyptus.com.