A security issue has been identified in the recursive DNS resolver implemented in HP Helion Eucalyptus that affects publicly accessible HP Helion Eucalyptus installations. An update that resolves this issue is available in HP Helion Eucalyptus 3.4.2. We advise updating all affected HP Helion Eucalyptus installations as soon as possible.
HP Helion Eucalyptus runs a DNS service on the Cloud Controller (CLC) component to serve internal DNS lookups. An issue has been identified in the recursive resolver of that service: when recursion is enabled, the CLC also answers recursive queries from external clients. Because DNS runs over UDP, an attacker can send queries whose source address is spoofed to that of a victim, so that the CLC sends its (larger) responses to the victim; this lets a publicly reachable CLC be used as a reflector in a DNS amplification attack, a type of distributed denial of service attack. The query load generated this way can also deny service to authorized clients of the CLC. The issue affects all HP Helion Eucalyptus installations where the CLC is publicly accessible and recursive DNS is enabled (see the dns.recursive.enabled property).
Restricting network access to the HP Helion Eucalyptus DNS ports (port 53) to internal clients only, where possible, resolves the issue. Please refer to the Administration Guide at https://www.eucalyptus.com/docs for the HP Helion Eucalyptus open ports and connectivity rules.
Where network access to the DNS server cannot be limited to a set of trusted clients, a partial mitigation is to block known DNS abusers (e.g., using the lists published at https://github.com/smurfmonitor) and to rate-limit DNS requests to the CLC with a firewall. Note that reflection attacks spoof the source address of the query to that of the victim, so per-source rate limiting caps how many responses the CLC will reflect toward any one address rather than identifying the attacker; it reduces the damage but does not close the issue. For example, the following iptables rules limit UDP DNS requests to fewer than 20 per source address in any 10-second window. The first rule records every source address that sends a UDP packet to port 53 in the "DDOS" recent-list; the second rule drops the packet if that address has already been seen 20 or more times in the last 10 seconds:
# iptables -A INPUT -p udp -m udp --dport 53 -m recent --set --name DDOS --rsource
# iptables -A INPUT -p udp -m udp --dport 53 -m recent --update --seconds 10 --hitcount 20 --name DDOS --rsource -j DROP
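To verify whether a CLC answers recursive queries from outside the trusted network, before and after applying the mitigation or the upgrade, the following added example (not code from the advisory or from the Eucalyptus project) builds a minimal DNS query with the RD (recursion desired) flag set, parses the response header, and reports whether the server set RA (recursion available) and answered, together with the response/query size ratio that an amplification attack would exploit. The CLC address 192.0.2.10 and the two embedded responses are constructed assumptions; the probe() function needs network access to the CLC, while the rest runs offline on the sample data.

```python
import socket
import struct

# Assumed CLC address for the live probe (TEST-NET-1, not a real installation).
CLC_HOST = "192.0.2.10"
DNS_PORT = 53


def build_query(qname, qtype=1, txid=0x1234, rd=True):
    """Build a minimal DNS query for qname (qtype 1 = A, class IN).

    The RD flag asks the server to resolve the name on the client's behalf;
    an open recursive resolver honours it for anyone who asks.
    """
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii") for part in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def parse_header(msg):
    """Decode the 12-byte DNS header into its flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),   # recursion available: server will recurse for us
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def assess(query, response):
    """Report whether the reply shows an open recursive resolver and how much it amplified."""
    h = parse_header(response)
    if h["id"] != parse_header(query)["id"]:
        raise ValueError("transaction ID mismatch")
    open_recursive = h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0
    return {
        "open_recursive": open_recursive,
        "amplification": len(response) / len(query),
        "header": h,
    }


def probe(host=CLC_HOST, qname="example.com", timeout=3.0):
    """Send one recursive A query over UDP to host:53 and assess the reply (needs network)."""
    q = build_query(qname)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(q, (host, DNS_PORT))
        resp, _ = s.recvfrom(4096)
    finally:
        s.close()
    return assess(q, resp)


# Constructed sample traffic (not captured from a real CLC).
SAMPLE_QUERY = build_query("example.com")

# Reply from an open resolver: QR=1, RD=1, RA=1, RCODE=0, one A record in the answer.
OPEN_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + SAMPLE_QUERY[12:]                       # question section echoed back
    + b"\xc0\x0c"                             # compressed name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 3600, 4)     # type A, class IN, TTL, RDLENGTH
    + bytes([192, 0, 2, 1])                   # RDATA: constructed address
)

# Reply from a resolver that refuses recursion for this client: RA=0, RCODE=5 (REFUSED), no answers.
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + SAMPLE_QUERY[12:]


if __name__ == "__main__":
    for label, resp in (("open", OPEN_RESPONSE), ("refused", REFUSED_RESPONSE)):
        r = assess(SAMPLE_QUERY, resp)
        print(f"{label}: open_recursive={r['open_recursive']} amplification={r['amplification']:.2f}x")
```

Run probe() from a host outside the trusted network: a result with open_recursive set to True means the CLC is still usable as a reflector. The same check can be done interactively with dig @<clc-address> example.com and looking for "ra" in the flags line. The A query used here only shows the mechanism; attackers pick query types and names that return responses many times larger than the 29-byte query, which is why the per-source rate limit above matters even when the ratio measured by a simple probe looks small.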
HP Helion Eucalyptus 3.4.2 resolves the issue.
Please see https://www.eucalyptus.com/download/eucalyptus for instructions on downloading and upgrading to the latest HP Helion Eucalyptus software.
Contact and help
Contact the HP Helion Eucalyptus security team at email@example.com.