A security issue has been identified in the recursive DNS resolver implemented in Eucalyptus that affects publicly accessible Eucalyptus installations. An update is now available in 3.4.2 that resolves this issue. We advise updating all affected Eucalyptus installations as soon as possible.
Eucalyptus implements a DNS service on the cloud controller (CLC) component to facilitate internal DNS lookups. An issue has been identified in the implementation of the recursive DNS resolver that could be exploited by external clients to participate in DNS amplification attacks, a type of distributed denial of service attack. This could also lead to denial of service to authorized clients. The issue affects all Eucalyptus installations where the CLC is publicly accessible and recursive DNS is enabled (see the dns.recursive.enabled property).
Restricting network access to Eucalyptus DNS ports to internal clients only (if possible) resolves the issue. Please refer the Administration Guide at https://www.eucalyptus.com/docs for Eucalyptus open ports and connectivity rules.
In cases when it's not possible to limit network access to the DNS server to a set of trusted clients, a partial solution is to employ a blacklisting of known DNS offenders (e.g., from https://github.com/smurfmonitor) and to limit the rate of DNS requests to the CLC using a firewall. For example, the following rules limit DNS request rate using iptables:
# iptables -A INPUT -p udp -m udp --dport 53 -m recent --set --name DDOS --rsource # iptables -A INPUT -p udp -m udp --dport 53 -m recent --update --seconds 10 --hitcount 20 --name DDOS --rsource -j DROP
Eucalyptus 3.4.2 resolves the issue.
Please see https://www.eucalyptus.com/download/eucalyptus for instructions on downloading and upgrading to the latest Eucalyptus software.
Contact and Help
Contact the Eucalyptus Security Team at email@example.com.