CloudFlare writes about closing open DNS resolvers. Open DNS resolvers are one of the sources of the biggest DDoS attacks.

Closing the open DNS resolvers

This has been a rough week in the security industry with big attacks and compromises reported at companies from Facebook to Apple. We’re therefore happy to end the week with some good news: the web’s open resolvers, one of the sources of the biggest DDoS attacks, are getting closed.


The problem stems from misconfigured DNS resolver software (e.g., BIND) that is setup to respond to a query from any IP address. Since DNS requests typically are sent over UDP, which, unlike TCP, does not require a handshake, an attacker can spoof a victim’s IP address as the source address in a packet and a misconfigured DNS resolver will happily bombard the victim with responses.

Read the full article on CloudFlare’s blog: