Monday, December 6, 2010

Is Amazon's new DNS service a wise move?

Amazon announced the new DNS hosting service (Amazon Route 53) in the cloud today. The link with more details about the service is here.
The service is similar to others, except for one important security concern of mine: billing per usage, as is the case with many other Amazon cloud services. More precisely, 50c per million queries up to 1 billion, after which the price drops to 25c per million queries.

My feeling is that this model may not be very safe for Amazon customers. It could open an avenue for a malicious party to make them pay for something they have not benefited from. Let me explain.

The reason lies in the nature of DNS and the network protocol it uses, UDP. UDP has no security controls built in, and it is very easy to spoof UDP packets by creating a packet whose source IP address belongs to someone else. As DNS is stateless (one query, one response), the DNS server simply sends the response to whatever source IP address the query carried. In this way, millions of packets can be sent by a malicious party in a relatively short time and be indistinguishable from those sent by the company's customers.

Let's take my broadband connection as an example: 50Mbps down and 5Mbps up. If I assume a typical IP packet carrying a DNS query is around 50 bytes, I can theoretically send approx. 12,000 DNS queries per second. Let's lower that to 10,000 to be on the safe side. Hitting a million queries should then take me around 100s (call it 2 minutes, to approximate again). That means that every 2 minutes can cost a company using the Amazon DNS service 50c (and that is just one computer behind a cable modem!).

Now imagine a DDoS attack by someone who wants your company to bleed cash. Let's assume I want your company to pay $1000 per month for DNS. I need to generate 3 billion DNS packets. That would take me approx. 85 hours using just my Mac; it is easily done in a few hours with many PCs hosting remotely controlled malware!

Of course, Amazon could put some kind of DDoS protection in place. Or could they? DNS packets can be spoofed, and there is no way to tell them apart from legitimate customers' queries. Another option is for a company to cap how many queries it is willing to pay for per month, but criminals could easily reach that limit quickly and starve legitimate customers of DNS data.
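To make the exposure estimate above checkable, here is a small cost model (an added example, not code from the original post or from Amazon) that reproduces the post's arithmetic with the quoted tiers and also shows what a monthly query cap actually bounds. The tier prices, uplink speed and 50-byte packet size are the post's figures; the `hosts_needed` helper generalises the "many PCs" remark.

```python
"""Cost model for tiered per-million-query DNS billing (2010 figures from the post)."""
import math

# Price schedule quoted in the post: (upper bound of tier in queries, USD per million).
TIERS = [
    (1_000_000_000, 0.50),   # first 1 billion queries per month
    (float("inf"), 0.25),    # every query beyond that
]


def monthly_cost(queries: int) -> float:
    """USD billed for `queries` queries in one month under the tiered schedule."""
    cost, lower = 0.0, 0
    for upper, price_per_million in TIERS:
        if queries <= lower:
            break
        in_tier = min(queries, upper) - lower
        cost += in_tier / 1_000_000 * price_per_million
        lower = upper
    return cost


def queries_for_cost(budget_usd: float) -> int:
    """Inverse of monthly_cost: how many queries run up a bill of `budget_usd`."""
    lower = 0
    for upper, price_per_million in TIERS:
        tier_cost = (upper - lower) / 1_000_000 * price_per_million
        if budget_usd <= tier_cost:
            return int(round(lower + budget_usd / price_per_million * 1_000_000))
        budget_usd -= tier_cost
        lower = upper
    raise ValueError("unreachable: last tier is unbounded")


def queries_per_second(uplink_bps: float, packet_bytes: int) -> float:
    """Theoretical query rate a single uplink can sustain (post: 5 Mbps, 50-byte packets)."""
    return uplink_bps / (packet_bytes * 8)


def hours_to_spend(budget_usd: float, qps: float) -> float:
    """Hours a single source at `qps` needs to run up `budget_usd` (post: ~85 h at 10k qps)."""
    return queries_for_cost(budget_usd) / qps / 3600


def hosts_needed(budget_usd: float, hours: float, qps: float) -> int:
    """Sources at `qps` each needed to reach `budget_usd` within `hours` (generalisation)."""
    return math.ceil(queries_for_cost(budget_usd) / (qps * hours * 3600))


def minutes_to_exhaust_cap(cap_queries: int, qps: float) -> float:
    """Defender view: a monthly cap bounds the bill to monthly_cost(cap), but this is how
    quickly one source at `qps` can use it up and cut off legitimate resolution."""
    return cap_queries / qps / 60
```

With the post's numbers, `monthly_cost(3_000_000_000)` is exactly $1000 and `hours_to_spend(1000, 10_000)` is 83.3 hours, which the post rounds to about 85; a cap of 100 million queries holds the bill to $50 but is exhausted in under three hours at 10,000 queries per second.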

In short, I would stay far away from Amazon DNS service in the current offering, unless they update the pricing model to offer "all you can eat" DNS service.


  1. Thanks for doing the math on that - I hope they address that flaw soon because I was about ready to jump ship to their service.

  2. Almost all major internet providers will drop packets that have a source IP outside their range. This would limit an attacker to the subnets the gateway they are using expects.

    The internet is not nearly as trusting as it used to be.