Page tree
Skip to end of metadata
Go to start of metadata

HP Helion Eucalyptus Can Act as an Open DNS Resolver



HP Helion Eucalyptus Can Act as an Open DNS Resolver

Severity LevelMODERATE
Issue Date2014-02-24
Last Updated2014-03-11
Affected ProductsHP Helion Eucalyptus 3.3.0 to HP Helion Eucalyptus 3.4.1
CVE NumberCVE-2013-4769




A security issue has been identified in the recursive DNS resolver implemented in HP Helion Eucalyptus that affects publicly accessible HP Helion Eucalyptus installations. An update is now available in 3.4.2 that resolves this issue. We advise updating all affected HP Helion Eucalyptus installations as soon as possible.


HP Helion Eucalyptus implements a DNS service on the cloud controller (CLC) component to facilitate internal DNS lookups. An issue has been identified in the implementation of the recursive DNS resolver that could be exploited by external clients to participate in DNS amplification attacks, a type of distributed denial of service attack. This could also lead to denial of service to authorized clients. The issue affects all HP Helion Eucalyptus installations where the CLC is publicly accessible and recursive DNS is enabled (see the dns.recursive.enabled property).


Restricting network access to HP Helion Eucalyptus DNS ports to internal clients only (if possible) resolves the issue. Please refer the Administration Guide at for HP Helion Eucalyptus open ports and connectivity rules.

In cases when it's not possible to limit network access to the DNS server to a set of trusted clients, a partial solution is to employ a blacklisting of known DNS offenders (e.g., from and to limit the rate of DNS requests to the CLC using a firewall. For example, the following rules limit DNS request rate using iptables:

# iptables -A INPUT -p udp -m udp --dport 53 -m recent --set --name DDOS --rsource 
# iptables -A INPUT -p udp -m udp --dport 53 -m recent --update --seconds 10 --hitcount 20 --name DDOS --rsource -j DROP


HP Helion Eucalyptus 3.4.2 resolves the issue.

Please see for instructions on downloading and upgrading to the latest HP Helion Eucalyptus software.

Contact and help

Contact the HP Helion Eucalyptus security team at