nanog mailing list archives

Re: DNS Amplification attack?
From: Mark Andrews <Mark_Andrews () isc org>
Date: Wed, 21 Jan 2009 12:28:49 +1100

In message <20090120233128.GI15562 () isc org>, "David W. Hankins" writes:

On Tue, Jan 20, 2009 at 12:54:32PM -0800, Wil Schultz wrote:
Anyone else noticing "." requests coming in to your DNS servers?


I was surprised to see 'amplification' in the subject line here, since
on my nameservers my replies are of equal length to the queries.  A
little bit of asking around, and I see that it is an amplification
attack, preying on old software.

Let me sum up;

If you're running 9.4 or later, you will reply to these packets with
45 octet RCODE:Refused replies.  1:1.  9.4 has an "allow-query-cache"
directive that defaults to track allow-recursion, which you should
have set appropriately.

If you're running 9.3 or earlier, you will reply to these queries
"out of cache" (the root hints), and those replies can be 300-500
octets I think.  1:6-11.

So in lieu of keeping a new up-to-date list of IP addresses to filter,
as it expands and shrinks, you can greatly reduce your own footprint
in these attacks with a quick upgrade.

David W. Hankins      "If you don't do it right the first time,
Software Engineer                  you'll just have to do it again."
Internet Systems Consortium, Inc.             -- Jack T. Hankins

Or better yet trace the query traffic back to the offending source
and implement BCP38 there.  If the source won't implement BCP38
then de-peer them.  It's time to take back the "commons".


Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews () isc org
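
The 1:1 and 1:6-11 ratios in the quoted summary can be reproduced from the DNS wire format. The following is an added example, not part of either post: it builds a "." query and the matching RCODE:Refused reply and compares their on-wire sizes. It assumes the 45-octet figure counts an IPv4 header without options plus the UDP header, that the query type is NS, and that the 300-500 octet figures are on-wire sizes; all function names are illustrative.

```python
import struct

IPV4_UDP_OVERHEAD = 20 + 8  # assumption: IPv4 header without options + UDP header
RCODE_REFUSED = 5
TYPE_NS, CLASS_IN = 2, 1    # assumption: the "." requests ask for NS records

def encode_name(name):
    """Encode a domain name in DNS wire format; "." is a single zero octet."""
    labels = [label for label in name.split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name=".", qtype=TYPE_NS, txid=0x1234):
    """Build a one-question DNS query with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def build_refused(query):
    """Build a refusal: question echoed, QR=1, RCODE=5, no records."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (flags & 0x0100) | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]

def rcode(message):
    """Extract the 4-bit RCODE from a DNS message header."""
    return struct.unpack("!H", message[2:4])[0] & 0x000F

def on_wire(dns_payload_len):
    """Size of the datagram including IP and UDP headers."""
    return dns_payload_len + IPV4_UDP_OVERHEAD

def assess(query, reply_octets, reply_rcode):
    """Report how much a spoofed query would be amplified by this reply."""
    q = on_wire(len(query))
    factor = round(reply_octets / q, 1)
    return {"query_octets": q, "reply_octets": reply_octets,
            "rcode": reply_rcode, "factor": factor, "amplifies": factor > 1.0}

if __name__ == "__main__":
    q = build_query(".")
    r = build_refused(q)
    print(assess(q, on_wire(len(r)), rcode(r)))  # 9.4 or later: refused, 1:1
    for size in (300, 500):                      # 9.3 or earlier: sizes from the post
        print(assess(q, size, 0))
```

A server that answers these queries with anything larger than the refusal size is contributing to the reflected traffic and is a candidate for the upgrade or the allow-recursion setting described above.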