Home page logo
/

nanog logo nanog mailing list archives

Re: DNS Amplification attack?
From: Mark Andrews <Mark_Andrews () isc org>
Date: Wed, 21 Jan 2009 14:23:32 +1100


In message <20090121140825.xwdzd4p64kgwo4go () web1 nswh com au>, jay () miscreant or
g writes:
On Tue, Jan 20, 2009 at 9:16 PM, Kameron Gasso <kgasso-lists () visp net> wro=
te:

We're also seeing a great number of these, but the idiots spoofing the
queries are hitting several non-recursive nameservers we host - and only
generating 59-byte "REFUSED" replies.

Looks like they probably just grabbed a bunch of DNS hosts out of WHOIS
and hoped that they were recursive resolvers.

First post to this list, play nice :)

Are you sure about this? I'm seeing these requests on /every/ =20
(unrelated) NS I have access to, which numbers several dozen, in =20
various countries across the world, and from various registries (.net, =20
.org, .com.au). The spread of servers I've checked is so random that =20
I'm wondering just how many NS records they've laid their hands on.

I've also noticed that on a server running BIND 9.3.4-P1 with =20
recursion disabled, they're still appear to be getting the list of =20
root NS's from cache, which is a 272-byte response to a 61-byte =20
request, which by my definition is an amplification.

        BIND 9.3.4-P1 is past end-of-life.

        You need to properly set allow-query at both the option/view
        level and at the zone level to prevent retrieving answers
        from the cache in 9.3.x.

                option/view level "allow-query { trusted; };"
                zone level "allow-query { any; };"

        BIND 9.4.x and later have allow-query-cache make the
        configuration job easier.  It also defaults to directly
        connected networks.

        Mark
 
Cheers,

Jay


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews () isc org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault