Home page logo
/

nanog logo nanog mailing list archives

Re: DNS Amplification attack?
From: David Coulthart <davec () columbia edu>
Date: Wed, 21 Jan 2009 08:45:22 -0500

On Jan 20, 2009, at 6:31 PM, David W. Hankins wrote:
On Tue, Jan 20, 2009 at 12:54:32PM -0800, Wil Schultz wrote:
Anyone else noticing "." requests coming in to your DNS servers?

http://isc.sans.org/diary.html?storyid=5713

I was surprised to see 'amplification' in the subject line here, since
on my nameservers my replies are of equal length to the queries.  A
little bit of asking around, and I see that it is an amplification
attack, preying on old software.

Let me sum up;

If you're running 9.4 or later, you will reply to these packets with
45 octet RCODE:Refused replies.  1:1.  9.4 has an "allow-query-cache"
directive that defaults to track allow-recursion, which you should
have set appropriately.

After reading this thread, I decided it was prudent to test my authoritative nameservers & was surprised to discover I could retrieve cached records from my nameserver even though I have "recursion no;" in my options stanza in named.conf. Re-reading the ARM, I see that behavior is expected. But is there some reason not to set "allow- recursion { none; };" since I already have recursion disabled?

Thanks,
Dave Coulthart


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault