DNS Amplification attack?

Mark Andrews Mark_Andrews at isc.org
Tue Jan 20 19:28:49 CST 2009


In message <20090120233128.GI15562 at isc.org>, "David W. Hankins" writes:
> 
> --J+eNKFoVC4T1DV3f
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> Content-Transfer-Encoding: quoted-printable
> 
> On Tue, Jan 20, 2009 at 12:54:32PM -0800, Wil Schultz wrote:
> > Anyone else noticing "." requests coming in to your DNS servers?
> >
> > http://isc.sans.org/diary.html?storyid=3D5713
> 
> I was surprised to see 'amplification' in the subject line here, since
> on my nameservers my replies are of equal length to the queries.  A
> little bit of asking around, and I see that it is an amplification
> attack, preying on old software.
> 
> Let me sum up;
> 
> If you're running 9.4 or later, you will reply to these packets with
> 45 octet RCODE:Refused replies.  1:1.  9.4 has an "allow-query-cache"
> directive that defaults to track allow-recursion, which you should
> have set appropriately.
> 
> If you're running 9.3 or earlier, you will reply to these queries
> "out of cache" (the root hints), and those replies can be 300-500
> octets I think.  1:6-11.
> 
> So in lieu of keeping a new up-to-date list of IP addresses to filter,
> as it expands and shrinks, you can greatly reduce your own footprint
> in these attacks with a quick upgrade.
> 
> --=20
> David W. Hankins	"If you don't do it right the first time,
> Software Engineer		     you'll just have to do it again."
> Internet Systems Consortium, Inc.		-- Jack T. Hankins
> 
> --J+eNKFoVC4T1DV3f
> Content-Type: application/pgp-signature
> Content-Disposition: inline
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.9 (GNU/Linux)
> 
> iEYEARECAAYFAkl2XtAACgkQcXeLeWu2vmrR+wCePhZM2IrxV1mCKpnpsL6RDPIk
> KnoAnRyVJpYrlan65MYJF7LRJc8nXJuj
> =F1Dc
> -----END PGP SIGNATURE-----
> 
> --J+eNKFoVC4T1DV3f--
> 

Or better yet trace the query traffic back to the offending source
and implement BCP38 there.  If the source won't implement BCP38
then de-peer them.  It's time to take back the "commons".

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org




More information about the NANOG mailing list