DNS deluge for x.p.ctrc.cc

bmanning at vacation.karoshi.com
Sat Feb 25 08:41:01 UTC 2006


> ] other cctld servers have seen what are effectively ddos.  rob thomas
> ] seems to have the most clue on this, so i hope this troll will entice
> ] him to speak.
> 
> Did someone say "troll?"  :)
> 
> Yes, this is a real problem.  These attacks have exceeded several
> gigabits per second in size, and during one attack 122K DNS name
> servers were abused as amplifiers.  Ouch!
> 
> This abuse can be mitigated.  Here are a few tips.

	<there has -GOT- to be a better name for this>

> Limit recursion to trusted netblocks and customers.  Do not permit
> your name servers to provide recursion for the world.  If you do,
> you will contribute to one of these attacks.

	<recursion is a fundamental DNS design feature,
	 restricting it to "walled gardens" cripples its usefulness>

> Watch for queries to your name servers that ask for "ANY" related
> to a DNS RR outside of the zones for which you are authoritative.
> This DNS RR will be LARGE.

	<a valid concern, w/ the following caveat:  LARGE, relative
	 to current traffic>

> Limit UDP queries to 512 bytes.  This greatly decreases the
> amplification effect, though it doesn't stop it.

	<limiting UDP to 512 has other, unwanted effects,
	 edns0 for one... crippling ENUM, DNSSEC, IPv6, etc...
	 is this really what is wanted?>

> Scan your IP space for name servers that permit recursive queries.
> It's amazing just how many of these name servers exist.

	<yup... again, a feature that has made the DNS as useful as
	it has become>
> 
> Refer to the following guides for some excellent insight and
> suggestions.
> 
>    <http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf>
>    <http://cc.uoregon.edu/cnews/winter2006/recursive.htm>
>    <http://dns.measurement-factory.com/surveys/sum1.html>
> 
> Note we have our own Secure BIND Template which will help on the
> BIND side of life.
> 
>    <http://www.cymru.com/Documents/secure-bind-template.html>
> 
> If you need assistance with any of this, have endured one of these
> attacks, or have any other questions, please don't hesitate to ping
> on us at team-cymru at cymru.com.  We're here to assist!
> 
> Thanks!
> Rob.
> -- 
> Rob Thomas
> Team Cymru
> http://www.cymru.com/
> ASSERT(coffee != empty);

	ok, so i'm being a bit of a curmudgeon here but just how,
	if we throttle DNS to the minimum suite for today's services,
	can we be expected to add new features/services?   grump grump grump...

-- (grumpy) bill
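As an added illustration of Rob's first two tips (not code from either poster), here is a small Python checker that runs over constructed BIND-style query-log lines and flags recursive queries arriving from outside the trusted netblocks, plus ANY queries for names outside the zones the server is authoritative for. The zone name, trusted netblock and client addresses are assumptions made up for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of a BIND 9 query log (not real traffic).
SAMPLE_LOG = """\
client 192.0.2.10#41234: query: www.example.net IN A + (203.0.113.1)
client 198.51.100.7#41001: query: isc.org IN ANY + (203.0.113.1)
client 198.51.100.7#41002: query: isc.org IN ANY + (203.0.113.1)
client 192.0.2.11#5353: query: example.net IN ANY + (203.0.113.1)
client 203.0.113.200#33000: query: mail.example.net IN MX - (203.0.113.1)
client 198.51.100.9#41003: query: ripe.net IN ANY +E (203.0.113.1)
"""

# Assumptions for this example: the server is authoritative for example.net
# and recursion is meant to be offered only to the 192.0.2.0/24 customer block.
AUTHORITATIVE_ZONES = ("example.net",)
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# client <ip>#<port>: query: <name> IN <type> <flags> (<server ip>)
LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def in_zone(name, zones):
    """True if name is at or below one of the given zone apexes."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def classify(line):
    """Return the findings for one query-log line (empty list if benign)."""
    m = LINE_RE.search(line)
    if not m:
        return []
    ip, name, qtype, flags = m["ip"], m["name"], m["qtype"], m["flags"]
    findings = []
    foreign_name = not in_zone(name, AUTHORITATIVE_ZONES)
    # Tip 1: recursion desired ('+' flag) for a name we do not serve,
    # coming from a source outside the trusted netblocks.
    if flags.startswith("+") and foreign_name and not is_trusted(ip):
        findings.append("open-recursion")
    # Tip 2: ANY for a name outside our zones, the large-answer amplifier pattern.
    if qtype == "ANY" and foreign_name:
        findings.append("foreign-any")
    return findings

def summarize(log_text):
    """Count (source ip, finding) pairs across a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        for finding in classify(line):
            counts[(m["ip"], finding)] += 1
    return counts
```

Running summarize(SAMPLE_LOG) reports both findings for 198.51.100.7 and 198.51.100.9 only; the in-zone ANY from the customer block and the non-recursive MX lookup pass.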
