DNS Amplification attack?

David W. Hankins David_Hankins at isc.org
Tue Jan 20 23:31:28 UTC 2009


On Tue, Jan 20, 2009 at 12:54:32PM -0800, Wil Schultz wrote:
> Anyone else noticing "." requests coming in to your DNS servers?
>
> http://isc.sans.org/diary.html?storyid=5713

I was surprised to see 'amplification' in the subject line here, since
on my nameservers my replies are of equal length to the queries.  A
little bit of asking around, and I see that it is an amplification
attack, preying on old software.

Let me sum up;

If you're running 9.4 or later, you will reply to these packets with
45 octet RCODE:Refused replies.  1:1.  9.4 has an "allow-query-cache"
directive that defaults to track allow-recursion, which you should
have set appropriately.

If you're running 9.3 or earlier, you will reply to these queries
"out of cache" (the root hints), and those replies can be 300-500
octets I think.  1:6-11.

So in lieu of keeping a new up-to-date list of IP addresses to filter,
as it expands and shrinks, you can greatly reduce your own footprint
in these attacks with a quick upgrade.

-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20090120/5905dbc1/attachment.sig>


More information about the NANOG mailing list