Mitigating DNS amplification attacks
Doug Barton
dougb at dougbarton.us
Wed May 1 20:01:59 UTC 2013
On 04/30/2013 05:28 PM, Thomas St-Pierre wrote:
> The large majority of the servers being used in the attacks are not
> open resolvers. Just DNS servers that are authoritative for a few
> domains, and the default config of the dns application does referrals
> to root for anything else.
It sounds like you're already aware that this is the default behavior
for an authoritative-only server, and while the referral to the roots is
a largeish response and has been used for amplification attacks, it's
also rather difficult to mitigate against.
A BIND server can be configured to not do that, but contacting each of
your customers about it might not have a good ROI. See
https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
for more information.
Meanwhile, thank you very much for being proactive in this regard. Would
that more SPs were as net.responsible as you. :)
Doug
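What the BIND change Doug refers to looks like in practice, as an added example that is not part of the original thread: the referral-prone default for an authoritative-only server beside a hardened named.conf of the BIND 9.9 era. The zone name, file path and rate-limit values are assumptions, not values from the thread.

```conf
// BEFORE (weak default): recursion is off, but nothing else is set, so a
// query for a name this server is not authoritative for gets an upward
// referral to the root servers. That referral is the large response the
// thread describes, and it is what gets reflected at spoofed sources.
// (Each "options" block below belongs in its own named.conf; they are
// shown together only for comparison.)
options {
    recursion no;
};

// AFTER (hardened, following the dns-oarc article Doug links):
options {
    recursion no;

    // Do not serve additional/glue data out of the cache, where the root
    // hints live. Together with "recursion no", BIND then answers queries
    // for names outside its zones with REFUSED instead of a referral.
    // Newer BIND releases changed this behaviour by default and deprecate
    // the option; check the ARM for the version you run.
    additional-from-cache no;

    // Omit optional authority and additional records from authoritative
    // answers, so even legitimate responses amplify less.
    minimal-responses yes;

    // Response Rate Limiting (BIND 9.9.4+, or the RRL patch before that):
    // throttle identical answers to the same client netblock. The numbers
    // are assumed starting points to tune per server.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
    };
};

// The zones this server is actually authoritative for (placeholder name
// and path). Anything outside them is now refused, not referred upward.
zone "example.net" {
    type master;
    file "/etc/bind/db.example.net";
};
```

After reloading, a `dig @<your-server> <unrelated-name> NS` should come back with status REFUSED and no authority section instead of the root NS list.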