Re: recursive DNS servers DDoS as a growing DDoS problem

[gboyce <gboyce () badbelly com>]

On Sun, 26 Mar 2006, Geo. wrote:

> > Spoofing is indeed the attack vector and it can also be utilized for
> > NTP, ICMP, etc. It is to blame.
> >
> > Still, DNS is what's being exploited and in my opinion a broken feature
> > being exploited needs fixing, or it will be exploited.
>
> What feature of DNS is being exploited, UDP or the fact that there are a lot
> of dns servers you can use?
>
> If you have a 20,000 bot botnet and each bot has 2 defined recursive dns
> servers that it is allowed to use and these bots are on the local subnet (ie
> BCP38 is implimented at the gateway but not at every router) then how
> exactly is locking down recursive servers so you can only use yours going to
> solve anything?

Right now you don't need the 20,000 bot botnet.  You can find plenty of 
recursive nameservers to send large responses to your victim.  Even if we 
moved to a state where a 20,000 bot botnet could take you down, that's 
still better than anyone on a cable modem can take you down.

However, properly fixed the 20,000 bot botnet isn't able to perform this 
sort of attack unless all 20,000 bots are on your ISPs network.

Each bot has 2 nameservers.  Properly configured, those nameservers should 
only send responses to the customers of the ISP in question (this would 
require dns server changes, not firewall rules blocking the requests).

If the victim of the attack is not on the list of allowed clients, then 
the bot would send the request to its own nameservers, and the nameservers 
would refuse to respond since the victim is not an allowed IP.

Greg