nanog mailing list archives
Re: DNS Amplification attack?
From: Mark Andrews <Mark_Andrews () isc org>
Date: Wed, 21 Jan 2009 12:28:49 +1100
In message <20090120233128.GI15562 () isc org>, "David W. Hankins" writes:
On Tue, Jan 20, 2009 at 12:54:32PM -0800, Wil Schultz wrote:

Anyone else noticing "." requests coming in to your DNS servers?

http://isc.sans.org/diary.html?storyid=5713

I was surprised to see 'amplification' in the subject line here, since on my nameservers my replies are of equal length to the queries. A little bit of asking around, and I see that it is an amplification attack, preying on old software.

Let me sum up:

If you're running 9.4 or later, you will reply to these packets with 45 octet RCODE:Refused replies. 1:1. 9.4 has an "allow-query-cache" directive that defaults to track allow-recursion, which you should have set appropriately.

If you're running 9.3 or earlier, you will reply to these queries "out of cache" (the root hints), and those replies can be 300-500 octets I think. 1:6-11.

So in lieu of keeping a new up-to-date list of IP addresses to filter, as it expands and shrinks, you can greatly reduce your own footprint in these attacks with a quick upgrade.

-- 
David W. Hankins                     "If you don't do it right the first time,
Software Engineer                         you'll just have to do it again."
Internet Systems Consortium, Inc.              -- Jack T. Hankins
Or better yet, trace the query traffic back to the offending source and implement BCP38 there. If the source won't implement BCP38 then de-peer them.

It's time to take back the "commons".

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews () isc org
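As an added example, not code from either message or from ISC: both posts start from the same first step, finding the "." queries in your own query log and counting them per claimed source, so that you know which addresses are being reflected at and which ingress to trace (Mark's point) and how much traffic a version upgrade would shrink (David's point). The log lines below are constructed, and the line format is assumed to follow the BIND 9 query-log style "client IP#port: query: NAME CLASS TYPE flags".

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log style (assumed format:
# "<timestamp> client <ip>#<port>: query: <name> <class> <type> <flags>").
SAMPLE_LOG = """\
20-Jan-2009 12:54:32.101 client 198.51.100.7#53: query: . IN NS +
20-Jan-2009 12:54:32.102 client 198.51.100.7#53: query: . IN NS +
20-Jan-2009 12:54:32.110 client 10.0.0.5#41234: query: www.example.com IN A +
20-Jan-2009 12:54:32.120 client 203.0.113.9#53: query: . IN ANY +E
20-Jan-2009 12:54:32.130 client 198.51.100.7#53: query: . IN NS +
20-Jan-2009 12:54:32.140 client 10.0.0.6#51000: query: . IN NS +
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)

def parse_query_line(line):
    """Return (ip, port, name, qtype) for a query-log line, or None if it does not match."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), int(m.group("port")), m.group("name"), m.group("qtype")

def external_root_queries(log_text, local_nets):
    """Count queries for '.' from outside local_nets, keyed by claimed source IP.
    In a reflection attack the claimed source is the spoofed victim, so this
    shows who is being hit and which ingress to trace, not the attacker."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ip, _port, name, _qtype = parsed
        if name != ".":
            continue                      # only the root-name queries matter here
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue                      # our own clients are allowed to ask
        hits[ip] += 1
    return hits

if __name__ == "__main__":
    for ip, n in external_root_queries(SAMPLE_LOG, ["10.0.0.0/8"]).most_common():
        print(f"{ip}\t{n} root queries")
```

Feed it a real query log (named.conf `querylog yes;` or `rndc querylog`) and treat the top addresses as the reflection targets to notify and to trace upstream, not as attackers to block.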