nanog mailing list archives
Re: DNS Amplification attack?
From: David Coulthart <davec () columbia edu>
Date: Wed, 21 Jan 2009 08:45:22 -0500
On Jan 20, 2009, at 6:31 PM, David W. Hankins wrote:
> On Tue, Jan 20, 2009 at 12:54:32PM -0800, Wil Schultz wrote:
>> Anyone else noticing "." requests coming in to your DNS servers?
>> http://isc.sans.org/diary.html?storyid=5713
>
> I was surprised to see 'amplification' in the subject line here, since on my nameservers my replies are of equal length to the queries. A little bit of asking around, and I see that it is an amplification attack, preying on old software.
>
> Let me sum up; If you're running 9.4 or later, you will reply to these packets with 45 octet RCODE:Refused replies. 1:1. 9.4 has an "allow-query-cache" directive that defaults to track allow-recursion, which you should have set appropriately.
After reading this thread, I decided it was prudent to test my authoritative nameservers & was surprised to discover I could retrieve cached records from my nameserver even though I have "recursion no;" in my options stanza in named.conf. Re-reading the ARM, I see that behavior is expected. But is there some reason not to set "allow-recursion { none; };" since I already have recursion disabled?
Thanks, Dave Coulthart
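As an added illustration of the two configurations discussed above (this is an example written for this page, not a fragment posted by anyone in the thread), here is the options stanza of an authoritative-only BIND 9.4 server before and after the change Dave is asking about. The zone name, directory and file names are placeholders. The "before" comment relies on the default chain documented in the BIND 9.4 ARM: when allow-query-cache is not set it follows allow-recursion, then allow-query, and only then the built-in localnets/localhost default, which is why an authoritative server with "allow-query { any; };" and only "recursion no;" still hands out cached data.

```conf
// Added example, not from the NANOG thread. Two alternative named.conf
// fragments for a BIND 9.4+ authoritative-only server; use one or the other,
// never both options stanzas in the same file.

// --- Before: what the thread describes ---
// "recursion no;" stops the server from recursing on a client's behalf, but a
// query for a name that is already in the cache (with or without the RD bit)
// is still answered, because allow-query-cache was never set and falls back
// to allow-query, which here is "any".
options {
    directory "/var/named";          // placeholder
    recursion no;
    allow-query { any; };            // needed so the world can reach our zones
};

// --- After: deny recursion and cache access explicitly ---
// Authoritative data for the zones below is still served to everyone;
// anything that would have to come from the cache now gets RCODE REFUSED,
// the small 1:1 reply the thread mentions.
options {
    directory "/var/named";          // placeholder
    recursion no;
    allow-recursion { none; };       // nobody may ask us to recurse
    allow-query-cache { none; };     // nobody may read non-authoritative data
    allow-query { any; };            // authoritative zones remain public
};

zone "example.net" {                 // placeholder zone
    type master;
    file "example.net.zone";         // placeholder file
};
```

After reloading with the second stanza, a non-recursive query for a name the server is not authoritative for (for instance with dig's +norecurse option) should return REFUSED rather than an answer, while queries for example.net still return the zone data; that is the check Dave describes running against his own servers.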
Current thread:
- DNS Amplification attack? Wil Schultz (Jan 20)
- Re: DNS Amplification attack? Raoul Bhatia [IPAX] (Jan 20)
- Re: DNS Amplification attack? David W. Hankins (Jan 20)
- Re: DNS Amplification attack? Mark Andrews (Jan 20)
- Re: DNS Amplification attack? David Coulthart (Jan 21)
- Re: DNS Amplification attack? Kameron Gasso (Jan 20)
- Re: DNS Amplification attack? Christopher Morrow (Jan 20)
- Re: DNS Amplification attack? Kameron Gasso (Jan 20)
- Re: DNS Amplification attack? Christopher Morrow (Jan 20)
- Re: DNS Amplification attack? Chris Adams (Jan 20)
- Re: DNS Amplification attack? Stuart Henderson (Jan 21)
- Re: DNS Amplification attack? Christopher Morrow (Jan 20)
- <Possible follow-ups>
- Re: DNS Amplification attack? jay (Jan 20)
- Re: DNS Amplification attack? Chris Adams (Jan 20)
- Re: DNS Amplification attack? jay (Jan 20)
- Re: DNS Amplification attack? Mark Andrews (Jan 20)
- Re: DNS Amplification attack? Chris Adams (Jan 20)