nanog mailing list archives

Re: [c-nsp] DNS amplification


From: Steven Fischer <sfischer1967 () gmail com>
Date: Sat, 16 Mar 2013 19:40:16 -0400

yes - and it presumes your DNS servers are based on Linux and use IPTables.

http://www.cryptonizer.com/dnsamp.html

http://serverfault.com/questions/418810/public-facing-recursive-dns-servers-iptables-rules

http://sf-alpha.bjgang.org/wordpress/2013/01/iptables-for-common-dns-amplification-attack-on-recursive-dns-inside-your-network/

these should give you a good idea of how to get started...


On Sat, Mar 16, 2013 at 6:24 PM, Jon Lewis <jlewis () lewis org> wrote:

On Sat, 16 Mar 2013, Robert Joosten wrote:

 Hi,

 Can anyone provide insight into how to defeat DNS amplification attacks?

Restrict resolvers to your customer networks.


And deploy RPF


uRPF / BCP38 is really the only solution.  Even if we did close all the
open recursion DNS servers (which is a good idea), the attackers would just
shift to another protocol/service that provides amplification of traffic
and can be aimed via spoofed source address packets.  Going after DNS is
playing whack-a-mole.  DNS is the hip one right now.  It's not the only one
available.

Many networks will say "but our gear doesn't do uRPF, and maintaining an
ACL on every customer port is too hard / doesn't scale."

Consider an alternative solution.  On a typical small ISP / small service
provider network, if you were to ACL every customer (because your gear
won't do uRPF), you might need hundreds or even thousands of ACLs. However,
if you were to put output filters on your transit connections, allowing
traffic sourced from all IP networks "valid" inside your network, you might
find that all you need is a single ACL of a handful to several dozen
entries.  Having one ACL to maintain that only needs changing if you get a
new IP allocation or add/remove a customer who has their own IPs really
isn't all that difficult.  As far as the rest of the internet is concerned,
this solves the issue of spoofed IP packets leaving your network.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
                             |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________




-- 
To him who is able to keep you from falling and to present you before his
glorious presence without fault and with great joy
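Jon Lewis's single-ACL approach above, as an added example that is not part of the thread: a short Python script (assumptions: Cisco IOS style extended ACL syntax, and constructed prefixes from the documentation ranges standing in for an ISP's own allocations and one customer who has their own IPs). It builds the egress ACL from the list of prefixes valid inside the network, computing the wildcard masks the ACL needs, and then checks constructed outbound packets against the same list so that packets with spoofed sources are dropped before they reach transit.

```python
import ipaddress

# Constructed data: the prefixes that are "valid" sources inside a hypothetical
# small ISP (its own allocations plus one customer with their own address space).
VALID_SOURCE_PREFIXES = [
    "192.0.2.0/24",       # own allocation
    "198.51.100.0/24",    # own allocation
    "203.0.113.128/25",   # customer who brings their own IPs
]

# Constructed outbound packets as (source, destination) pairs seen on the transit
# port.  The last two carry sources that do not belong to this network, i.e. the
# spoofed-source traffic that feeds reflection/amplification attacks.
SAMPLE_OUTBOUND = [
    ("192.0.2.10", "198.51.100.53"),
    ("203.0.113.200", "192.0.2.53"),
    ("203.0.113.5", "192.0.2.53"),     # outside the customer's /25
    ("10.0.0.5", "192.0.2.53"),        # private space, never valid on transit
]


def valid_networks(prefixes):
    """Parse the prefix list once; strict=True rejects a prefix whose host bits are set."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def build_egress_acl(prefixes, name="BCP38-OUT"):
    """Return Cisco IOS style extended ACL lines that permit only packets sourced
    from the given prefixes and deny (and log) everything else.  IOS ACLs take a
    wildcard mask (the inverse of the netmask), which ipaddress exposes as hostmask."""
    lines = [f"ip access-list extended {name}"]
    for net in valid_networks(prefixes):
        if net.prefixlen == net.max_prefixlen:
            lines.append(f" permit ip host {net.network_address} any")
        else:
            lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return lines


def egress_permitted(src_ip, prefixes):
    """True if the source address falls inside one of the valid prefixes.
    An address of the other IP version never matches, so a mixed list is safe."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in valid_networks(prefixes))


def filter_outbound(packets, prefixes):
    """Apply the egress check to (src, dst) packets; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if egress_permitted(src, prefixes) else dropped).append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    print("\n".join(build_egress_acl(VALID_SOURCE_PREFIXES)))
    fwd, drop = filter_outbound(SAMPLE_OUTBOUND, VALID_SOURCE_PREFIXES)
    print(f"forwarded: {fwd}")
    print(f"dropped (spoofed source): {drop}")
```

The generated list is one entry per valid prefix plus a final deny, which is the "handful to several dozen entries" Jon describes; it only changes when an allocation is added or a customer with their own IPs comes or goes. On IOS the list would be attached to the transit interface with `ip access-group BCP38-OUT out`; the `log` keyword on the deny gives you a record of which internal hosts are emitting spoofed packets, which is where an amplification source inside your network shows up first.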

