nanog mailing list archives
Re: Mitigating DNS amplification attacks
From: Doug Barton <dougb () dougbarton us>
Date: Wed, 01 May 2013 13:01:59 -0700
On 04/30/2013 05:28 PM, Thomas St-Pierre wrote:
> The large majority of the servers being used in the attacks are not open resolvers. Just DNS servers that are authoritative for a few domains, and the default config of the dns application does referrals to root for anything else.
It sounds like you're already aware that this is the default behavior for an authoritative-only server, and while the referral to the roots is a largeish response and has been used for amplification attacks, it's also rather difficult to mitigate against.
A BIND server can be configured to not do that, but contacting each of your customers about it might not have a good ROI. See https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful for more information.
Meanwhile, thank you very much for being proactive in this regard. Would that more SPs were as net.responsible as you. :)
Doug
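For readers who want to see what "configuring a BIND server to not do that" looks like in practice, here is an added example of a minimal named.conf for an authoritative-only BIND 9 server. It is not part of Doug's message and not an ISC-supplied configuration; the zone names, file paths, master address and rate-limit numbers are made up for illustration. The weak setting (a root hint zone on a server that does not recurse) is shown commented out next to the hardened options.

```conf
// Added example (not from the thread or from ISC): authoritative-only
// BIND 9 named.conf.  Zone names, paths and addresses are invented.

options {
    directory "/var/named";

    // This server answers only for its own zones.  Recursive queries from
    // anyone are refused instead of being answered from the cache.
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };

    // Do not pad answers with extra records; smaller responses mean less
    // amplification for whatever the server still has to answer.
    minimal-responses yes;

    // Response rate limiting.  Built into BIND 9.9.4 and later; at the
    // time of this thread it was still a separate patch.  The numbers
    // are illustrative starting points, not a tuned recommendation.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;    // every 2nd rate-limited answer is a small TC reply
    };
};

// WEAK: a root hint zone on an authoritative-only server.  With recursion
// off, older BIND versions answer any query for a name outside their zones
// with an upward referral (the full root NS set), a response many times
// larger than the query.  Remove this stanza from an authoritative-only
// server; it is only needed where the server actually recurses.
//
// zone "." {
//     type hint;
//     file "named.ca";
// };

// The zones this server is actually responsible for (names invented).
zone "example.com" {
    type master;
    file "master/example.com.db";
};

zone "example.net" {
    type slave;
    masters { 192.0.2.1; };
    file "slave/example.net.db";
};
```

To check the result from outside, send a non-recursive query for a name the server is not authoritative for, for instance `dig @ns1.example.com example.org A +norecurse` (hostnames invented). A correctly configured server returns a short REFUSED (or similar non-answer) with an empty AUTHORITY section; a response whose AUTHORITY section lists `a.root-servers.net` and friends means upward referrals are still being sent. Customers who need recursion should get it from separate resolvers with `allow-recursion` limited to their own address ranges, not from the authoritative servers.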
Current thread:
- Re: Mitigating DNS amplification attacks Dobbins, Roland (Apr 30)
- Re: Mitigating DNS amplification attacks Thomas St-Pierre (Apr 30)
- Re: Mitigating DNS amplification attacks Damian Menscher (Apr 30)
- Re: Mitigating DNS amplification attacks Thomas St-Pierre (Apr 30)
- Re: Mitigating DNS amplification attacks Dobbins, Roland (Apr 30)
- Re: Mitigating DNS amplification attacks Damian Menscher (Apr 30)
- Re: Mitigating DNS amplification attacks Doug Barton (May 01)
- Re: Mitigating DNS amplification attacks Thomas St-Pierre (Apr 30)
- <Possible follow-ups>
- Re: Mitigating DNS amplification attacks Jared Mauch (Apr 30)
- Re: Mitigating DNS amplification attacks Jeff Wheeler (May 01)
- Re: Mitigating DNS amplification attacks Dobbins, Roland (May 01)
- Re: Mitigating DNS amplification attacks Alain Hebert (May 01)
- Re: Mitigating DNS amplification attacks Jeff Wheeler (May 01)