[110848] in North American Network Operators' Group
Re: DNS Amplification attack?
daemon@ATHENA.MIT.EDU (David W. Hankins)
Tue Jan 20 18:30:05 2009
Date: Tue, 20 Jan 2009 15:31:28 -0800
From: "David W. Hankins" <David_Hankins@isc.org>
To: nanog@nanog.org
In-Reply-To: <86A39458-2A2B-45D7-8968-811AAFF422A8@bsdboy.com>
Errors-To: nanog-bounces@nanog.org
--J+eNKFoVC4T1DV3f
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Tue, Jan 20, 2009 at 12:54:32PM -0800, Wil Schultz wrote:
> Anyone else noticing "." requests coming in to your DNS servers?
>
> http://isc.sans.org/diary.html?storyid=3D5713
I was surprised to see 'amplification' in the subject line here, since
on my nameservers my replies are of equal length to the queries. A
little bit of asking around, and I see that it is an amplification
attack, preying on old software.
Let me sum up;
If you're running 9.4 or later, you will reply to these packets with
45 octet RCODE:Refused replies. 1:1. 9.4 has an "allow-query-cache"
directive that defaults to track allow-recursion, which you should
have set appropriately.
If you're running 9.3 or earlier, you will reply to these queries
"out of cache" (the root hints), and those replies can be 300-500
octets I think. 1:6-11.
So in lieu of keeping a new up-to-date list of IP addresses to filter,
as it expands and shrinks, you can greatly reduce your own footprint
in these attacks with a quick upgrade.
--=20
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
--J+eNKFoVC4T1DV3f
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iEYEARECAAYFAkl2XtAACgkQcXeLeWu2vmrR+wCePhZM2IrxV1mCKpnpsL6RDPIk
KnoAnRyVJpYrlan65MYJF7LRJc8nXJuj
=F1Dc
-----END PGP SIGNATURE-----
--J+eNKFoVC4T1DV3f--
