[110864] in North American Network Operators' Group
Re: DNS Amplification attack?
daemon@ATHENA.MIT.EDU (Mark Andrews)
Tue Jan 20 22:23:52 2009
To: jay@miscreant.org
From: Mark Andrews <Mark_Andrews@isc.org>
In-reply-to: Your message of "Wed, 21 Jan 2009 14:08:25 +1100."
<20090121140825.xwdzd4p64kgwo4go@web1.nswh.com.au>
Date: Wed, 21 Jan 2009 14:23:32 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
In message <20090121140825.xwdzd4p64kgwo4go@web1.nswh.com.au>, jay@miscreant.or
g writes:
> > On Tue, Jan 20, 2009 at 9:16 PM, Kameron Gasso <kgasso-lists@visp.net> wro=
> te:
>
> > We're also seeing a great number of these, but the idiots spoofing the
> > queries are hitting several non-recursive nameservers we host - and only
> > generating 59-byte "REFUSED" replies.
> >
> > Looks like they probably just grabbed a bunch of DNS hosts out of WHOIS
> > and hoped that they were recursive resolvers.
>
> First post to this list, play nice :)
>
> Are you sure about this? I'm seeing these requests on /every/ =20
> (unrelated) NS I have access to, which numbers several dozen, in =20
> various countries across the world, and from various registries (.net, =20
> .org, .com.au). The spread of servers I've checked is so random that =20
> I'm wondering just how many NS records they've laid their hands on.
>
> I've also noticed that on a server running BIND 9.3.4-P1 with =20
> recursion disabled, they're still appear to be getting the list of =20
> root NS's from cache, which is a 272-byte response to a 61-byte =20
> request, which by my definition is an amplification.
BIND 9.3.4-P1 is past end-of-life.
You need to properly set allow-query at both the option/view
level and at the zone level to prevent retrieving answers
from the cache in 9.3.x.
option/view level "allow-query { trusted; };"
zone level "allow-query { any; };"
BIND 9.4.x and later have allow-query-cache make the
configuration job easier. It also defaults to directly
connected networks.
Mark
> Cheers,
>
> Jay
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
