[110899] in North American Network Operators' Group
Re: DNS Amplification attack?
daemon@ATHENA.MIT.EDU (Crist Clark)
Wed Jan 21 14:24:00 2009
Date: Wed, 21 Jan 2009 11:23:47 -0800
From: "Crist Clark" <Crist.Clark@globalstar.com>
To: "Mark Andrews" <Mark_Andrews@isc.org>
In-Reply-To: <200901210323.n0L3NWRf002868@drugs.dv.isc.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
>>> On 1/20/2009 at 7:23 PM, Mark Andrews <Mark_Andrews@isc.org> wrote:
> In message <20090121140825.xwdzd4p64kgwo4go@web1.nswh.com.au>,=20
> jay@miscreant.or=20
> g writes:
>> > On Tue, Jan 20, 2009 at 9:16 PM, Kameron Gasso <kgasso-lists@visp.net>=
wro=3D
>> te:
>>=20
>> > We're also seeing a great number of these, but the idiots spoofing =
the
>> > queries are hitting several non-recursive nameservers we host - and =
only
>> > generating 59-byte "REFUSED" replies.
>> >
>> > Looks like they probably just grabbed a bunch of DNS hosts out of =
WHOIS
>> > and hoped that they were recursive resolvers.
>>=20
>> First post to this list, play nice :)
>>=20
>> Are you sure about this? I'm seeing these requests on /every/ =3D20
>> (unrelated) NS I have access to, which numbers several dozen, in =3D20
>> various countries across the world, and from various registries (.net, =
=3D20
>> .org, .com.au). The spread of servers I've checked is so random that =
=3D20
>> I'm wondering just how many NS records they've laid their hands on.
>>=20
>> I've also noticed that on a server running BIND 9.3.4-P1 with =3D20
>> recursion disabled, they're still appear to be getting the list of =
=3D20
>> root NS's from cache, which is a 272-byte response to a 61-byte =3D20
>> request, which by my definition is an amplification.
>=20
> BIND 9.3.4-P1 is past end-of-life.
>=20
> You need to properly set allow-query at both the option/view
> level and at the zone level to prevent retrieving answers
> from the cache in 9.3.x.
>=20
> option/view level "allow-query { trusted; };"
> zone level "allow-query { any; };"
>=20
> BIND 9.4.x and later have allow-query-cache make the
> configuration job easier. It also defaults to directly
> connected networks.
Another BIND-specific question since we're on the topic. I see
some of our authorative servers being hit with these spoofs, and
yes, the 9.3.5-P1 (that's what Sun supports in Solaris these
days) were sending back answers from the cache... but wait...
what cache?
The view the Internet gets only has our authorative zones. There
is no declaration for the root zone, master, slave, or hints.
How does BIND have the root cached in that view? Where did it
get it from? I guess it's hard coded somewhere?
Blocking this in the firewall. 1:0 amplification better than the
BIND fix, 1:1. But I'll get to the BIND fix anyway.
