[111069] in North American Network Operators' Group
RE: Tightened DNS security question re: DNS amplification attacks.
daemon@ATHENA.MIT.EDU (David Zielezna)
Tue Jan 27 22:59:47 2009
Date: Wed, 28 Jan 2009 14:59:29 +1100
In-Reply-To: <497FD54B.9010601@ibctech.ca>
From: "David Zielezna" <David.Zielezna@acma.gov.au>
To: "Steve Bertrand" <steve@ibctech.ca>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
I'm checking just with a mix of tcpdump/pcap, bind logs and p0f. A bit
overboard, but logging is fun.
I haven't checked any dark hosts to see whether the attack repeatedly
sends queries to IPs which have never given an answer or indication of
any kind of life. Your monitoring will probably determine this so let
us know what behavior you find.
DZ
-----Original Message-----
=46rom: Steve Bertrand [mailto:steve@ibctech.ca]
Sent: Wednesday, 28 January 2009 2:47 PM
To: David Zielezna
Cc: John Martinez; nanog@nanog.org
Subject: Re: Tightened DNS security question re: DNS amplification
attacks. [SEC=3DUNCLASSIFIED]
Good work!
How are you checking for this by hand=3F
Would it be safe to assume that running tcpdump on a box in the
=66ollowing manner on a monitor port for a sizable portion of the network
be ok (as opposed to the DNS servers themselves, as I don't have control
over them all)=3F
sniffer# tcpdump -n -i em5 dst port 53 | grep "NS=3F . (17)"
22:38:31.150114 IP 64.57.246.146.43581 > 208.70.106.58.53: 23685+ NS=3F .
(17)
We have a mix of DNS servers, some BIND and some DJBDNS, a BIND ACL
won't work here. We also have single-homed clients that run accessible
DNS servers that appear to be Windows based.
ACL's outside of the BIND scope would be fantastic.
=46or now, I'm following the above list, and blocking everything ingress
that is not source port 53 from the IP to my network 53.
Steve
If you have received this email in error, please notify the sender =
immediately and erase all copies of the email and any attachments to it. Th=
e=
information contained in this email and any attachments may be private, =
confidential and legally privileged or the subject of copyright. If you are=
=
not the addressee it may be illegal to review, disclose, use, forward, or =
=
distribute this email and/or its contents.
=20
Unless otherwise specified, the information in the email and any attachment=
s=
is intended as a guide only and should not be relied upon as legal or =
technical advice or regarded as a substitute for legal or technical advice =
=
in individual cases. Opinions contained in this email or any of its =
attachments do not necessarily reflect the opinions of ACMA.
