[162791] in North American Network Operators' Group
Re: Mitigating DNS amplification attacks
daemon@ATHENA.MIT.EDU (Doug Barton)
Wed May 1 16:02:08 2013
Date: Wed, 01 May 2013 13:01:59 -0700
From: Doug Barton <dougb@dougbarton.us>
To: nanog@nanog.org
In-Reply-To: <CDA5D62D.10DBD%tstpierre@iweb.com>
On 04/30/2013 05:28 PM, Thomas St-Pierre wrote:
> The large majority of the servers being used in the attacks are not
> open resolvers. Just DNS servers that are authoritative for a few
> domains, and the default config of the dns application does referrals
> to root for anything else.
It sounds like you're already aware that this is the default behavior
for an authoritative-only server, and while the referral to the roots is
a largeish response and has been used for amplification attacks, it's
also rather difficult to mitigate against.
A BIND server can be configured to not do that, but contacting each of
your customers about it might not have a good ROI. See
https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
for more information.
Meanwhile, thank you very much for being proactive in this regard. Would
that more SPs were as net.responsible as you. :)
Doug
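As an added illustration, not part of the thread, here is a small check a zone operator could run against their own authoritative server to see whether it gives the upward referral discussed above. It classifies the reply to an out-of-zone query as an upward referral (NOERROR, empty answer section, root NS records in the authority section) versus a REFUSED reply, and reports the size ratio between reply and query. The query name, server names and 192.0.2.x addresses in the sample messages are constructed; nothing is sent on the network.

```python
import struct

def dns_name(name):
    """Encode a dotted name in DNS wire format ("." encodes as a single zero byte)."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, qid=0x1234):
    """Minimal A/IN query with RD clear, as a non-recursive client would send it."""
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + dns_name(qname) + struct.pack("!HH", 1, 1)

def rr(name, rtype, ttl, rdata):
    """Encode one uncompressed resource record of class IN."""
    return dns_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def skip_name(msg, off):
    """Return the offset just past the name starting at off (handles compression pointers)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += n + 1

def classify(query, resp):
    """Classify a reply to an out-of-zone query: upward referral, or something harmless."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip QNAME, then QTYPE and QCLASS
    root_ns = 0
    for i in range(an + ns + ar):
        start = off
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if an <= i < an + ns and rtype == 2 and resp[start] == 0:
            root_ns += 1  # an NS record owned by "." in the authority section
    rcode = flags & 0x0F
    return {"rcode": rcode, "root_ns_records": root_ns,
            "upward_referral": rcode == 0 and an == 0 and root_ns > 0,
            "amplification": len(resp) / len(query)}

# Constructed sample traffic (not captured from a real server; 192.0.2.0/24 is a documentation range).
QUERY = build_query("nonexistent.example")
UPWARD_REFERRAL = (struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 2, 2) + QUERY[12:]
    + rr(".", 2, 518400, dns_name("a.root-servers.net"))
    + rr(".", 2, 518400, dns_name("b.root-servers.net"))
    + rr("a.root-servers.net", 1, 518400, bytes([192, 0, 2, 1]))
    + rr("b.root-servers.net", 1, 518400, bytes([192, 0, 2, 2])))
REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    for label, resp in (("upward referral", UPWARD_REFERRAL), ("REFUSED", REFUSED)):
        print(label, classify(QUERY, resp))
```

To test a live server you operate, send `QUERY` over UDP to its port 53 and pass the reply to `classify`; a server that has stopped returning upward referrals should come back with RCODE 5 and a ratio near 1.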