[RndTbl] DNS Amplification DoS

Gilles Detillieux grdetil at scrc.umanitoba.ca
Mon Sep 17 14:36:05 CDT 2012


My understanding is that open DNS servers that allow unrestricted 
recursion are frowned upon these days, for the very reasons for which 
you've expressed concern.  I believe best practice nowadays is to 
specify a limited set of subnets for which you allow recursion. For 
example, at the U of M we'll typically include something like the 
following in the "options" section of our named.conf files, to prevent 
recursive lookups from outside users:

     allow-recursion {
         140.193.0.0/16;
         130.179.0.0/16;
     };

On 17/09/2012 2:16 PM, Paul Sierks wrote:
> I recently saw iftop showing a couple "connections" of  ~200Kbps 
> persistently on a box and because this wasn't the usual, I looked into 
> it. Turns out it was caused by DNS lookups of type ANY ripe.net 
> repeatedly. I can only assume this is an amplification attack. This 
> box uses BIND 9.9.1-P3, is public facing, and does recursive lookups 
> (also authoritative). Now that that's out of the way, I'm 
> looking/thinking of ways to prevent this, obviously. This isn't 
> causing a problem on a 100Mb link now but could get there quickly. As 
> far as I know I don't have a lot of options, maybe iptables with some 
> sort of limiting. ACLs would normally help, and would be perfect if I 
> could get it to use a SQL database as the backend, and use that as a 
> whitelist to at least mitigate the issue. If anyone has experience on 
> the subject or an idea, it is much appreciated.

-- 
Gilles R. Detillieux              E-mail: <grdetil at scrc.umanitoba.ca>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/
Dept. Physiology, U. of Manitoba  Winnipeg, MB  R3E 0J9  (Canada)
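An added example, not part of the original message: this script reads the allow-recursion block out of a named.conf excerpt, decides whether a given client address falls inside it, and counts type ANY queries in BIND query-log lines from clients the ACL would refuse. The config and log lines are constructed samples; allow-recursion only governs recursive lookups, so queries for zones the server is authoritative for are still answered regardless of this ACL.

```python
import ipaddress
import re

# Constructed excerpt of a named.conf "options" section (sample input).
NAMED_CONF = """
options {
    directory "/var/named";
    allow-recursion {
        140.193.0.0/16;
        130.179.0.0/16;
    };
};
"""

# Constructed BIND 9 query-log lines (sample input), following the
# "client IP#port: query: NAME CLASS TYPE flags (server-ip)" layout.
QUERY_LOG = """\
17-Sep-2012 14:10:01.101 client 203.0.113.5#53211: query: ripe.net IN ANY +E (140.193.1.1)
17-Sep-2012 14:10:01.102 client 203.0.113.5#53211: query: ripe.net IN ANY +E (140.193.1.1)
17-Sep-2012 14:10:01.250 client 140.193.20.7#40123: query: www.umanitoba.ca IN A +E (140.193.1.1)
17-Sep-2012 14:10:02.003 client 198.51.100.9#1053: query: ripe.net IN ANY +E (140.193.1.1)
17-Sep-2012 14:10:02.400 client 130.179.4.4#5555: query: ripe.net IN ANY +E (140.193.1.1)
"""

def parse_allow_recursion(conf):
    """Return the networks listed in the allow-recursion block (empty if absent)."""
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", conf)
    if not m:
        return []
    return [ipaddress.ip_network(tok.strip())
            for tok in m.group(1).split(";") if tok.strip()]

def recursion_allowed(networks, client_ip):
    """True if client_ip is inside one of the allow-recursion networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

LOG_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")

def outside_any_queries(log_text, networks):
    """Count ANY queries per client that the ACL would refuse recursion to."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        client, _qname, qtype = m.groups()
        if qtype == "ANY" and not recursion_allowed(networks, client):
            counts[client] = counts.get(client, 0) + 1
    return counts

if __name__ == "__main__":
    nets = parse_allow_recursion(NAMED_CONF)
    print(outside_any_queries(QUERY_LOG, nets))
```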
