Chris,

Yes, many sites are seeing increasing "background noise" from Internet hosts 
repetitively submitting DNS queries, especially for ANY.  Amplification 
attacks, or simply burning CPU cycles.

It's starting to look like per-client-IP rate-limiting features are necessary, 
with intelligent defaults, to ensure applications facing the Internet are 
protected out-of-the-box, while service providers and others with IT staff can 
adjust the settings where necessary.  The current default settings for most 
applications, which provide unlimited responses to any IP address, especially for 
non-stateful protocols (e.g. UDP), are proving to be noisy.

Where some customers haven't implemented rate-limiting within BIND, mitigation 
is available at the O/S and network layer.  As an example, there are connection 
limits that can be enforced with iptables on Linux.  Per-source-IP connection 
limits can also be restricted on Cisco ASA firewalls (and likely other vendor 
products).

There is a patch available for rate-limiting inside BIND.

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of 
[email protected]
Sent: Monday, December 17, 2012 2:27 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [dns-operations] DNS ANY requests from Amazon?

> I'm seeing a bunch of DNS ANY requests to my authoritative servers 
> with Amazon EC2 source IPs.  I guess somebody is now trying to run an 
> amplification attack against Amazon?

Highly likely.

> This is the first time I've seen Amazon targeted this way; are others 
> seeing this (am I just late to the party)?

You're just late to the party. This has been going on for months.

Steinar Haug, AS 2116

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
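One way to apply the per-source-IP limits the reply above describes at the Linux layer, as an added example that is not part of the thread and not BIND's own rate-limiting patch. It uses the iptables hashlimit match (a per-source-IP token bucket) for UDP/53 and connlimit for TCP/53. The interface name, rate, burst and connection-cap values are assumed defaults that must be tuned to the server's real query volume; with DRY_RUN=1 (the default here) the rules are printed for review instead of applied.

```shell
#!/bin/sh
# Added example (not from the list thread): per-source-IP rate limiting for an
# authoritative DNS server with iptables. Values below are assumed defaults;
# tune them for the query volume the server actually sees. DRY_RUN=1 prints
# the iptables commands instead of running them, so the set can be reviewed.

IFACE="${IFACE:-eth0}"          # assumed public-facing interface
UDP_RATE="${UDP_RATE:-20/sec}"  # sustained UDP queries per source IP before dropping
UDP_BURST="${UDP_BURST:-50}"    # short burst tolerated before the limit bites
TCP_CONNS="${TCP_CONNS:-10}"    # concurrent TCP/53 connections allowed per source IP
DRY_RUN="${DRY_RUN:-1}"

# run: execute iptables, or print the command line when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# dns_rate_limit_rules: emit (or apply) the rule set, drops first, accepts last.
dns_rate_limit_rules() {
    # UDP/53: hashlimit keeps one bucket per source IP (srcip mode); once a
    # source exceeds UDP_RATE after its UDP_BURST allowance, further packets
    # are dropped. Well-behaved resolvers stay far below this rate.
    run -A INPUT -i "$IFACE" -p udp --dport 53 \
        -m hashlimit --hashlimit-name dns_udp --hashlimit-mode srcip \
        --hashlimit-above "$UDP_RATE" --hashlimit-burst "$UDP_BURST" \
        -j DROP
    # TCP/53: cap simultaneous connections per source IP (/32 mask) by
    # dropping new SYNs once the cap is reached.
    run -A INPUT -i "$IFACE" -p tcp --dport 53 --syn \
        -m connlimit --connlimit-above "$TCP_CONNS" --connlimit-mask 32 \
        -j DROP
    # Traffic under the limits is accepted as before.
    run -A INPUT -i "$IFACE" -p udp --dport 53 -j ACCEPT
    run -A INPUT -i "$IFACE" -p tcp --dport 53 -j ACCEPT
}

# rule_count: number of rules the function emits (useful in a dry-run check).
rule_count() {
    dns_rate_limit_rules | wc -l | tr -d ' '
}

dns_rate_limit_rules
```

Run with DRY_RUN=0 as root to apply the rules. The drop rules sit above the accepts so the limit is checked first, and the hashlimit bucket is keyed on the source address only, so one noisy EC2 host cannot consume the allowance of every other client.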