RE: how to defense against ddos attack to dns?

2009-11-20 Thread MontyRee



Hello,
I tested some DNS DoS tools like dnstest (http://www.trsecurity.net/dnstest/).
This program generates
(1) lots of queries, (2) the queried domains are random, and (3) the source IP can be
spoofed to the destination.
Below is an example (192.168.198.17 is the victim):
07:09:11.658811 IP 167.187.119.211.4500 192.168.198.17.domain:  2+ A? www.aocddv.biz. (32)
07:09:11.775809 IP 206.140.182.86.1233 192.168.198.17.domain:  2+ A? www.bvthus.org. (32)
07:09:11.891780 IP 157.160.17.164.3454 192.168.198.17.domain:  2+ A? www.oftinx.net. (32)
07:09:12.008021 IP 27.71.230.67.56566 192.168.198.17.domain:  2+ A? www.nnqsts.net. (32)
07:09:12.123998 IP 202.193.203.54.1320 192.168.198.17.domain:  2+ A? www.lpdbxs.biz. (32)
07:09:12.240545 IP 217.53.229.167.22211 192.168.198.17.domain:  2+ A? www.ahnxuj.biz. (32)
07:09:12.357514 IP 208.133.39.51.435435 192.168.198.17.domain:  2+ A? www.sdhvmu.org. (32)
07:09:12.472896 IP 80.168.228.221.5464 192.168.198.17.domain:  2+ A? www.juewou.com. (32)
07:09:12.705161 IP 217.198.77.156.1223 192.168.198.17.domain:  2+ A? www.vgxaex.org. (32)

My question is:
if there are lots of queries like the above, how can I defend against the attack? I think that
just denying recursion is not sufficient.
Please share your experiences and opinions.

Thanks.


> To: chulm...@hotmail.com
> CC: bind-us...@isc.org
> From: ma...@isc.org
> Subject: Re: how to defense against ddos attack to dns?
> Date: Tue, 17 Nov 2009 12:19:53 +1100
>
> In message blu149-w13ef74e1e2eba2fe9dd3f385...@phx.gbl, MontyRee writes:
> >
> > Hello, all.
> >
> > I have operated some dns servers and I'm curious what should I do if
> > ddos attack to my dns servers.
> >
> > So do you know how to defense against dns ddos attack like root server?
> >
> > Surely, various ddos attack may be occurred.
> >
> > My idea is..
> >
> > -. filtering 53/udp traffic that the byte is over 512 byte
> > -. rate-limit against 53/udp queries
> >    (but useless if the attack spoof the source ip)
> > -. deny recursion
> > -. anycast?
> >
> > Is there any comments or proposal?
>
> How you defend against a DoS attack depends on the actual attack
> and what services you are attempting to provide and to whom.  You
> want to minimise collateral damage and some of the methods above
> are likely to introduce collateral damage.
>
> > Thanks in advance.
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
  
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
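
Added example (not part of the original thread, and not code from dnstest or BIND): the Python sketch below summarizes a tcpdump text capture like the one in the message above and shows why a per-source rate limit never triggers on it, since almost every query arrives with a new source address and a new name. The function names, the thresholds and the `NORMAL` contrast sample are assumptions made for illustration.

```python
import re
from collections import Counter

# First five packets of the capture quoted in the message above, as archived
# (without the ">" tcpdump prints between source and destination).
CAPTURE = """\
07:09:11.658811 IP 167.187.119.211.4500 192.168.198.17.domain:  2+ A? www.aocddv.biz. (32)
07:09:11.775809 IP 206.140.182.86.1233 192.168.198.17.domain:  2+ A? www.bvthus.org. (32)
07:09:11.891780 IP 157.160.17.164.3454 192.168.198.17.domain:  2+ A? www.oftinx.net. (32)
07:09:12.008021 IP 27.71.230.67.56566 192.168.198.17.domain:  2+ A? www.nnqsts.net. (32)
07:09:12.123998 IP 202.193.203.54.1320 192.168.198.17.domain:  2+ A? www.lpdbxs.biz. (32)
"""
# Constructed contrast: one resolver re-asking for the same (hypothetical) name.
NORMAL = "".join(
    f"07:09:1{i}.000000 IP 192.0.2.10.5353 > 192.168.198.17.domain:  {i}+ A? www.example.com. (33)\n"
    for i in range(5)
)

# Matches a DNS query line with or without the ">" separator.
QUERY = re.compile(
    r"(\d+):(\d+):(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ (?:> )?"
    r"\d+\.\d+\.\d+\.\d+\.domain:\s+\d+\+? \S+\? (\S+)"
)

def summarize(text):
    """Aggregate the DNS query lines found in a tcpdump text capture."""
    rows = [(int(h) * 3600 + int(m) * 60 + float(s), src, qname.lower())
            for h, m, s, src, qname in QUERY.findall(text)]
    if not rows:
        return None
    per_source = Counter(src for _, src, _ in rows)
    times = [t for t, _, _ in rows]
    span = max(times) - min(times)
    return {
        "queries": len(rows),
        "distinct_sources": len(per_source),
        "max_per_source": max(per_source.values()),  # what a per-IP limiter sees
        "distinct_qnames": len({q for _, _, q in rows}),
        "qps": (len(rows) - 1) / span if span else 0.0,  # aggregate rate
    }

def is_spoofed_random_flood(stats, min_queries=5, ratio=0.9):
    """True when almost every query has a new source address and a new name."""
    if stats is None or stats["queries"] < min_queries:
        return False
    n = stats["queries"]
    return (stats["distinct_sources"] / n >= ratio
            and stats["distinct_qnames"] / n >= ratio)

if __name__ == "__main__":
    for label, text in (("capture", CAPTURE), ("normal", NORMAL)):
        stats = summarize(text)
        print(label, stats, "flood pattern:", is_spoofed_random_flood(stats))
```

On the quoted capture `max_per_source` is 1 while the aggregate rate is several queries per second, so a useful signal has to come from the aggregate counters rather than from any single source address.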

Re: how to defense against ddos attack to dns?

2009-11-20 Thread Bryan Irvine
Basically, you have to have a big enough server/cluster of servers, to
absorb an attack.

No real defense from distributed dos.



2009/11/16 MontyRee chulm...@hotmail.com:

> Hello, all.
>
> I have operated some dns servers and I'm curious what should I do if
> ddos attack to my dns servers.
>
> So do you know how to defense against dns ddos attack like root server?
>
> Surely, various ddos attack may be occurred.
>
> My idea is..
>
> -. filtering 53/udp traffic that the byte is over 512 byte
> -. rate-limit against 53/udp queries
>    (but useless if the attack spoof the source ip)
> -. deny recursion
> -. anycast?
>
> Is there any comments or proposal?
>
> Thanks in advance.





how to defense against ddos attack to dns?

2009-11-16 Thread MontyRee

Hello, all.
 
 
I have operated some dns servers and I'm curious what should I do if 
ddos attack to my dns servers.
 
So do you know how to defense against dns ddos attack like root server?
 
Surely, various ddos attack may be occurred.
 
My idea is..
 
 
-. filtering 53/udp traffic that the byte is over 512 byte
-. rate-limit against 53/udp queries
   (but useless if the attack spoof the source ip)
-. deny recursion 
-. anycast?
 
 
Is there any comments or proposal?
 
 
Thanks in advance. 
 
 
 
  

Re: how to defense against ddos attack to dns?

2009-11-16 Thread Mark Andrews

In message blu149-w13ef74e1e2eba2fe9dd3f385...@phx.gbl, MontyRee writes:
 
> Hello, all.
>
> I have operated some dns servers and I'm curious what should I do if
> ddos attack to my dns servers.
>
> So do you know how to defense against dns ddos attack like root server?
>
> Surely, various ddos attack may be occurred.
>
> My idea is..
>
> -. filtering 53/udp traffic that the byte is over 512 byte
> -. rate-limit against 53/udp queries
>    (but useless if the attack spoof the source ip)
> -. deny recursion
> -. anycast?
>
> Is there any comments or proposal?

How you defend against a DoS attack depends on the actual attack
and what services you are attempting to provide and to whom.  You
want to minimise collateral damage and some of the methods above
are likely to introduce collateral damage.

> Thanks in advance.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org