On 01/31/2013 06:47 AM, James Davis wrote:
> We've been seeing an increasing number of reflected and amplified
> DNS attacks over the last year, some more sophisticated than what
> you've described.
> 
> If the systems behind that port don't need to receive DNS traffic 
> from everywhere then I suggest blocking the DNS responses as far as 
> is possible. You can frequently get away with blocking just the 
> handful of nameservers involved but if the attackers have some clue 
> they'll be cycling them often and including authoritative servers
> for popular services.

There are more effective mitigation measures available, in particular I
would strongly recommend you have a look at:

        http://www.redbarn.org/dns/ratelimits

for more information on this problem and the DNS rate-limiting patches
that are available for BIND and Unbound.

The real cure for this kind of problem is for ISPs to deploy BCP38, but
that's been pending for a decade or two now :-(

There's regular extensive discussion about DNS amplification attacks and
mitigation measures over on my dayjob mailing list:

        https://lists.dns-oarc.net/mailman/listinfo/dns-operations

(and more candid information sharing is available to OARC members...)

It is a serious and growing problem, not least as no-one has yet figured
out what malware or parties are behind these :-(

Keith



>> Just before 09:00 this morning we saw a 100 Mbps port saturated. 
>> Upon investigation the traffic appears to be DNS responses to 
>> requests that were never made.
>> 
>> Over the following 5 minutes, we saw over 600,000 UDP DNS responses
>> originating from 20 different DNS servers.  The servers all seem
>> to be genuine, authoritative servers.
>> 
>> They were all targeted at a single server our side and the 
>> destination ports on the targeted system included pretty much
>> the whole range.
>> 
>> Is this a known DDoS attack?  It's a new one on me.  Any
>> suggestions on how to deal with it?
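The pattern the original poster describes (responses from port 53 that answer no query of ours, from a couple of dozen genuine authoritative servers, spread across the victim's whole destination-port range) is what a border sensor or flow collector can detect on the receiving side; the RRL patches mentioned above have to run on the authoritative servers that are being used as reflectors, so the victim cannot deploy them. The following Python is an added example, not code from this thread or from BIND or Unbound: it matches inbound DNS responses against recently seen outbound queries, treats the unmatched ones as unsolicited, and alerts when unsolicited responses aimed at one host exceed a threshold from several distinct servers inside a window. The flow-record format, the 5-second query lifetime, the 1000-response/5-reflector thresholds and the sample traffic are all constructed assumptions.

```python
"""Flag unsolicited UDP DNS responses, the signature of a reflected and
amplified DNS flood.  Added example, not code from the original thread or
from BIND/Unbound; record format, lifetimes, thresholds and sample traffic
are constructed assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed UDP datagram, as a border sensor might export it (assumed)."""
    ts: float          # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    direction: str     # "out": leaving our network, "in": arriving at it
    qr: int            # DNS header QR bit: 0 = query, 1 = response
    nbytes: int        # datagram size on the wire


class ReflectionDetector:
    """A response with no outstanding query from the same (host, port) to the
    same server is 'unsolicited'.  Many of them from several distinct servers
    aimed at one host within a window is the reflection pattern."""

    def __init__(self, query_ttl=5.0, window=300.0,
                 min_responses=1000, min_reflectors=5):
        self.query_ttl = query_ttl        # how long a query may wait for its answer
        self.window = window              # aggregation window, seconds
        self.min_responses = min_responses
        self.min_reflectors = min_reflectors
        self._pending = defaultdict(deque)      # (host, port, server) -> query timestamps
        self._unsolicited = defaultdict(deque)  # victim -> (ts, reflector, dport, nbytes)
        self._alerted = set()

    def observe(self, f):
        """Feed one flow; returns a summary dict the first time a victim
        crosses the thresholds, otherwise None."""
        if f.direction == "out" and f.qr == 0 and f.dport == 53:
            self._pending[(f.src, f.sport, f.dst)].append(f.ts)
            return None
        if not (f.direction == "in" and f.qr == 1 and f.sport == 53):
            return None                   # not an inbound DNS response
        pend = self._pending[(f.dst, f.dport, f.src)]
        while pend and f.ts - pend[0] > self.query_ttl:
            pend.popleft()                # query expired unanswered
        if pend:
            pend.popleft()                # answers an outstanding query: legitimate
            return None
        # Simplification: a real sensor would also compare the DNS transaction ID.
        seen = self._unsolicited[f.dst]
        seen.append((f.ts, f.src, f.dport, f.nbytes))
        while seen and f.ts - seen[0][0] > self.window:
            seen.popleft()
        s = self.summary(f.dst)
        if (f.dst not in self._alerted
                and s["responses"] >= self.min_responses
                and len(s["reflectors"]) >= self.min_reflectors):
            self._alerted.add(f.dst)
            return s
        return None

    def summary(self, victim):
        """Statistics for one destination host over the current window."""
        seen = self._unsolicited[victim]
        return {"victim": victim,
                "responses": len(seen),
                "reflectors": sorted({r for _, r, _, _ in seen}),
                "dports": len({p for _, _, p, _ in seen}),
                "bytes": sum(b for _, _, _, b in seen)}


def constructed_flows():
    """Constructed sample traffic: 50 legitimate query/response pairs from a
    resolver on our side, then 1200 unsolicited 1500-byte responses from 20
    'authoritative' servers aimed at one host across many destination ports."""
    flows = []
    for i in range(50):
        t = float(i)
        flows.append(Flow(t, "192.0.2.10", 40000 + i, "198.51.100.1", 53, "out", 0, 60))
        flows.append(Flow(t + 0.02, "198.51.100.1", 53, "192.0.2.10", 40000 + i, "in", 1, 120))
    for i in range(1200):
        t = 100.0 + i * 0.25
        reflector = "203.0.113.%d" % (1 + i % 20)
        dport = 1024 + (i * 7919) % 60000          # spread over the port range
        flows.append(Flow(t, reflector, 53, "192.0.2.5", dport, "in", 1, 1500))
    flows.sort(key=lambda f: f.ts)
    return flows


def run_detection(flows=None):
    """Run the detector over the flows; returns the alerts raised plus the
    final window summary for the victim and for the legitimate resolver."""
    det = ReflectionDetector()
    alerts = []
    for f in (flows if flows is not None else constructed_flows()):
        alert = det.observe(f)
        if alert is not None:
            alerts.append(alert)
    return {"alerts": alerts,
            "victim": det.summary("192.0.2.5"),
            "resolver": det.summary("192.0.2.10")}


if __name__ == "__main__":
    for a in run_detection()["alerts"]:
        print("ALERT", a["victim"], a["responses"], "unsolicited responses from",
              len(a["reflectors"]), "servers across", a["dports"], "ports")
```

On the constructed input the legitimate resolver never produces an unsolicited response, while the victim triggers one alert at the 1000th response and finishes the window with all 20 reflectors and 1200 distinct destination ports in view. The per-reflector list is what you would hand to the people filtering upstream (the approach James Davis describes), bearing in mind, as he notes, that an attacker can rotate reflectors and that authoritative servers for popular services may be among them; the matching here keys only on (host, port, server), and a production sensor would also key on the DNS transaction ID.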
