Re: recursive DNS servers DDoS as a growing DDoS problem
- From: Jim Pingle <jim@xxxxxxxxxx>
- Date: Mon, 03 Apr 2006 19:12:31 -0400
Geo. wrote:
What is stopping you from running your own local DNS server?
What is stopping you from running your own SMTP server? A port 25 block?
Well if an ISP doesn't want to play whack-a-mole with unsecured dns servers
popping up every day do you not think it likely that they will resort to the
same techniques they used for smtp?
Granted a port 53 inbound block would make more sense for the current
example but just like bots started running their own SMTP engines I see the
dns flood model changing to fit the new landscape.
We have done just this (block inbound udp/53) to certain subnets due to a
rash of CPEs that happily proxy DNS, including recursive queries, from their
WAN side. They DoS their own circuits more effectively than the intended DoS
targets.
Ingress/Egress filtering did not help because the traffic coming to the name
server was not spoofed to appear like it was coming from our network, it
really was. The attack reflected off of the routers and because they were
local to our name servers, they got replies to the recursive queries despite
our rejecting them from outside our network. And of course once it was
cached, it was open for public queries.
Broken/misconfigured/buggy routers appear to look just like open DNS
servers, and are likely to be much higher in numbers.
Jim
- Follow-Ups:
- Re: recursive DNS servers DDoS as a growing DDoS problem
- From: Erwan David
- RE: recursive DNS servers DDoS as a growing DDoS problem
- From: Geo.
- Re: recursive DNS servers DDoS as a growing DDoS problem
- References:
- Prev by Date: [SECURITY] [DSA 1022-1] New storebackup packages fix several vulnerabilities
- Next by Date: Re: recursive DNS servers DDoS as a growing DDoS problem
- Previous by thread: RE: recursive DNS servers DDoS as a growing DDoS problem
- Next by thread: RE: recursive DNS servers DDoS as a growing DDoS problem
- Index(es):
Relevant Pages
|
