| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 03 Apr 2006 19:12:31 -0400 From: Jim Pingle <jim@...isp.com> To: "Geo." <geoincidents@....net> Cc: bugtraq@...urityfocus.com Subject: Re: recursive DNS servers DDoS as a growing DDoS problem Geo. wrote: >> What is stopping you from running your own local DNS server? > > What is stopping you from running your own SMTP server? A port 25 block? > Well if an ISP doesn't want to play whack-a-mole with unsecured dns servers > popping up every day do you not think it likely that they will resort to the > same techniques they used for smtp? > > Granted a port 53 inbound block would make more sense for the current > example but just like bots started running their own SMTP engines I see the > dns flood model changing to fit the new landscape. We have done just this (block inbound udp/53) to certain subnets due to a rash of CPEs that happily proxy DNS, including recursive queries, from their WAN side. They DoS their own circuits more effectively than the intended DoS targets. Ingress/Egress filtering did not help because the traffic coming to the name server was not spoofed to appear like it was coming from our network, it really was. The attack reflected off of the routers and because they were local to our name servers, they got replies to the recursive queries despite our rejecting them from outside our network. And of course once it was cached, it was open for public queries. Broken/misconfigured/buggy routers appear to look just like open DNS servers, and are likely to be much higher in numbers. Jim
Powered by blists - more mailing lists