[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4431ABDF.3020005@hpcisp.com>
Date: Mon, 03 Apr 2006 19:12:31 -0400
From: Jim Pingle <jim@...isp.com>
To: "Geo." <geoincidents@....net>
Cc: bugtraq@...urityfocus.com
Subject: Re: recursive DNS servers DDoS as a growing DDoS problem
Geo. wrote:
>> What is stopping you from running your own local DNS server?
>
> What is stopping you from running your own SMTP server? A port 25 block?
> Well if an ISP doesn't want to play whack-a-mole with unsecured dns servers
> popping up every day do you not think it likely that they will resort to the
> same techniques they used for smtp?
>
> Granted a port 53 inbound block would make more sense for the current
> example but just like bots started running their own SMTP engines I see the
> dns flood model changing to fit the new landscape.
We have done just this (block inbound udp/53) to certain subnets due to a
rash of CPEs that happily proxy DNS, including recursive queries, from their
WAN side. They DoS their own circuits more effectively than the intended DoS
targets.
Ingress/Egress filtering did not help because the traffic coming to the name
server was not spoofed to appear like it was coming from our network, it
really was. The attack reflected off of the routers and because they were
local to our name servers, they got replies to the recursive queries despite
our rejecting them from outside our network. And of course once it was
cached, it was open for public queries.
Broken/misconfigured/buggy routers appear to look just like open DNS
servers, and are likely to be much higher in numbers.
Jim
Powered by blists - more mailing lists