[dns-operations] Protecting against spoofing amplification attacks
Bruce Campbell
bc-dns at vicious.dropbear.id.au
Wed Mar 1 10:30:35 UTC 2006
On Tue, 28 Feb 2006, Geo. wrote:
> Ok, so you have a botnet. The machines in this botnet are behind a firewall
> and using irc to connect into your botnet, they use their local DNS servers
> so the spoofed queries are being sent to their local network behind their
> firewall.
>
> The firewall has to allow the recursive dns server to talk to the outside
> world so what is the firewall rule that is going to stop this attack from
> being possible?
You've set up a situation where the DNS server, being behind the same
firewall as nodes within a botnet, will believe that spoofed traffic
created by botnet nodes came through the firewall and is not actually
spoofed.
There are two defenses against this, one very basic, and one not so basic.
Firstly, configure your recursive DNS servers to not answer queries except
from 'your' network range, as mentioned several times in this thread.
It's not a firewall rule, but it is a very basic DNS server setup issue.
(Note that sending SRVFAILs will still cause your DNS server to DoS the
spoofed victims, but the traffic flow is much smaller than sending a
much larger answer, and doesn't require your DNS server to attempt to
retrieve the answer in the first place.)
> I mean it seems the firewall that prevents spoofed recursion has to be
> between the recursive dns server and its local clients. Who has a setup
> like that?
The second, not so basic defense is to ensure that your servers are not on
the same network segment as your more-likely-to-be-taken-over hosts (aka
your customers). With the appropriate anti-spoofing rules on the
customer's exit firewall, and your server's entry firewall, your servers
will never get spoofed queries from hosts under your control (assuming you
keep your servers up to date).
Most ISPs have a setup like this as part of their basic setup. Where they
fall down is in allowing the customer connection to send packets sourced
from any IP address, not just the customer's assigned IP address(es).
--
Bruce Campbell
I hate writer's block.
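One way to implement the first defense described in the message above, as an added example for BIND 9 that is not part of the original post: the "open" fragment is shown only for contrast, and the ACL name and the network ranges in it are placeholders for 'your' customer and server ranges.

```conf
// Added example (not from the original message): BIND 9 named.conf fragments.
// The network ranges below are placeholders; substitute your own ranges.

// BEFORE: an open resolver. A query carrying any source address, spoofed
// or not, makes this server recurse and send a full-size answer to the
// address the query claims to come from.
options {
    recursion yes;
    allow-query       { any; };
    allow-recursion   { any; };
};

// AFTER: answers, recursion and cache reads limited to 'your' network range.
acl "my-networks" {
    127.0.0.0/8;          // loopback
    192.0.2.0/24;         // placeholder: customer access range
    198.51.100.0/24;      // placeholder: server / management range
};

options {
    recursion yes;
    allow-query       { "my-networks"; };   // answer only our own ranges
    allow-recursion   { "my-networks"; };   // recurse only for our own ranges
    allow-query-cache { "my-networks"; };   // no cache reads from outside
};

// If the same server is also authoritative for a zone, keep that zone
// reachable from everywhere: a per-zone allow-query overrides the global one.
zone "example.net" {
    type master;
    file "db.example.net";        // placeholder zone file
    allow-query { any; };
};
```

With these settings a query from outside the ACL gets a short REFUSED response and triggers no upstream lookup, which is the reduced-traffic point the message makes; the second defense (anti-spoofing rules on the customer exit and server entry firewalls) still has to be done on the firewalls themselves.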