[dns-operations] Protecting against spoofing amplification attacks

Bruce Campbell bc-dns at vicious.dropbear.id.au
Wed Mar 1 10:30:35 UTC 2006

On Tue, 28 Feb 2006, Geo. wrote:

> Ok, so you have a botnet. The machines in this botnet are behind a firewall
> and using irc to connect into your botnet, they use their local DNS servers
> so the spoofed queries are being sent to their local network behind their
> firewall.
> The firewall has to allow the recursive dns server to talk to the outside
> world so what is the firewall rule that is going to stop this attack from
> being possible?

You've set up a situation where the DNS server, being behind the same 
firewall as nodes within a botnet, will believe that spoofed traffic 
created by botnet nodes came through the firewall and is not actually 

There are two defenses against this, one very basic, and one not so basic.

Firstly, configure your recursive DNS servers to not answer queries except 
from 'your' network range, as mentioned several times in this thread.
It's not a firewall rule, but it is a very basic DNS server setup issue.

( Note that sending SRVFAILs will still cause your DNS server to DoS the
   spoofed victims, but the traffic flow is much smaller than sending a
   much larger answer, and doesn't require your DNS server to attempt to
   retrieve the answer in the first place )

> I mean it seems the firewall that prevents spoofed recursion has to be
> between the recursive dns server and its local clients. Who has a setup
> like that?

The second, not so basic defense is to ensure that your servers are not on 
the same network segment as your more-likely-to-be-taken-over hosts (aka 
your customers).  With the appropriate anti-spoofing rules on the 
customer's exit firewall, and your server's entry firewall, your servers 
will never get spoofed queries from hosts under your control (assuming you 
keep your servers up to date).

Most ISPs have a setup like this as part of their basic setup.  Where they 
fall down is in allowing the customer connection to send packets sourced 
from any IP address, not just the customer's assigned IP address(es).

   Bruce Campbell

   I hate writer's block.
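As an added illustration (not part of Bruce's post) of the "basic" defence he describes, here is the same idea as a BIND 9 named.conf fragment, with the open-resolver setting shown beside the restricted one. The network prefixes are documentation placeholders and the acl name "customers" is made up for the example.

```conf
// Added example: restrict recursion to your own address ranges.
// Prefixes are RFC 5737 / RFC 3849 documentation placeholders; the
// acl name "customers" is hypothetical. Substitute your real ranges.

// --- WEAK: open resolver. A query carrying a spoofed source address
// from anywhere on the Internet gets a full recursive answer, sent to
// the spoofed address (the victim), typically many times larger than
// the query that triggered it.
//
// options {
//     recursion yes;
//     allow-recursion { any; };
// };

// --- RESTRICTED: recursion only for hosts you are responsible for.
acl "customers" {
    192.0.2.0/24;        // placeholder: customer access network
    198.51.100.0/24;     // placeholder: office / server network
    2001:db8::/32;       // placeholder: IPv6 range
    localhost;
    localnets;
};

options {
    recursion yes;
    allow-recursion   { customers; };  // recursive lookups only for these
    allow-query-cache { customers; };  // cached answers only for these (BIND 9.4+)
    allow-query       { any; };        // zones you are authoritative for
                                       // are still answered for everyone
};

// A recursive query from outside "customers" now gets a short refusal
// (REFUSED in BIND 9) instead of a full answer, so the traffic reflected
// toward a spoofed victim is small and the server does no lookup work.
// This does nothing about spoofed queries that originate *inside* the
// acl; that is the second defence in the post: source-address filtering
// where the customer connection enters your network.
```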
