[dns-operations] DNS deluge for x.p.ctrc.cc

Paul Vixie paul at vix.com
Wed Mar 1 15:08:51 UTC 2006

# What I'm saying is that with a botnet dns attack, each bot is going to use
# it's local dns servers ...

I don't think that's true.  The malware analysis I've seen indicates that the
bots doing this attack are each given a list of remotely exploitable recursive
DNS servers to fire their spoofed query-stream at.  If they were using their
configured local server, then the spoofed traffic would be trivially detectable
using on-net strict RPF.  That is, the IGP routing equipment is in an excellent
position to know that a query claiming to come from outside the local net did
not in fact come from outside the local net.  Last but not least, those bots
who might be using local configured recursive DNS as amplifiers today, can be
made to use a list of remotely exploitable servers starting tomorrow, so any
optimization we thought we could do against local server use would've been

# You would likely have to run a software firewall on the dns server itself to
# prevent this sort of attack. Either that or the dns server software has to
# have functionality that allows you to tell it to respond only to local IP's.

all recursive servers should be configured to only answer local IP's, or their
firewalls should enforce this.  it's this openness, and not the relative
locations of the bots vs. the recursive servers, that i'm arguing be fixed.

More information about the dns-operations mailing list