[dns-operations] DNS deluge for x.p.ctrc.cc

Ejay Hire ejay.hire at isdn.net
Wed Mar 1 16:59:18 UTC 2006


If the ISP fixes their DNS servers to restrict the IPs for
which they answer recursive queries, then those fixed DNS
servers will ignore the spoofed request because the spoofed
request appears to come from an IP that they do not serve.

I.e., to attack my router, Joe sends this packet to a random
DNS server:

From: MY.IP.AD.DR To: DNS.SRVR query all x.p.ctrc.cc

The DNS server looks up MY.IP.AD.DR in its recursive permit
list, finds it isn't there and ignores the request.


> -----Original Message-----
> From: dns-operations-bounces at lists.oarci.net
> [mailto:dns-operations-bounces at lists.oarci.net] On Behalf Of Geo.
> Sent: Wednesday, March 01, 2006 10:55 AM
> To: dns-operations at mail.oarc.isc.org
> Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
>
> > all recursive servers should be configured to only answer local
> > IPs, or their firewalls should enforce this.  it's this openness,
> > and the relative locations of the bots vs. the recursive servers,
> > that i'm arguing be fixed.
>
> We seem to not be communicating very well.
>
> Let's say this is instantly fixed tomorrow, presto all and corporations
> set their firewalls so that recursive DNS is only available to local
> clients. Let's also assume that all ISPs have fixed it so they are running
> ingress/egress filters at their backbone routers making local spoofing a
> thing of the past. Ok the world is wonderful right? Wrong!
>
> Now the bots will simply spoof on the inside ISP network and use the local
> dns servers. The way to stop that is to run a firewall between the dns
> servers and their local clients (something almost nobody is going to do) or
> put *gress filters on every router (which isn't even possible in some
> cases). And it's at this point everyone will realize this isn't going to get
> fixed.
>
> So if forcing recursive DNS servers to only serve local clients isn't going
> to fix this, then why should we give up such nice functionality, a tool for
> troubleshooting, for what gain should we dispose of this
>
> We need a better solution, dns rate limiting (like the flood solution)
> perhaps?
>
> Geo.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
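As an added illustration (not code from either poster), here is a toy recursive resolver that applies the "recursive permit list" Ejay describes and, in the direction Geo points, a per-client answer limit so that a forged source inside the served prefix is not amplified without bound. The addresses, prefixes and query counts are constructed sample values; the class and function names are my own.

```python
# Constructed model of a recursive resolver's admission decision: first the
# permit list (what BIND calls allow-recursion), then a per-source answer cap.
from ipaddress import ip_address, ip_network


class Resolver:
    def __init__(self, permitted, per_source_limit):
        # Prefixes this resolver answers recursive queries for (sample values).
        self.permitted = [ip_network(p) for p in permitted]
        self.limit = per_source_limit   # answers allowed per source in one window
        self.counts = {}                # answers already sent per source
        self.stats = {"answered": 0, "refused": 0, "rate_limited": 0}

    def allows(self, src):
        """Is the claimed UDP source address on the recursive permit list?"""
        addr = ip_address(src)
        return any(addr in net for net in self.permitted)

    def handle(self, src, qname):
        """Decide what happens to one query whose (possibly forged) source is src."""
        if not self.allows(src):
            self.stats["refused"] += 1          # Ejay's case: outside the list, dropped
            return "refused"
        sent = self.counts.get(src, 0)
        if sent >= self.limit:
            self.stats["rate_limited"] += 1     # Geo's case: inside the list, but capped
            return "rate_limited"
        self.counts[src] = sent + 1
        self.stats["answered"] += 1
        return "answered"


def run_spoofed_queries(resolver, forged_src, qname, count):
    """Feed `count` queries carrying the forged source and tally the outcomes."""
    outcomes = {}
    for _ in range(count):
        result = resolver.handle(forged_src, qname)
        outcomes[result] = outcomes.get(result, 0) + 1
    return outcomes


if __name__ == "__main__":
    victim = "198.51.100.7"   # constructed: the router whose address is being forged
    remote = Resolver(["203.0.113.0/24"], per_source_limit=50)   # a random resolver elsewhere
    local = Resolver(["198.51.100.0/24"], per_source_limit=50)   # the victim's own ISP resolver
    print("remote resolver:", run_spoofed_queries(remote, victim, "x.p.ctrc.cc", 1000))
    print("local resolver: ", run_spoofed_queries(local, victim, "x.p.ctrc.cc", 1000))
```

The remote resolver refuses every forged query, while the local one still answers up to the cap, which is exactly the residual exposure Geo describes.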
