[dns-operations] DNS deluge for x.p.ctrc.cc

Ejay Hire ejay.hire at isdn.net
Wed Mar 1 19:53:39 UTC 2006


Ok.  Got it.  An attacker can use botnet members that are
customers of ISPA to attack ISPA's other customers.  Yes.
That is possible.

I'm comfortable with this level of exposure (1,2,10 servers)
versus the thousands of servers that were bombarding us
during the most recent attack.

Can an attacker use the botnet on ISPA's network to attack
ISPB's customers with recursive lookups?
No.  Because when they spoof the ISPB customer's source address,
it will be rejected by ISPA's dns servers based on the
source address.

Can an attacker use the botnet on ISPA's network to attack
ISPB's customers with a non-recursive (authoritative)
lookup?
No.  Because when they spoof the ISPB customer's source address,
and the dns server sends the reply to the ISPB customer's address,
it will be rejected by ISPA's outbound BCP38 filtering.

For this problem, BCP38 and limited recursion really are the
fix.

-ejay



> -----Original Message-----
> From: Gadi Evron [mailto:ge at linuxbox.org] 
> Sent: Wednesday, March 01, 2006 1:01 PM
> To: Ejay Hire
> Cc: 'Geo.'; dns-operations at mail.oarc.isc.org
> Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
> 
> Ejay Hire wrote:
> > If the ISP fixes their DNS servers to restrict the IPs for
> > which they answer recursive queries, then those fixed DNS
> > servers will ignore the spoofed request because the spoofed
> > request appears to come from an IP that they do not serve.
> 
> I believe Geo actually meant something different. I also did not
> understand his meaning at all at first... then he further explained.
> 
> As the bots are in the ISP's allowed space, the ISP's DNS server will
> allow recursion to these bots.
> 
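The four cases Ejay walks through (recursive and non-recursive queries, with and without restricted recursion and BCP38) can be checked against a small model. The code below is an added example and is not part of the thread; the prefixes (RFC 5737 documentation ranges), the resolver's authoritative zone `example.net`, and the simplified packet model are assumptions. BCP38 is modelled as what RFC 2827 actually specifies: source-address validation at ISPA's customer-facing edge, so a query whose source claims to be an ISPB customer is dropped before it ever reaches ISPA's resolver. Restricted recursion is modelled on BIND's `allow-recursion` ACL; authoritative data is still served to anyone, which is why the non-recursive case needs BCP38 rather than the ACL.

```python
"""Model of the spoofed-query scenarios in the thread above.

Constructed example: the prefixes, the authoritative zone and the packet
model are assumptions made for illustration; none come from the message.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed address plans (constructed; RFC 5737 documentation ranges).
ISPA_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
ISPB_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
# Assumed: ISPA's resolver also serves one zone authoritatively.
ISPA_AUTH_ZONES = ["example.net."]


@dataclass(frozen=True)
class Query:
    src: ipaddress.IPv4Address  # source address on the wire (may be spoofed)
    qname: str                  # name queried, fully qualified
    rd: bool                    # recursion-desired flag


def in_any(addr: ipaddress.IPv4Address,
           prefixes: List[ipaddress.IPv4Network]) -> bool:
    return any(addr in p for p in prefixes)


def bcp38_ingress_permits(q: Query,
                          assigned: List[ipaddress.IPv4Network]) -> bool:
    """BCP38 / RFC 2827 source-address validation at ISPA's customer edge:
    forward only if the source lies within the prefixes assigned to that
    edge.  A query spoofing another ISP's customer is dropped here."""
    return in_any(q.src, assigned)


def resolver_outcome(q: Query,
                     allow_recursion: List[ipaddress.IPv4Network],
                     auth_zones: List[str]) -> str:
    """What the resolver does with a query: 'authoritative', 'recursive'
    or 'refused'.  Authoritative data is served to anyone; recursion is
    gated by the allow-recursion ACL; a REFUSED reply is about the size
    of the query, so it gives the attacker no amplification.
    (Cached answers are ignored in this model.)"""
    if any(q.qname.endswith(z) for z in auth_zones):
        return "authoritative"
    if q.rd and in_any(q.src, allow_recursion):
        return "recursive"
    return "refused"


def deluge_target(spoofed_src: str, qname: str, rd: bool, *,
                  bcp38: bool, restrict_recursion: bool) -> Optional[str]:
    """Send one spoofed query from a bot inside ISPA's network to ISPA's
    resolver and return the address that receives an amplified reply,
    or None if nothing useful to the attacker leaves the resolver."""
    q = Query(ipaddress.ip_address(spoofed_src), qname, rd)
    if bcp38 and not bcp38_ingress_permits(q, ISPA_PREFIXES):
        return None                      # spoofed query never arrives
    allow = ISPA_PREFIXES if restrict_recursion else ANY
    if resolver_outcome(q, allow, ISPA_AUTH_ZONES) == "refused":
        return None                      # tiny REFUSED, no amplification
    return str(q.src)                    # reply lands on the spoofed source


if __name__ == "__main__":
    # (label, spoofed source, qname, rd, bcp38, restrict_recursion)
    cases = [
        ("open resolver, no BCP38, recursive",        "198.51.100.7", "x.p.ctrc.cc.",     True,  False, False),
        ("restricted recursion only, recursive",      "198.51.100.7", "x.p.ctrc.cc.",     True,  False, True),
        ("restricted recursion only, authoritative",  "198.51.100.7", "www.example.net.", False, False, True),
        ("BCP38 + restricted, authoritative",         "198.51.100.7", "www.example.net.", False, True,  True),
        ("BCP38 + restricted, spoofed ISPA customer", "192.0.2.77",   "x.p.ctrc.cc.",     True,  True,  True),
    ]
    for label, src, name, rd, b, r in cases:
        hit = deluge_target(src, name, rd, bcp38=b, restrict_recursion=r)
        print(f"{label:45s} -> {hit or 'no amplified reply'}")
```

The last case is the residual exposure the message accepts: a bot that spoofs an address inside ISPA's own space passes both the edge filter and the recursion ACL, so ISPA's customers can still be hit from ISPA's own resolvers, but only by the handful of servers ISPA runs rather than by every open resolver on the Internet.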