[dns-operations] Amplification attack today ?

Douglas Otis dotis at mail-abuse.org
Thu Mar 1 00:07:08 UTC 2007

On Feb 28, 2007, at 3:24 PM, Mark Andrews wrote:

>> On Mittwoch, 28. Februar 2007 16:23 Rob Thomas wrote:
>>> There is an on-going 1.4Gbps DNS amplification attack using 175K open
>>> recursive name servers, but it is hitting approximately three targets
>>> in the US.
>> Maybe someone should establish an RBL for bad DNS servers, and all root
>> servers should block DNS queries from them? By this, you will for sure
>> get the attention of that server's admin, and they must fix their
>> servers. It's a bit like RBLs for e-mail servers today, admins get to
>> fix it quite quickly these days.
> 	Maybe someone should realise that the DNS servers are not
> 	the problem.  The problem is people allowing spoofed traffic
> 	to leave their networks.
> 		spoofed traffic -> DNS server -> target
> 	This attack can use both authoritative and recursive servers.
> 	Do you really want to stop *all* DNS traffic?  That is the
> 	logical progression of blaming the DNS server operators.
> 	Yes, cutting the number of reflectors will help marginally.
> 	There are however millions of authoritative servers that can
> 	also be used as amplifiers and they can't be disabled.

Even when everyone implements BCP38, DNS amplifications can still be  
created by SPF scripts, and this attack expends virtually none of the  
attacker's resources.  The attacker can just alter the local-part of  
the From or MailFrom email address.  The same cached SPF script then  
generates a flurry of different DNS queries.  This script can target  
random nonexistent A records, or perhaps large wildcard TXT or MX  
records.  When an attack occurs as a result of spam (that would have  
been sent anyway), it is hard to place a figure on the amplification  
achieved.   This attack is free, unlike recursive attacks that  
consume at least some of the attacker's resources.

With open recursive attacks, large RRs and DNS servers causing a  
problem can be determined.  The operator of the DNS server and the  
related network can be asked to adjust their egress rules and ACLs.   
Little can be done to prevent an SPF script related exploit.  Malware  
filters on DNS answers?


