[dns-operations] "NS .", the attack of the month?

Skywing Skywing at valhallalegends.com
Sat Jan 24 23:25:25 UTC 2009

It is better than the often default configuration alternative in terms of the amount of traffic that is generated.  At the least, if everyone did this, the amplification component of this attack would seem to be greatly reduced and it would become roughly as attractive to just spoof traffic straight to the target.

A better question is whether there's any way to make BIND or <other nameserver software of choice> just drop a query instead of refusing it.  iptables/firewall hacks like the one proposed earlier seem just like that to me - a hack, and one that seems to me might be easily evadable by doing things like including multiple questions or the like.  That's not to say that they might not effectively mitigate this iteration of this attack, but rather that it's not an arms race sort of scenario that we really want to run into with the "bad guys" when we're dealing with just static pattern matching packet filters.

Obviously, in normal circumstances, it's cheaper to send a failure response back, as that would get an ostensibly legitimate client to skip trying to resend requests until it gives up.  However, this isn't the universal advantage that it used to be in today's DoS-ridden internet.

- S

From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Noel Butler
Sent: Saturday, January 24, 2009 6:12 PM
To: Stephane Bortzmeyer
Cc: dns-operations at dns-oarc.net
Subject: Re: [dns-operations] "NS .", the attack of the month?

On Sun, 2009-01-25 at 08:45, Stephane Bortzmeyer wrote: 
On Sun, Jan 25, 2009 at 08:39:27AM +1000,
 Noel Butler <noel.butler at ausics.net> wrote 
 a message of 65 lines which said:

> iptables -A INPUT -p udp --dport 53 -m u32 --u32
> "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001" -j 

Cute :-) I hesitate to deploy a trick that I have trouble to
verify. Isn't it better to just follow the recommendations in

No, that advice is outright wrong! It contributes to the DDoS (although we should all have been doing it anyway in general), because you are sending the REFUSED pkt back to the victim, so they are essentially telling you how to participate in the DDoS.

extract "Then, a query such as ". IN NS" should result in a REFUSED response."

It's also no longer just ISPrime that's the victim, I am seeing other targets for the past 24 hours.
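For readers trying to verify what the u32 expression above actually tests, and to see the "multiple questions" gap Skywing raises, here is an added worked example (not code from anyone in this thread). It decodes the rule's offsets against the DNS payload: the three `@` offsets are relative to the start of the UDP header, so `@12>>16` is QDCOUNT (DNS offset 4), `@20>>24` is the first byte of the first question name (DNS offset 12, zero for the root name "."), and `@21` is QTYPE/QCLASS (0x0002 = NS, 0x0001 = IN). Beside that static check it runs a real question-section parser over the same constructed sample queries, which is what a server-side detection would need in order to flag ". IN NS" regardless of QDCOUNT. The sample packets, IDs and flag values are constructed for the example; no IP/UDP headers are included, only the DNS payload.

```python
import struct

QTYPE_A, QTYPE_NS, QCLASS_IN = 1, 2, 1


def encode_name(name):
    """Wire-encode a domain name; '.' (root) encodes as a single zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed name at `offset`; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not legal in a query's question name.
            raise ValueError("compression pointer in question name")
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels) + ".", offset  # root name decodes as "."


def build_query(questions, qid=0x1234, flags=0x0100):
    """Build a constructed DNS query payload: 12-byte header + question section."""
    header = struct.pack("!HHHHHH", qid, flags, len(questions), 0, 0, 0)
    body = b"".join(encode_name(n) + struct.pack("!HH", t, c) for n, t, c in questions)
    return header + body


def u32_rule_matches(payload):
    """Mirror of the static u32 expression from the thread, on the DNS payload.

    UDP offset 12 -> DNS offset 4 (QDCOUNT == 1)
    UDP offset 20 -> DNS offset 12 (first name byte == 0, i.e. root)
    UDP offset 21 -> DNS offset 13..16 (QTYPE NS, QCLASS IN)
    """
    if len(payload) < 17:
        return False
    qdcount = struct.unpack("!H", payload[4:6])[0]
    return (qdcount == 1
            and payload[12] == 0
            and struct.unpack("!HH", payload[13:17]) == (QTYPE_NS, QCLASS_IN))


def root_ns_questions(payload):
    """Parse every question and count how many ask for '. IN NS'."""
    qdcount = struct.unpack("!H", payload[4:6])[0]
    offset, hits = 12, 0
    for _ in range(qdcount):
        name, offset = decode_name(payload, offset)
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        if name == "." and qtype == QTYPE_NS and qclass == QCLASS_IN:
            hits += 1
    return hits


# Constructed sample queries (not captured traffic).
ROOT_NS = build_query([(".", QTYPE_NS, QCLASS_IN)])
NORMAL_A = build_query([("example.com", QTYPE_A, QCLASS_IN)])
TWO_QUESTIONS = build_query([("example.com", QTYPE_A, QCLASS_IN),
                             (".", QTYPE_NS, QCLASS_IN)])

if __name__ == "__main__":
    for label, pkt in (("root NS", ROOT_NS), ("normal A", NORMAL_A),
                       ("two questions", TWO_QUESTIONS)):
        print(f"{label:14s} u32={u32_rule_matches(pkt)!s:5s} "
              f"parsed root-NS questions={root_ns_questions(pkt)}")
```

The u32 match and the parser agree on the single-question cases; they differ on the two-question payload, where the static offsets no longer line up and only the parser still sees the root NS question. That is the gap between a fixed-offset packet filter and nameserver-side logic that can decide to drop rather than answer.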
