[dns-operations] DNS ANY requests from Amazon?

[Patrick, Robert (CONTR)]

Chris,

Yes, many sites are seeing increasing "background noise" from Internet hosts repetitively submitting DNS queries, especially for ANY.  Amplification attacks, or simply burning CPU cycles.

It's starting to look like per-client-IP rate-limiting features are necessary, with intelligent defaults, to ensure applications facing the Internet are protected out-of-the-box, while service providers and others with IT staff can adjust the settings where necessary.  The current default settings for most applications to provide unlimited response to any IP address, especially for non-stateful protocols (e.g. UDP), is proving to be noisy.

Where some customers haven't implemented rate-limiting within BIND, mitigation is available at the O/S and network layer.  As an example, there are connection limits that can be enforced with iptables on Linux.  Per-source-IP connection limits can also be restricted on Cisco ASA firewalls (and likely other vendor products).

There is a patch available for rate-limiting inside BIND.

-----Original Message-----
From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of sthaug at nethelp.no
Sent: Monday, December 17, 2012 2:27 PM
To: cmadams at hiwaay.net
Cc: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] DNS ANY requests from Amazon?

> I'm seeing a bunch of DNS ANY requests to my authoritative servers 
> with Amazon EC2 source IPs.  I guess somebody is now trying to run an 
> amplification attack against Amazon?

Highly likely.

> This is the first time I've seen Amazon targeted this way; are others 
> seeing this (am I just late to the party)?

You're just late to the party. This has been going on for months.

Steinar Haug, AS 2116