[dns-operations] question for DNS being attacked

Paul Vixie paul at redbarn.org
Thu Jun 28 03:21:44 UTC 2012


On 2012-06-28 1:41 AM, pangj wrote:
> Hello,
>
> My named service got 1GB or more incoming traffic of attack recently.
> The remote source IPs are fake IMO, and the records they query for are
> random.
> This makes my named unable to work normally.
> How can we take some steps to prevent them?

since there's no way to drop remotely-spoofed traffic at its entry into
your network, and no way to require every remote network to drop spoofed
traffic inside their network (where it is at least technically possible
to differentiate this traffic), all you can do is try to guess what
queries are fake or otherwise nonproductive, and avoid responding to these.

at <http://www.redbarn.org/dns/ratelimits> you will find one
experimental approach to doing this, if your name server is BIND9. note
that this feature is not supported by ISC at this time, but that the
authors of the experimental technology would welcome any comments, bug
reports, questions, or feedback on the topic.

this experimental technology is called DNS RRL, for DNS Response Rate
Limiting. operators of several large name servers have reported good
success with DNS RRL.

good luck with your defense. this kind of attack has become extremely
common during 2012.

paul
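The grouping idea behind response rate limiting, as an added illustration that is not part of the message above and is not BIND's RRL implementation: a hypothetical, simplified credit-bucket model in which responses are keyed by the client's /24 prefix plus the response they would receive, with all NXDOMAIN answers for a zone sharing one bucket so that randomized query names cannot evade the limit. The traffic fed through it is constructed sample data (RFC 5737 documentation addresses, made-up names under example.com), and the parameter names and defaults are assumptions chosen for the example.

```python
"""Simplified simulation of DNS response rate limiting (RRL).

Hypothetical model for illustration (not BIND's code, not the exact
algorithm at redbarn.org/dns/ratelimits): each (client prefix, response)
key earns `limit` credits per second, capped at `limit`, and each response
spends one credit. Once the balance is negative the response is rate
limited: every `slip`-th limited response is sent truncated (TC=1) so a
genuine client can retry over TCP, the rest are dropped. Debt is capped at
window * limit so a key recovers within `window` seconds of silence.
"""
import ipaddress
from collections import Counter


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, errors_per_second=5,
                 slip=2, window=15, prefix_len=24):
        self.responses_per_second = responses_per_second
        self.errors_per_second = errors_per_second
        self.slip = slip
        self.window = window
        self.prefix_len = prefix_len
        self._buckets = {}          # key -> [balance, last_refill_ts]
        self._limited = Counter()   # key -> number of rate-limited responses

    def _key(self, client_ip, qname, qtype, rcode, zone):
        # Spoofed sources are grouped by prefix, not individual address.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        if rcode == "NOERROR":
            # Identical answers to the same prefix share one bucket.
            return (net, "NOERROR", qname.lower(), qtype)
        # Random-name floods yield NXDOMAIN; group those by zone so the
        # randomized qname gives the attacker no fresh bucket per query.
        return (net, rcode, zone.lower())

    def decide(self, ts, client_ip, qname, qtype, rcode, zone):
        """Return 'respond', 'slip' or 'drop' for one would-be response.

        `rcode` is the code the server would have answered with; the
        limiter runs after the lookup, on the response, not on the query.
        """
        key = self._key(client_ip, qname, qtype, rcode, zone)
        limit = (self.responses_per_second if rcode == "NOERROR"
                 else self.errors_per_second)
        balance, last = self._buckets.get(key, (limit, ts))
        # Refill credits for each elapsed whole second, never above the cap.
        elapsed = int(ts - last)
        if elapsed > 0:
            balance = min(limit, balance + elapsed * limit)
            last += elapsed
        balance -= 1
        if balance >= 0:
            self._buckets[key] = [balance, last]
            return "respond"
        # Over the limit: cap the debt, then slip or drop.
        self._buckets[key] = [max(balance, -self.window * limit), last]
        self._limited[key] += 1
        if self.slip and self._limited[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(queries, limiter):
    """Run a stream of (ts, ip, qname, qtype, rcode, zone) and tally actions."""
    tally = Counter()
    for q in queries:
        tally[limiter.decide(*q)] += 1
    return tally


def constructed_attack_stream():
    """Constructed sample traffic: 50 queries within one second for random
    names under example.com, sources scattered across 203.0.113.0/24
    (spoofed), plus one legitimate query from 198.51.100.7."""
    stream = [(100.0 + i * 0.01, f"203.0.113.{i % 250 + 1}",
               f"x{i:04d}.example.com", "A", "NXDOMAIN", "example.com")
              for i in range(50)]
    stream.append((100.5, "198.51.100.7", "www.example.com", "A",
                   "NOERROR", "example.com"))
    return stream


if __name__ == "__main__":
    rrl = ResponseRateLimiter()
    print(simulate(constructed_attack_stream(), rrl))
```

With the defaults above, the 50 random-name queries from one /24 collapse into a single NXDOMAIN bucket: five are answered, the remaining 45 are rate limited (alternating truncated and dropped), while the unrelated legitimate query from another prefix is answered normally. Because credits refill every second, the attacked bucket is answering again a few seconds after the flood stops.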