[dns-operations] First experiments with DNS dampening to fight amplification attacks

Klaus Darilion klaus.mailinglists at pernau.at
Mon Oct 29 09:28:56 UTC 2012

On 25.10.2012 22:16, David Miller wrote:
> On 10/25/2012 1:48 PM, paul vixie wrote:
>> On 10/25/2012 5:08 PM, Michael Hoskins (michoski) wrote:
>>> ...
>>> Seems to show clever hacks can be useful (looks good for roots), but don't
>>> generally work against real hackers who typically read lists (and source
>>> code).  :-)
>> until cisco makes source address validation the default, we have no
>> tools available to thwart ddos, other than clever hacks. all of which
>> will have serious limitations in the face of a determined attacker.
>> however, there are not very many determined attackers.
>> michael, please send diffs to
>> <http://ss.vix.com/~vixie/isc-tn-2012-1.txt> section 5, which currently
>> reads:
>>     5 - Attacker Behaviour
>>     5.1. A forged-source reflective amplifying attacker who wants to be
>>     successful will either have to select authority servers who do not
>>     practice rate limiting yet, or will have to select a large number of
>>     authority servers and use round robin to distribute the attack flows.
>>     Each authority server will have to be asked a question within one of
>>     that server's zones chosen at random in order to get an amplification
>>     effect. An attacker would do well to select DNSSEC-signed zones and to
>>     use DNSSEC signalling in their forged queries to maximize response size.
>>     This will be more effective than QTYPE ANY queries which are often
>>     blocked altogether due to their diagnostic rather than operational
>>     purpose.
> Is it actually the case that QTYPE ANY queries are often blocked altogether?

We apply iptables-based rate-limiting on ANY queries with RD bit set.
This of course is no general cure against amplification attacks, but
works great against the currently happening ANY attacks.
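As an added example (not part of Klaus's message or of the thread), the following Python models the policy he describes so the matching logic is explicit: it parses the DNS header and first question per RFC 1035, selects only queries that carry QTYPE ANY together with the RD bit, and applies a per-source token bucket in the spirit of an iptables hashlimit match. The packet bytes, the source addresses (RFC 5737 documentation ranges) and the rate/burst values are constructed for illustration; the actual iptables rules are not on the page and are not reproduced here.

```python
"""
Reference model of "rate-limit ANY queries with RD set, per source".
Added example; not code from the original post. DNS parsing per RFC 1035;
packets, addresses and thresholds below are constructed test input.
"""
import struct
from collections import defaultdict

QTYPE_ANY = 255
RD_FLAG = 0x0100   # Recursion Desired bit in the DNS header flags word
QR_FLAG = 0x8000   # Query/Response bit (clear on a query)


def parse_question(payload: bytes):
    """Return (flags, qname, qtype) for the first question of a DNS message.

    Raises ValueError on truncated or malformed input; a filter should
    simply not match such packets rather than guess at them.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # A compression pointer is not valid in the first QNAME of a query
            raise ValueError("compression pointer in question")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return flags, ".".join(labels) + ".", qtype


def is_recursive_any(payload: bytes) -> bool:
    """True only for a query (QR clear) for QTYPE ANY with the RD bit set."""
    try:
        flags, _qname, qtype = parse_question(payload)
    except ValueError:
        return False
    return not (flags & QR_FLAG) and bool(flags & RD_FLAG) and qtype == QTYPE_ANY


class SourceRateLimiter:
    """Per-source token bucket, modelled on iptables hashlimit (assumption):
    `rate` tokens/second are refilled up to `burst`; a packet that finds no
    token is the one a DROP rule would fire on."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, src: str, now: float) -> bool:
        last = self.last.get(src, now)
        self.tokens[src] = min(self.burst, self.tokens[src] + (now - last) * self.rate)
        self.last[src] = now
        if self.tokens[src] >= 1:
            self.tokens[src] -= 1
            return True
        return False


def build_query(qname: str, qtype: int, rd: bool, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query on the wire (constructed test input only)."""
    flags = RD_FLAG if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode()
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def filter_packets(packets, rate=1.0, burst=5):
    """Apply the policy to (timestamp, src_ip, payload) tuples; return the
    (src_ip, qname) pairs that would be dropped. Other traffic is untouched."""
    limiter = SourceRateLimiter(rate, burst)
    dropped = []
    for ts, src, payload in packets:
        if not is_recursive_any(payload):
            continue
        if not limiter.allow(src, ts):
            dropped.append((src, parse_question(payload)[1]))
    return dropped


def demo():
    """Constructed traffic: one forged source sending ANY+RD at 100 qps,
    one client asking for A records, one sending ANY without RD."""
    any_rd = build_query("example.com", QTYPE_ANY, rd=True)
    a_rd = build_query("example.com", 1, rd=True)
    any_no_rd = build_query("example.com", QTYPE_ANY, rd=False)
    packets = [(i * 0.01, "192.0.2.10", any_rd) for i in range(20)]
    packets += [(i * 0.01, "198.51.100.7", a_rd) for i in range(20)]
    packets += [(i * 0.01, "203.0.113.5", any_no_rd) for i in range(20)]
    return filter_packets(packets, rate=1.0, burst=5)


if __name__ == "__main__":
    for src, name in demo():
        print(f"drop ANY+RD from {src} for {name}")
```

With burst 5 and a refill of 1 token/second, the first five ANY+RD packets from the forged source pass and the remaining fifteen are dropped, while the A-record client and the ANY query without RD are never touched by the limiter; that selectivity is what makes the rule cheap to deploy in front of an authoritative server, and also why it is, as the post says, no general cure: an attacker who avoids ANY or clears RD is not matched.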
