[dns-operations] DNS ANY record queries - Reflection Attacks

serhat aslan serhataslan22 at yahoo.com
Tue Sep 11 08:13:22 UTC 2012

My methodology is simple, analyze and ban :)

First Part
 + Baseline = Identifying the anomalies
     * Using a latency monitor.
        -> smokeping, in-house scripts; instead of dig I prefer using Net::DNS for the customizable output, etc.
     * Ratio of dns-query/dns-response (in/out mbps)
        -> roughly, in/out traffic in my cases is 1/4
     * Ascii/RRD-like graphs :), same as the above case, but just looking at the behavior of the traffic picture.

 + Random auditing, packet sampling in a limited time frame. It is best suited if you have got a lot of dns-servers and want to identify whether an amplification attack is present or not.
       -> tcpdump + grep/sed/awk + "wc -l" or dnstop :), etc.
Last Part
 + Banning traffic: signature of the packet (dns-type + dns query), then importing them to the firewall

Serhat Aslan
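Serhat's two measurements (the response/query byte ratio against a known baseline, and a sampled-packet count per query signature) combined into one small script, as an added example that is not part of the thread. It assumes a constructed, simplified per-packet sample log (one line per sampled packet: timestamp, client, Q/R direction, qtype, qname, bytes) rather than real tcpdump or dnstop output, uses the 1:4 in/out ratio from his post as the baseline, and emits each suspect's dominant (qtype, qname) signature in the `|hex|` form that iptables' string match accepts, which is one assumed way of "importing" the signature to a firewall.

```python
"""Flag DNS amplification candidates from a sampled packet log.

Added example, not from the dns-operations thread. Input format is a
constructed simplification of a packet sample:

    <ts> <client_ip> <Q|R> <qtype> <qname> <bytes>

Q = query into the authoritative server, R = response out. Under a
reflection attack the "client" is the spoofed victim, so a very high
out/in byte ratio per client is the anomaly being measured.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: one normal resolver and one spoofed source sending ANY.
SAMPLE_LOG = """\
# ts       client        dir qtype qname             bytes
08:13:01 192.0.2.10   Q A   www.example.com.  45
08:13:01 192.0.2.10   R A   www.example.com.  135
08:13:02 192.0.2.10   Q A   www.example.com.  45
08:13:02 192.0.2.10   R A   www.example.com.  135
08:13:03 192.0.2.10   Q MX  example.com.      41
08:13:03 192.0.2.10   R MX  example.com.      123
08:13:04 192.0.2.10   Q A   www.example.com.  45
08:13:04 192.0.2.10   R A   www.example.com.  135
08:13:05 192.0.2.10   Q A   www.example.com.  45
08:13:05 192.0.2.10   R A   www.example.com.  135
08:13:01 198.51.100.7 Q ANY example.com.      29
08:13:01 198.51.100.7 R ANY example.com.      1480
08:13:01 198.51.100.7 Q ANY example.com.      29
08:13:01 198.51.100.7 R ANY example.com.      1480
08:13:02 198.51.100.7 Q ANY example.com.      29
08:13:02 198.51.100.7 R ANY example.com.      1480
08:13:02 198.51.100.7 Q ANY example.com.      29
08:13:02 198.51.100.7 R ANY example.com.      1480
08:13:03 198.51.100.7 Q ANY example.com.      29
08:13:03 198.51.100.7 R ANY example.com.      1480
08:13:03 198.51.100.7 Q A   example.com.      29
08:13:03 198.51.100.7 R A   example.com.      45
"""

# Standard RR type codes (RFC 1035 / RFC 3596); ANY is the QTYPE "*" = 255.
QTYPE_CODES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15,
               "TXT": 16, "AAAA": 28, "ANY": 255}


@dataclass
class ClientStats:
    queries: int = 0
    bytes_in: int = 0
    bytes_out: int = 0
    by_signature: dict = field(default_factory=lambda: defaultdict(int))


def aggregate(lines):
    """Per-client query count, in/out bytes and (qtype, qname) histogram."""
    stats = defaultdict(ClientStats)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, client, direction, qtype, qname, size = line.split()
        s = stats[client]
        if direction == "Q":
            s.queries += 1
            s.bytes_in += int(size)
            s.by_signature[(qtype.upper(), qname.lower())] += 1
        else:
            s.bytes_out += int(size)
    return stats


def amplification_ratio(s):
    """Response bytes per query byte; 4.0 is the 1/4 baseline from the post."""
    return s.bytes_out / s.bytes_in if s.bytes_in else 0.0


def find_suspects(stats, baseline_ratio=4.0, factor=3.0, min_queries=5):
    """Clients whose ratio exceeds factor * baseline, with their top signature."""
    suspects = {}
    for client, s in stats.items():
        if s.queries < min_queries:      # too few samples to judge
            continue
        ratio = amplification_ratio(s)
        if ratio > baseline_ratio * factor:
            sig = max(s.by_signature.items(), key=lambda kv: kv[1])[0]
            suspects[client] = (round(ratio, 1), sig)
    return suspects


def wire_signature(qtype, qname):
    """Wire-format question (labels + QTYPE + QCLASS IN) as an iptables
    '-m string --hex-string' pattern, e.g. for a DROP rule on udp/53."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    wire += b"\x00" + QTYPE_CODES[qtype].to_bytes(2, "big") + b"\x00\x01"
    return "|" + " ".join(f"{b:02x}" for b in wire) + "|"


if __name__ == "__main__":
    for client, (ratio, (qtype, qname)) in find_suspects(aggregate(SAMPLE_LOG.splitlines())).items():
        print(f"{client}: out/in ratio {ratio}, signature {qtype} {qname}")
        print("  hex pattern:", wire_signature(qtype, qname))
```

On the constructed sample the normal resolver sits at the 3.0 baseline and is ignored, while the spoofed source shows a ratio near 43 with ANY example.com. as its dominant signature. The `min_queries` floor matters in practice: a single large response to one query would otherwise trip the ratio check.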

From: Robert Schwartz <smellyspice at gmail.com>
To: dns-operations at lists.dns-oarc.net 
Sent: Tuesday, September 11, 2012 6:52 AM
Subject: [dns-operations] DNS ANY record queries - Reflection Attacks

Hi All,

We run a bunch of authoritative servers and have recently observed activity best described in a post we found here: https://isc.sans.edu/diary/DNS+ANY+Request+Cannon+-+Need+More+Packets/13261

Using the iptables rules posted as a comment by Network Mouse (in the above post), we've been able to reduce the amount of junk being sent to the target host. Most of the target hosts seem to be in Asia, just like those mentioned in the SANS post.

The question I have for you all is: Is this something affecting other operators? How have you been dealing with it? 

Thanks in advance for your feedback.

