[dns-operations] DNS ANY record queries - Reflection Attacks

Chip Marshall chip at 2bithacker.net
Tue Sep 11 17:12:05 UTC 2012


On 10-Sep-2012, Robert Schwartz <smellyspice at gmail.com> sent:
> We run a bunch of authoritative servers and have recently observed activity
> best described in a post we found here:
> https://isc.sans.edu/diary/DNS+ANY+Request+Cannon+-+Need+More+Packets/13261
> 
> Using the iptables rules posted as a comment by Network Mouse (in the above
> post), we've been able to reduce the amount of junk being sent to the
> target host. Most of the target hosts seem to be in Asia, just like those
> mentioned in the Sans post.
> 
> The question I have for you all is: Is this something affecting other
> operators? How have you been dealing with it?

My employer has been seeing it for a while now:
http://dyn.com/active-incident-notification-recent-chinanetany-query-floods/

It appears to always be ANY queries with recursion desired set,
which well behaved recursors shouldn't be sending to
authoritatives in the first place. We've used that to identify
and block apparent source IPs.

-- 
Chip Marshall <chip at 2bithacker.net>
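The signal Chip describes, ANY queries arriving with recursion desired, which a well-behaved recursor should never send to an authoritative server, written up as a small detector. This is an added example, not code from the thread or from Dyn; every function name is mine, the packet builder exists only to construct sample input, and the source addresses are documentation-range values, not real attackers.

```python
import struct
from collections import Counter

QTYPE_ANY = 255
RD_FLAG = 0x0100   # Recursion Desired bit in the DNS header flags word

def parse_query(packet: bytes):
    """Return (qname, qtype, rd_set) for a raw DNS query; raises on malformed input."""
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount < 1:        # QR set (a response) or no question
        raise ValueError("not a query with a question section")
    labels, pos = [], 12
    while packet[pos] != 0:                  # IndexError if the name is truncated
        n = packet[pos]
        if n & 0xC0:                         # compression pointers are not valid here
            raise ValueError("compressed qname in query")
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])  # struct.error if short
    return ".".join(labels) or ".", qtype, bool(flags & RD_FLAG)

def is_any_with_rd(packet: bytes) -> bool:
    """The pattern from the post: an ANY query with RD set, seen at an authoritative."""
    try:
        _name, qtype, rd = parse_query(packet)
    except (ValueError, IndexError, struct.error):   # malformed input is not a hit
        return False
    return qtype == QTYPE_ANY and rd

def flag_sources(samples, threshold):
    """samples: iterable of (src_ip, raw_query). Returns sources that sent at least
    `threshold` ANY+RD queries, most frequent first, for review before blocking."""
    hits = Counter(ip for ip, pkt in samples if is_any_with_rd(pkt))
    return [ip for ip, n in hits.most_common() if n >= threshold]

def build_query(name: str, qtype: int, rd: bool) -> bytes:
    """Minimal query builder, used only to construct the sample input below."""
    hdr = struct.pack("!HHHHHH", 0x1234, RD_FLAG if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l)
    return hdr + qname + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed sample traffic; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE = [("192.0.2.10", build_query("example.com", QTYPE_ANY, True))] * 3 + [
    ("192.0.2.20", build_query("example.com", 1, True)),            # A query, RD set: not flagged
    ("198.51.100.5", build_query("example.com", QTYPE_ANY, False)),  # ANY without RD: not flagged
]

if __name__ == "__main__":
    print(flag_sources(SAMPLE, threshold=3))   # ['192.0.2.10']
```

Feed it (src_ip, UDP payload) pairs from a capture and review the returned list before turning it into firewall rules; spoofed sources mean the tally points at the reflection victim as often as at the sender.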
