[dns-operations] Configurable TC=1?

Anand Buddhdev anandb at ripe.net
Mon Dec 21 14:25:27 UTC 2015


On 21/12/15 09:52, Roland Dobbins wrote:

Hi Roland,

> In other words, this DNS server was itself the victim of a naive DNS
> reflection/amplification attack.
> 
> Authoritative, or recursive (hopefully not both)?

Authoritative.

> The sad part is that naive attacks like this succeed all too often due
> to the unpreparedness of the defenders (see below).

There's only so much a defender can do. See below.

>> The attacker was just sending queries for a domain that none of these
>> servers were carrying (and some weren't even running a name server),
>> and so the victim address was flooded with one of the above.
> 
> FYI, this is not a typical DNS reflection/amplification attack
> methodology.  It is a very naive attack.
> 
> Note that if the targeted server was in fact an authoritative-only
> server, the deployment of situationally-appropriate network access
> policies in the form of ACLs on hardware-based routers and/or layer-3
> switches would probably suffice to keep the attack traffic from reaching
> the targeted server itself.

That's only true as long as the victim has sufficient inbound bandwidth.
Once the inbound bandwidth exceeds the router interface limits, ACLs
don't help. Genuine queries don't even make it to the server.

It might be a naive attack in your opinion, but it's still quite effective.

Regards,
Anand
