
Mitigating DNS amplification attacks



On 04/30/2013 05:28 PM, Thomas St-Pierre wrote:
> The large majority of the servers being used in the attacks are not
> open resolvers. Just DNS servers that are authoritative for a few
> domains, and the default config of the dns application does referrals
> to root for anything else.

It sounds like you're already aware that this is the default behavior 
for an authoritative-only server, and while the referral to the roots is 
a largeish response and has been used for amplification attacks, it's 
also rather difficult to mitigate against.

A BIND server can be configured to not do that, but contacting each of 
your customers about it might not have a good ROI. See 
https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful 
for more information.

Meanwhile, thank you very much for being proactive in this regard. Would 
that more SPs were as net.responsible as you. :)

Doug
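Added illustration, not part of Doug's message: a named.conf options fragment showing the setting that produces the root referral beside the one that makes an authoritative-only BIND 9 server answer REFUSED for zones it does not serve, as the linked DNS-OARC article describes. Option names follow the BIND 9 ARM as I know them; confirm against your own BIND version, since newer releases changed this default.

```conf
// Before: typical authoritative-only configuration.
// Queries for zones this server is not authoritative for are
// answered with a referral to the root servers (the large
// response abused for amplification).
options {
    recursion no;
};

// After: same server, upward referrals disabled.
// additional-from-cache no; stops BIND from consulting its cache
// (including the root hints) when it has no authoritative answer,
// so out-of-zone queries get a small REFUSED instead of a referral.
options {
    recursion no;
    additional-from-cache no;
    additional-from-auth  no;  // also avoid out-of-zone additional data
};
```

After reloading, a query for a name outside your zones should return status REFUSED with an empty authority section; if you still see the root NS set in the reply, the change did not take effect.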