[c-nsp] DNS amplification

Steven Fischer sfischer1967 at gmail.com
Sat Mar 16 19:40:16 EDT 2013


yes - and it presumes your DNS servers are based on Linux and use IPTables.

http://www.cryptonizer.com/dnsamp.html

http://serverfault.com/questions/418810/public-facing-recursive-dns-servers-iptables-rules

http://sf-alpha.bjgang.org/wordpress/2013/01/iptables-for-common-dns-amplification-attack-on-recursive-dns-inside-your-network/

these should give you a good idea of how to get started...


On Sat, Mar 16, 2013 at 6:24 PM, Jon Lewis <jlewis at lewis.org> wrote:

> On Sat, 16 Mar 2013, Robert Joosten wrote:
>
>  Hi,
>>
>>  Can anyone provide insight into how to defeat DNS amplification attacks?
>>>>
>>> Restrict resolvers to your customer networks.
>>>
>>
>> And deploy RPF
>>
>
> uRPF / BCP38 is really the only solution.  Even if we did close all the
> open recursion DNS servers (which is a good idea), the attackers would just
> shift to another protocol/service that provides amplification of traffic
> and can be aimed via spoofed source address packets.  Going after DNS is
> playing whack-a-mole.  DNS is the hip one right now.  It's not the only one
> available.
>
> Many networks will say "but our gear doesn't do uRPF, and maintaining an
> ACL on every customer port is too hard / doesn't scale."
>
> Consider an alternative solution.  On a typical small ISP / small service
> provider network, if you were to ACL every customer (because your gear
> won't do uRPF), you might need hundreds or even thousands of ACLs. However,
> if you were to put output filters on your transit connections, allowing
> traffic sourced from all IP networks "valid" inside your network, you might
> find that all you need is a single ACL of a handful to several dozen
> entries.  Having one ACL to maintain that only needs changing if you get a
> new IP allocation or add/remove a customer who has their own IPs really
> isn't all that difficult.  As far at the rest of the internet is concerned,
> this solves the issue of spoofed IP packets leaving your network.
>
> ------------------------------**------------------------------**----------
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
> _________ http://www.lewis.org/~jlewis/**pgp<http://www.lewis.org/~jlewis/pgp>for PGP public key_________
>
>


-- 
To him who is able to keep you from falling and to present you before his
glorious presence without fault and with great joy


More information about the cisco-nsp mailing list