• My Tweats

  • Flickr Photos

DNS-based Distributed Denial of Service attacks

CNET has a post on recent DNS-based DDOS Attacks:

"In this new kind of attack, an assailant would typically use a botnet to send a large number of queries to open DNS servers. These queries will be "spoofed" to look like they come from the target of the flooding, and the DNS server will reply to that network address.

Using DNS servers to do their dirty work offers key benefits to attackers. It hides their systems, making it harder for the victim to find the original source of the attack. But more important, reflecting an attack through a DNS server also allows the assault to be amplified, delivering a larger amount of malicious traffic to the target."

The internet community can mitigate these types of attacks three ways:

  • DNS Servers accessible by the internet as a whole, should be configured for non-recursive lookups. In plain speak, the DNS server hosting domain example.com only answers requests about example.com from the internet at large and nothing else. For reference, see this best practice DNS/Bind template that allows recursive lookups for local sources while being non-recursive for the internet at large. Enterprises should also consider hosting their DNS domains at a DNS service provider like UltraDNS and have local DNS servers only for their own internal use.
  • At the perimeter of ISP and enterprise networks, egress filters should only allow outbound traffic that has valid source IP information from said Enterprise or ISP. For reference, see this best practice Cisco Router template.
  • Companies that are victims of DNS-based DDOS, should pursue tort action (in a class with other victims) against those Enterprises/ISP that were not properly configured thus allowing the attack. When InfoSec Lawfare (reduction of InfoSec based economic externalities) begins in earnst, organizations and individuals will have the proper economic incentives for information security.

Update: A brief example note of an ongoing DNS DDOS Attack via the ISC Incident Handler.

Update 26 March 2006: I commented on a like article is being discussed on Digg

Update 27 March 2006: More Examples: Via SlashDot, Slashdot again, and Netcraft.

One Response

  1. DNS DDOS Mitigation Update

    I posted on the DNS DDOS attacks here and here.
    I realize I left out one of the prudent steps all organizations should enforce as part of their Network Security Policy:

    Only allow your internal clients to talk to your own DNS servers. This negates the…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: