<<< Date Index >>>     <<< Thread Index >>>

Re: recursive DNS servers DDoS as a growing DDoS problem



On Sun, 26 Mar 2006, Geo. wrote:

Spoofing is indeed the attack vector and it can also be utilized for
NTP, ICMP, etc. It is to blame.

Still, DNS is what's being exploited and in my opinion a broken feature
being exploited needs fixing, or it will be exploited.

What feature of DNS is being exploited, UDP or the fact that there are a lot
of dns servers you can use?

If you have a 20,000 bot botnet and each bot has 2 defined recursive dns
servers that it is allowed to use and these bots are on the local subnet (ie
BCP38 is implimented at the gateway but not at every router) then how
exactly is locking down recursive servers so you can only use yours going to
solve anything?

Right now you don't need the 20,000 bot botnet. You can find plenty of recursive nameservers to send large responses to your victim. Even if we moved to a state where a 20,000 bot botnet could take you down, that's still better than anyone on a cable modem can take you down.

However, properly fixed the 20,000 bot botnet isn't able to perform this sort of attack unless all 20,000 bots are on your ISPs network.

Each bot has 2 nameservers. Properly configured, those nameservers should only send responses to the customers of the ISP in question (this would require dns server changes, not firewall rules blocking the requests).

If the victim of the attack is not on the list of allowed clients, then the bot would send the request to its own nameservers, and the nameservers would refuse to respond since the victim is not an allowed IP.

Greg