
RE: recursive DNS servers DDoS as a growing DDoS problem



> We have done just this (block inbound udp/53) to certain subnets due to a
> rash of CPEs that happily proxy DNS, including recursive queries,
> from their WAN side.

What devices? Is this a default or something customers are configuring?

> Ingress/Egress filtering did not help because the traffic coming
> to the name server was not spoofed to appear like it was coming from our
> network, it really was.

Ingress/Egress filtering really needs to be addressed by router
manufacturers so it's a default when the router is configured. If every DSL
router did *gress filtering, most of the spoofing issues would go away
overnight. It's the same sort of thing as Exchange finally installing with
relay disabled or the patch for smurf ping replies.

In the case where a router is located someplace that *gress filtering just
isn't a viable option, the people configuring those routers should be smart
enough to be able to figure out how to disable it, so enabled by default
really should not be a change that is an issue for router manufacturers.

Geo.