[colug-432] DNS Amplification Attack

William Yang wyang at gcfn.net
Wed Apr 3 17:10:19 EDT 2013


On 04/02/2013 01:38 AM, Travis Sidelinger wrote:
> Your DNS servers respond to UDP packets, which can be used by spoofing the
> source address of a UDP packet to attack another network.  DNS is simply a
> popular UDP service.  Thus, this is more of a firewall issue.  Your
> firewall needs to ensure your UDP traffic is not being spoofed.  Unless you
> are an ISP, there is not much you can do there.  Rob's advice is good, but
> won't fundamentally fix this issue.  Disabling UDP or enforcing DNS-SEC
> would resolve the issue, but may have challenges of their own.  I'd
> recommend slaving your DNS to an ISP and let them deal with this.

I'm curious as to how DNSSEC would resolve the issue; the encryption
doesn't authenticate or authorize clients as I understand it: it only
authenticates server responses.

Limiting recursion is a Good Thing(tm) to do.  Rate limiting responses is
another thing you could probably look at.  It doesn't eliminate the
problem, but it sets reasonable limits on your additive role.

	-Bill

-- 
William Yang
wyang at gcfn.net
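Added example, not from either poster: a BIND 9 named.conf fragment showing the two mitigations discussed above, restricting recursion to your own clients and turning on Response Rate Limiting (RRL, shipped in BIND 9.9.4 and available as a patch before that). The zone name "example.net", the ACL name "trusted" and the 192.0.2.0/24 client network are assumptions for illustration.

```conf
// Added example (not from the original thread): authoritative BIND 9 server
// that must not behave as an open resolver or an amplifier.
// Assumed: zone "example.net", ACL "trusted", client network 192.0.2.0/24.

acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;        // assumed: your own client network
};

options {
    directory "/var/named";

    // Weak setting (an open resolver):
    //   recursion yes;
    //   allow-recursion { any; };
    // Anyone on the Internet can ask this server to resolve arbitrary names,
    // and the large answers are reflected at whatever source address the
    // attacker spoofed.

    // Corrected: recursion and cache access only for your own clients.
    recursion yes;
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };

    // Keep answers small: no optional authority/additional records.
    minimal-responses yes;

    // Response Rate Limiting: identical responses to the same /24 (v4) or
    // /56 (v6) are capped per second, so a spoofed victim gets a trickle,
    // not a flood. It does not eliminate the problem, it bounds this
    // server's contribution to it.
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;           // every 2nd dropped answer is a tiny TC=1 reply instead
        log-only no;      // set to yes first to observe before enforcing
    };
};

// Authoritative zone: anyone may query it (that is its job); the options
// above keep the server from answering for other people's domains.
zone "example.net" {
    type master;
    file "example.net.zone";
    allow-query { any; };
};
```

To check the result from a host outside the "trusted" ACL, query the server for a name it is not authoritative for (for instance `dig @ns1.example.net www.example.com`): the status should be REFUSED and the "ra" flag should be absent from the header, while a query for a name in example.net still answers with "aa" set. Running RRL with `log-only yes` for a day before enforcing shows what legitimate traffic would have been clipped.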

