[colug-432] DNS Amplification Attack
William Yang
wyang at gcfn.net
Wed Apr 3 17:10:19 EDT 2013
On 04/02/2013 01:38 AM, Travis Sidelinger wrote:
> Your DNS servers respond to UDP packets, which can be used by spoofing the
> source address of a UDP packet to attack another network. DNS is simply a
> popular UDP service. Thus, this is more of a firewall issue. Your
> firewall needs to ensure your UDP traffic is not being spoofed. Unless you
> are an ISP, there is not much you can do there. Rob's advice is good, but
> won't fundamentally fix this issue. Disabling UDP or enforcing DNS-SEC
> would resolve the issue, but may have challenges of their own. I'd
> recommend slaving your DNS to an ISP and let them deal with this.
I'm curious as to how DNSSEC would resolve the issue; the encryption
doesn't authenticate or authorize clients as I understand it: it only
authenticates server responses.
Limiting recursion is a Good Thing(tm) to do. Rate limiting responses is
another thing you could probably look at. It doesn't eliminate the
problem, but it sets reasonable limits on your additive role.
-Bill
--
William Yang
wyang at gcfn.net
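As an added illustration (not code from either poster), here is a small Python model of the two mitigations the reply mentions: refusing recursion for sources outside the networks the server actually serves, and rate limiting identical responses per source /24, which is the idea behind BIND's Response Rate Limiting. The network ranges, zone name and sample queries are constructed; a real resolver also rate limits its small REFUSED replies, which this model does not.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: networks allowed to recurse here, and zones we are authoritative for.
ALLOWED_RECURSION = [ip_network("192.0.2.0/24")]
AUTHORITATIVE_ZONES = {"example.net."}

class RateLimiter:
    """Per-(source /24, qname, second) response cap: the core idea of BIND's
    Response Rate Limiting, simplified (constructed for this example)."""
    def __init__(self, responses_per_second):
        self.limit = responses_per_second
        self.sent = defaultdict(int)

    def allow(self, src, qname, now):
        key = (ip_network(f"{src}/24", strict=False), qname, int(now))
        if self.sent[key] >= self.limit:
            return False
        self.sent[key] += 1
        return True

def is_authoritative(qname):
    return any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)

def decide(query, limiter):
    """Return 'answer', 'refused' or 'dropped' for a constructed query dict
    with keys src (IP string), qname (FQDN) and t (timestamp in seconds)."""
    src = ip_address(query["src"])
    if not is_authoritative(query["qname"]):
        # Needs recursion: refuse unless the source is a network we serve,
        # so a spoofed Internet source gets no large reply to reflect.
        if not any(src in net for net in ALLOWED_RECURSION):
            return "refused"
    if not limiter.allow(src, query["qname"], query["t"]):
        return "dropped"  # identical answers to one /24 exceeded the cap
    return "answer"

def simulate(queries, responses_per_second=5):
    limiter = RateLimiter(responses_per_second)
    outcomes = defaultdict(int)
    for q in queries:
        outcomes[decide(q, limiter)] += 1
    return dict(outcomes)

# Constructed sample: one in-network client, then a burst of 20 identical
# queries from one outside source address, as a reflection flood would look.
SAMPLE = [{"src": "192.0.2.10", "qname": "www.example.org.", "t": 0.1}]
SAMPLE += [{"src": "198.51.100.7", "qname": "example.net.", "t": 0.2 + i / 100}
           for i in range(20)]
```

Running `simulate(SAMPLE)` answers the in-network client plus the first five identical queries in the burst and drops the other fifteen, which is the "reasonable limit on your additive role" Bill describes.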