
Re: [opennic-discuss] Killed an IP due to excessive usage


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Killed an IP due to excessive usage
  • Date: Tue, 28 Dec 2010 21:35:01 -0700
  • List-archive: <http://lists.darkdna.net/pipermail/discuss>
  • List-id: <discuss.lists.opennicproject.org>

Yeah, we've run into DNS amplification attacks in the past, and we're all aware that the IPs are spoofed. I run shorewall here, and have verified that I have enabled anti-spoofing in iptables, yet somehow these packets are still getting through. Maybe iptables is forwarding the packets to the DNS server before the anti-spoofing measures are checked? I don't know, but it's annoying...

Of course, most of the websites I read on dealing with DNS attacks were quick to say over and over that nobody should be running a recursive DNS server except for ISPs... well, goody for them. We have a legitimate reason for running recursive servers, and simply turning off recursive lookups is not currently an option. Yeah, these attacks suck, but surely there must be a way to block the attacks without completely destroying the functionality of opennic?


On 12/28/2010 09:02 PM, Larry Brower wrote:

This sounds like a DNS amplification attack which has been going on for years. The IP you are seeing is most likely spoofed because the attacker sends a small query to you as a recursive server and you send back the entire RR set for ISC.org. This is part of the reason the ICANN root servers do not do recursive DNS and authoritative servers are not supposed to do recursive DNS.

You may want to view the NANOG presentations on the subject at
http://nanog.org/presentations/archive/index.php

Just search for dns amplification
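The pattern both messages describe (a burst of small recursive queries for one large RR set, all carrying the same spoofed source address) is visible in an ordinary resolver query log. The script below is an added example, not code from the OpenNIC project or from either poster: it parses BIND-style query log lines and flags a source that sends more than a threshold of recursion-desired queries for the same name and an amplifying record type within a sliding window. The log line format, the sample lines, the threshold and the window length are all constructed assumptions for the demonstration. Note that a flagged address is the spoofed victim, not the attacker, which is why the sensible reaction is per-source response rate limiting or a tighter recursion ACL rather than blacklisting that address.

```python
"""Flag DNS amplification abuse in BIND-style query logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed BIND 9 'queries' log layout (constructed for this example), e.g.:
# 28-Dec-2010 21:35:01.123 client 203.0.113.5#53: query: isc.org IN ANY +E (192.0.2.10)
# In this layout '+' in the flags field means recursion desired, 'E' means EDNS.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return a dict for one query log line, or None if it does not match."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S")
    rec["recursive"] = "+" in rec["flags"]
    return rec


def find_amplification_sources(lines, window=timedelta(seconds=10), threshold=20,
                               amplifying_qtypes=("ANY", "TXT", "RRSIG")):
    """Return {client: peak_count} for clients that sent more than `threshold`
    recursive queries for one (qname, qtype) inside any `window`-long span.
    Only record types that yield large responses are counted (assumed list)."""
    buckets = defaultdict(list)   # (client, qname, qtype) -> timestamps in window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["recursive"]:
            continue
        if rec["qtype"].upper() not in amplifying_qtypes:
            continue
        key = (rec["client"], rec["qname"].lower(), rec["qtype"].upper())
        stamps = buckets[key]
        stamps.append(rec["ts"])
        # Slide the window: discard timestamps that fell out of it.
        while stamps and rec["ts"] - stamps[0] > window:
            stamps.pop(0)
        if len(stamps) > threshold:
            flagged[rec["client"]] = max(flagged.get(rec["client"], 0), len(stamps))
    return flagged


def _sample_log():
    """Constructed sample: 30 ANY queries for isc.org from one source in 4.5 s
    (the burst the thread describes) plus a few ordinary A lookups."""
    base = datetime(2010, 12, 28, 21, 35, 0)
    lines = []
    for i in range(30):
        t = base + timedelta(milliseconds=150 * i)
        lines.append(f"{t.strftime('%d-%b-%Y %H:%M:%S')}.{t.microsecond // 1000:03d} "
                     "client 203.0.113.5#53: query: isc.org IN ANY +E (192.0.2.10)")
    for i in range(5):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.strftime('%d-%b-%Y %H:%M:%S')}.000 "
                     "client 198.51.100.7#41123: query: www.example.com IN A + (192.0.2.10)")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for client, peak in find_amplification_sources(SAMPLE_LOG).items():
        # The client address is the likely spoofed victim, not the attacker.
        print(f"{client}: {peak} amplifying queries in window (probable spoofed target)")
```

Running it on the constructed log reports 203.0.113.5 with a peak of 30 queries. On a real resolver, feed it the BIND query log and adjust the threshold to your normal traffic; a source that trips it is a candidate for per-source response rate limiting or for exclusion from the `allow-recursion` ACL, which keeps recursion available to the clients the server is meant to serve.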




