On 01/17/2014 11:26 PM, Levi Pearson wrote:
> On Fri, Jan 17, 2014 at 10:13 PM, Andy Bradford <[email protected]> wrote:
>> Thus said Daniel Fussell on Fri, 17 Jan 2014 10:17:35 -0700:
>>
>>> Recently someone started using my DNS server for a DNS amplification
>>> attack, forcing me to disable recursion for queries coming from
>>> outside my network. It works well enough, but I'm now sending a denied
>>> packet to the victim instead of a 4 kbyte TXT record, where I'd like
>>> to send nothing at all.
>>
>> Why should it send anything in response to a request for recursion if
>> you don't even have recursion enabled? Either the DNS server software is
>> still misconfigured, or it's broken.
>
> I don't follow. It seems pretty normal for an authoritative server to
> reply to a request with the recursion bit set with the 'recursion not
> available' code in the response. DNS is a UDP-based protocol (at
> least for normal requests), and simply not answering is asking for a
> retry. I don't know if you can even configure most DNS servers to
> just fail to respond at all to a request with the recursion bit set.

That's the way I feel about it. It's much easier to work with a system that kindly reminds you your configuration won't support some operation, but there's no reason to think anything is down. But there are some caveats with that gentlemanly practice...

> I suspect that anyone who's trying to use a system for DNS
> amplification attacks will eventually notice that it no longer does
> recursive responses and stop sending spoofed requests. They're no
> longer getting any amplification from your server, so their request
> bandwidth is "better" spent on another recursive-allowing server.

So far, they either don't care about the bandwidth, or they haven't cared to do anything but seek and exploit. I'm constantly under a barrage of these attack attempts, and it's been a little concerning just how fast the logs were filling with query denied messages.
It made me start to wonder if I was an unwitting participant, or the target. I wonder if they have figured out a way to overwhelm a server long enough to effect a cache poisoning, buffer overflow, TCP connection exhaustion, or some other attack; maybe collecting a vast amount of query responses looking for a flaw in my random number generator. Or maybe it's just some vigilante trying to improve the world and increase awareness of DNS amp attacks by creating one and filling pipes till someone notices and does something about it. Who knows.
The one thing I know is, I'm being continually scanned by what appears to be bots, on both TCP and UDP, despite my refusal to do the recursion, perhaps under the assumption I might screw up and start recursing again. Moving to the assumption that I may be the intended target, my response would be to cut off their communication with my server before the server ever sees the packet; the sooner the drop, the better.

/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
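The thread describes logs filling with "query denied" messages once recursion is refused for outside clients. As an added example (not from the thread or from any of its participants), here is a small Python parser that aggregates those denied queries by source address and query type, which is the first step toward deciding what to drop at the packet filter before the server sees it. The log line format is assumed to be BIND 9's "client ... query (cache) '...' denied" style, and the sample lines are constructed; note that in an amplification attempt the source address is spoofed, so a flagged address is most likely the victim rather than the attacker.

```python
import re
from collections import Counter, defaultdict

# Assumed BIND 9 "query denied" log format (optional "@0x..." client handle and
# optional "(qname)" after the port appear in some versions). This regex is an
# assumption for the example, not something taken from the thread.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

# Constructed sample log lines (documentation addresses), not real log data.
SAMPLE_LOG = """\
17-Jan-2014 10:17:35.001 client 198.51.100.7#53: query (cache) 'example.net/ANY/IN' denied
17-Jan-2014 10:17:35.002 client 198.51.100.7#53: query (cache) 'example.net/ANY/IN' denied
17-Jan-2014 10:17:35.003 client 198.51.100.7#53 (example.net): query (cache) 'example.net/TXT/IN' denied
17-Jan-2014 10:17:36.100 client 203.0.113.9#41123: query (cache) 'www.example.org/A/IN' denied
17-Jan-2014 10:17:37.250 client 198.51.100.7#53: query (cache) 'example.net/ANY/IN' denied
17-Jan-2014 10:17:38.000 client 203.0.113.9#41124: query 'www.example.org/A/IN' approved
"""


def parse_denied(log_text):
    """Yield (source_ip, qname, qtype) for every denied-query line; other lines are skipped."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname"), m.group("qtype")


def summarize(log_text, threshold=3):
    """Count denied queries per source and flag sources at or above threshold.

    Returns (counts_per_ip, flagged) where flagged maps each flagged source
    to its per-QTYPE breakdown. A source port of 53 and ANY/TXT queries are
    typical of reflection traffic, and the flagged source is the spoofed
    victim, so it is a candidate for a temporary drop rule, not a blocklist.
    """
    per_ip = Counter()
    per_ip_qtype = defaultdict(Counter)
    for ip, _qname, qtype in parse_denied(log_text):
        per_ip[ip] += 1
        per_ip_qtype[ip][qtype] += 1
    flagged = {ip: dict(per_ip_qtype[ip]) for ip, n in per_ip.items() if n >= threshold}
    return dict(per_ip), flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    print(counts)   # per-source denied-query totals
    print(flagged)  # sources at or above the threshold, with QTYPE breakdown
```

Run against a real query log the same way, feeding the file contents to summarize(); the "approved" line in the sample shows that non-denied entries are ignored.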
