Hi, I wrote an email 1 day ago (subject: DDoS attack and difference actions in bind 9.6 / 9.7), but I wonder whether the mail could reach your mailbox, so I am requesting support again.

First, recently an "isc.org ANY" DDoS attack is frequently being generated against our DNS system (recursive cache DNS). The query type is "ANY" and I think it may be a DNS amplification attack. It is affecting all regions in Korea, and query traffic (pps) sometimes exceeds 160K. Source IPs are variable, spoofed or infected clients. Anyway, I have 3 questions about this.

1. If I solve this problem (burst of isc.org "ANY" queries, amplification attack), is there any better idea or case of blocking the attack at other sites?

2. Curiously, I found 2 different query results for "isc.org ANY". On a server with bind-9.6 installed, the response "query rcvd" msg size is 600~700 bytes, but with bind-9.7 the response rcvd msg size is 3100~3400 bytes (large size); it includes lots of DNSSEC RRsets. Why are the response msg sizes different depending on the system?

3. I monitored DNS traffic after the attack disappeared. It seems that the bind-9.6 servers replied to all "ISC ANY" queries, but the bind-9.7 servers almost ignored them. I read the new features in the bind-9.7 doc and RELEASE-FILE, but there were no reports of preventing the above attack (sort of generating a large response packet). I have read once about preventing large RRSIG in negative queries, but I think it is a different situation compared to that. If you know the features in bind-9.7 related to the above (ignoring replies), please tell us.

Best regards,
Euiho Kim
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users