Sunday, April 28, 2013

So, now for something completely different...

One of the main duties I carry out at my place of employment is being the "DNS guy".  So, with that said, I had to relay the information about "DNS Amplification Attacks" that I came across this week.

This attack relies on the use of public recursive DNS servers.  These are servers that anyone may point to in order to perform recursive DNS lookups.  Many ISPs maintain open servers of this type.

This attack results in a distributed denial of service (DDoS) attack against a target system.  The attacker sends DNS requests to the open server with the source IP address forged to be that of the target system.  The target is then buried by a flood of DNS replies from the DNS server being used as the attack vector.  DNS replies are usually much larger than the requests, so a small amount of attacker traffic turns into a large amount of traffic at the target.  DNS traffic is almost always permitted through firewalls, so this type of attack is hard to detect and block.

Unfortunately, there is little the target can do to defend itself.  There are, however, a few things DNS administrators can do to prevent their servers from becoming attack vectors:

1.  Limit recursive queries to those systems the server should handle lookups for.  So, if you are Cox Communications, you should limit recursive queries to Cox Communications IP addresses.

2.  Disable recursion on authoritative DNS servers.  Authoritative servers should only answer queries for the zones they host, not go out and resolve names on behalf of clients.

3.  This was news to me, but apparently there is an experimental Response Rate Limiting (RRL) capability in BIND 9.  It was created to lessen the possibility of these attacks by capping how many identical responses the server will send to a given client per second.  Unfortunately, Windows DNS does not have this feature.  (I wonder how many Windows DNS servers are public servers???  I wouldn't do it.)
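To put the three items above into concrete terms, here is an added named.conf fragment for BIND 9 showing all three settings together.  This is an illustration written for this post, not configuration taken from any vendor or from US-CERT; the network ranges (192.0.2.0/24 and 198.51.100.0/24 are documentation addresses) and the zone name are made up, and the rate-limit block assumes a BIND build that includes the RRL feature.

```conf
// ---------- Item 1: only recurse for our own customers ----------
// Constructed ACL: replace with the address ranges the server actually serves.
acl "our-customers" {
    192.0.2.0/24;
    198.51.100.0/24;
    localhost;
};

options {
    directory "/var/named";

    // Recursion stays on for a resolver, but only for the ACL above.
    // Anyone else asking for a recursive lookup gets REFUSED instead
    // of a large answer they could aim at a forged source address.
    recursion yes;
    allow-recursion   { "our-customers"; };
    allow-query-cache { "our-customers"; };

    // ---------- Item 3: Response Rate Limiting ----------
    // Caps identical responses sent to one client address per second.
    // Start with log-only to observe what would be dropped, then remove it.
    rate-limit {
        responses-per-second 5;   // max identical answers per client/sec
        window 5;                 // seconds over which the rate is averaged
        slip 2;                   // every 2nd dropped answer is a small TC reply
        log-only yes;             // remove this line once you are happy with it
    };
};

// ---------- Item 2: authoritative data, no recursion ----------
// On a server that is ONLY authoritative, set "recursion no;" in options
// instead of the block above; the zone answers still go to everyone,
// but the server never resolves names for third parties.
zone "example.com" IN {
    type master;
    file "db.example.com";   // constructed zone file name
    allow-query { any; };    // authoritative answers must be public
};
```

Run named-checkconf against the file before reloading to catch syntax slips, and watch the log for "rate limit" messages while log-only is set so you can see which clients would be slowed before enforcement is turned on.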

Here is a link to the US-CERT alert:

http://www.us-cert.gov/ncas/alerts/TA13-088A

That's it for this week--cheers!
