LinuxQuestions.org

tronayne 03-30-2013 07:44 AM

US-CERT Alert TA13-088A: DNS Amplification Attacks
 
Quote:

National Cyber Awareness System
TA13-088A: DNS Amplification Attacks


Original release date: March 29, 2013

Systems Affected

* Domain Name System (DNS) servers

Overview

A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic.

The notice is an advisory explaining DDoS attacks and what you can do to detect and mitigate them. It's well worth your time to read through the notice and, maybe, apply a tweak or two to your DNS server configuration.

The entire notice is available at http://www.us-cert.gov/ncas/alerts/TA13-088A.

Hope this helps some.
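The notice quoted above talks about detecting as well as mitigating these attacks. As an added example (not code from the US-CERT notice or from BIND), here is a small script that runs over BIND 9 query-log lines and flags a source address that is asking the same high-yield question (an ANY query) far too fast, which is what a spoofed victim looks like from the reflector's side. The log line layout, the sample lines and the threshold are assumptions made for the example.

```python
"""Flag DNS amplification abuse in BIND 9 query-log lines.

Added example for this thread; it is not code from the US-CERT notice or
from BIND. Assumptions: the line layout of BIND's "queries" log category
(date, client ip#port, qname, class, type, flags, server ip), constructed
sample lines, and a threshold chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed BIND 9 query-log layout:
#   30-Mar-2013 07:44:00.000 client 203.0.113.7#53 (example.net): query: example.net IN ANY +E (192.0.2.53)
# flags: leading '+' = recursion desired, '-' = not; 'E' = EDNS present.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<local>[^)]*)\)$"
)


def parse_line(line):
    """Parse one query-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["rd"] = rec["flags"].startswith("+")  # recursion desired?
    return rec


def find_amplification_sources(lines, window_seconds=10, threshold=20, qtypes=("ANY",)):
    """Return {source_ip: peak} for sources sending more than `threshold`
    queries of the listed types inside any `window_seconds` window.

    A reflected attack shows up as one (spoofed) source address, the victim,
    asking the same large-answer question over and over. The rate matters,
    not the total volume, hence the sliding window.
    """
    stamps_by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] not in qtypes:
            continue
        stamps_by_src[rec["src"]].append(rec["ts"])

    flagged = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):
            while (t - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


def _fmt(ts):
    """Format a timestamp the way the assumed log layout does (ms precision)."""
    return ts.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]


def build_sample_log():
    """Constructed sample log lines (not real traffic)."""
    base = datetime(2013, 3, 30, 7, 44, 0)
    lines = []
    # 50 ANY queries in two seconds, all claiming to come from 203.0.113.7 (the victim)
    for i in range(50):
        lines.append(f"{_fmt(base + timedelta(milliseconds=40 * i))} client 203.0.113.7#53 "
                     "(example.net): query: example.net IN ANY +E (192.0.2.53)")
    # ordinary recursive lookups from a LAN host
    for i in range(5):
        lines.append(f"{_fmt(base + timedelta(seconds=i))} client 192.168.1.20#40123 "
                     "(www.example.com): query: www.example.com IN A +E (192.0.2.53)")
    # a slow trickle of non-recursive ANY queries: 30 over a minute, below the rate bar
    for i in range(30):
        lines.append(f"{_fmt(base + timedelta(seconds=2 * i))} client 198.51.100.9#3300 "
                     "(example.net): query: example.net IN ANY -E (192.0.2.53)")
    lines.append("this line is not a query-log entry")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, peak in find_amplification_sources(SAMPLE_LOG).items():
        print(f"{src}: {peak} ANY queries inside a 10 s window")
```

The trickle source is deliberately included: 30 ANY queries over a minute is more than the threshold in total, but it never exceeds it inside one window, so it is not reported. On a server with recursion disabled the same pattern appears with the `-` flag, which is why the check does not filter on the RD bit.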

ponce 03-30-2013 08:05 AM

Quote:

In the global options, add the following [10]:

acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
    allow-query { corpnets; };
    allow-recursion { corpnets; };
};

FYI, these are listed as basic security options in the DNS-HOWTO (written in 2001). ;)

I'm amazed that 25 million of the 27 million DNS servers tested are vulnerable to this kind of attack today.

tronayne 03-30-2013 08:51 AM

Yup, never ceases to amaze me too -- particularly when it's me that didn't RTFM.

I suppose that reminders every so often are not a bad thing, eh?

ponce 03-30-2013 09:03 AM

Eh, I personally think the percentage of vulnerable servers will drop by just 1% after this event (I'm an optimist).

jtsn 03-30-2013 09:29 AM

BTW: the main source of the problem is misconfigured ISPs, which don't filter customer traffic originating from forged IP addresses.

Affected are not only DNS servers, but any publicly accessible protocol that uses UDP. If HTTP used UDP instead of TCP, all web servers in the world would be "vulnerable" to this and there would be nothing you could do about it (without locking legitimate visitors out of your website).

tronayne 03-30-2013 09:48 AM

That's pretty much what the notice talks about (and how to fix it).

ponce 03-30-2013 11:46 AM

Interesting article on the matter

http://www.theregister.co.uk/2013/03..._the_internet/

yenn 03-30-2013 11:58 AM

I'm quite confused right now. My DNS servers are running Bind 9.9.2 (latest Slackware package) and, with or without these directives, they don't act as open resolvers. At the same time they recursively resolve for the local network.

Quote:

In the global options, add the following [10]:

acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
    allow-query { corpnets; };
    allow-recursion { corpnets; };
};

Are there some safe default settings in the latest Bind releases, or how is that possible?

ponce 03-30-2013 12:23 PM

It's explained in the article above: since bind-9.4.1-P1 recursion is disabled by default.

But there are many old DNS servers out there, and people tend not to update them for fear of breaking things. ;)
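yenn's question above (why a server without the quoted directives is still not an open resolver) comes down to what BIND assumes when `allow-recursion` is absent. As an added example, not code from BIND or from the US-CERT notice, here is a small audit script that reads a simplified named.conf, expands ACL names, and reports whether the options block leaves recursion open to the world. It handles only a subset of the named.conf syntax (acl blocks, one top-level options block, list statements and yes/no statements), and it assumes BIND's defaults of `allow-recursion { localhost; localnets; }` (the 9.4.1-P1 change) and `allow-query { any; }` when those statements are missing; the sample configurations are constructed for the example.

```python
"""Audit a named.conf for open-resolver exposure.

Added example for this thread; it is not code from BIND or the US-CERT
notice. It handles only a simplified subset of named.conf (acl blocks,
a top-level options block, list statements such as allow-recursion and
yes/no statements such as recursion). It assumes BIND's default of
allow-recursion { localhost; localnets; } when the statement is absent
(the 9.4.1-P1 change) and allow-query { any; } by default.
"""
import re

# Assumed defaults applied when the statement is missing from options {}.
DEFAULT_ALLOW_RECURSION = ["localhost", "localnets"]
DEFAULT_ALLOW_QUERY = ["any"]


def strip_comments(text):
    """Remove /* */, // and # comments (simplified; no string awareness)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def split_list(body):
    """Turn ' a; b; ' into ['a', 'b']."""
    return [t.strip() for t in body.split(";") if t.strip()]


def extract_block(text, keyword):
    """Return the text inside the braces of the first `keyword { ... }`."""
    m = re.search(r"\b" + keyword + r"\b[^{]*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def expand(tokens, acls):
    """Replace ACL names with their members, recursively."""
    out = []
    for t in tokens:
        out.extend(expand(acls[t], acls) if t in acls else [t])
    return out


def audit(conf):
    """Classify the options block as open-resolver, restricted or authoritative-only."""
    conf = strip_comments(conf)
    acls = {m.group(1): split_list(m.group(2))
            for m in re.finditer(r"\bacl\s+(\S+)\s*\{([^}]*)\}", conf)}
    body = extract_block(conf, "options") or ""
    # list statements: allow-query { ... }; allow-recursion { ... };
    lists = {m.group(1): split_list(m.group(2))
             for m in re.finditer(r"([\w-]+)\s*\{([^}]*)\}\s*;", body)}
    # simple statements (recursion yes;) after the list statements are removed
    simple = dict(re.findall(r"([\w-]+)\s+([^{};\s]+)\s*;",
                             re.sub(r"[\w-]+\s*\{[^}]*\}\s*;", "", body)))
    if simple.get("recursion", "yes").lower() != "yes":
        return {"status": "authoritative-only", "allowed": []}
    allowed = sorted(set(expand(lists.get("allow-recursion", DEFAULT_ALLOW_RECURSION), acls)))
    queriers = set(expand(lists.get("allow-query", DEFAULT_ALLOW_QUERY), acls))
    status = "open-resolver" if "any" in allowed and "any" in queriers else "restricted"
    return {"status": status, "allowed": allowed}


# Constructed configurations for illustration.
THREAD_CONF = """
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
    allow-query { corpnets; };
    allow-recursion { corpnets; };
};
"""
OPEN_CONF = """
options {
    recursion yes;            // explicitly open to the whole Internet
    allow-query { any; };
    allow-recursion { any; };
};
"""
DEFAULTS_CONF = 'options { directory "/var/named"; };'   # nothing said about recursion
AUTH_CONF = 'options { recursion no; };'                  # authoritative-only server

if __name__ == "__main__":
    for name, conf in [("thread", THREAD_CONF), ("open", OPEN_CONF),
                       ("defaults", DEFAULTS_CONF), ("auth-only", AUTH_CONF)]:
        print(name, audit(conf))
```

The `defaults` case is the one yenn describes: with nothing configured, the assumed default keeps recursion limited to localhost and the directly attached networks, so the server answers the LAN but is not an open resolver from outside.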

yenn 04-01-2013 02:10 PM

Thanks for the link. Every time I visit LQ I learn something new :)

chrisretusn 04-02-2013 06:47 AM

Well of course I read the article, my DNS server is fine, because I :study: before setting it up. :)

meltonkt 08-16-2013 11:20 AM

Just an FYI, I updated the document recently to clarify some of the wording and included some additional mitigation techniques. Based on community feedback, it was a little vague on whether it applied only to recursive resolvers. I appreciate any feedback.
