[SOLVED] US-CERT Alert TA13-088A: DNS Amplification Attacks
Quote:
National Cyber Awareness System
TA13-088A: DNS Amplification Attacks
Original release date: March 29, 2013
Systems Affected
* Domain Name System (DNS) servers
Overview
A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic.
The notice is an advisory explaining DDoS attacks and what you can do to detect and mitigate them. It's well worth your time to read through the notice and, maybe, apply a tweak or two to your DNS server configuration.
In the global options, add the following [10]:
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
    allow-query { corpnets; };
    allow-recursion { corpnets; };
};
FYI, these are listed as basic security options in the DNS-HOWTO (written in 2001).
I'm amazed that 25 million of the 27 million DNS servers tested are vulnerable to this kind of attack today.
BTW: The main source of the problem is misconfigured ISPs that don't filter customer traffic originating from forged IP addresses.
Affected are not only DNS servers, but any publicly accessible protocol that uses UDP. If HTTP used UDP instead of TCP, all web servers in the world would be "vulnerable" to this and there would be nothing you could do about it (without locking legitimate visitors out of your website).
I'm quite confused right now. My DNS servers are running BIND 9.9.2 (latest Slackware package) and, with or without these directives, they don't act as open resolvers. At the same time they recursively resolve for the local network.
Quote:
In the global options, add the following [10]:
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
    allow-query { corpnets; };
    allow-recursion { corpnets; };
};
Are there some safe default settings in the latest BIND releases, or how is that possible?
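As an added example (not from the thread, the US-CERT alert, or the BIND project), the following Python script shows how to verify from an outside address whether a name server you operate behaves as an open recursive resolver, which is the property the thread is asking about. It builds a single DNS query with the RD (recursion desired) bit set, sends it over UDP, and inspects the reply header: a REFUSED rcode or a cleared RA (recursion available) bit means recursion is not offered to that source, while RA set together with an answer section means the server resolved on your behalf. It also reports the response/query size ratio, which is the amplification factor the alert is about. The probe name `example.com`, the transaction id, and the canned replies returned by `sample_responses()` (using the documentation address 192.0.2.1) are constructed for offline use and are not captured from any real server; only the standard library is used. Note that BIND 9.4 and later default `allow-recursion` to `localnets; localhost;` when the option is absent, which is consistent with the behaviour described above.

```python
import socket
import struct
import sys

# Constructed probe name; any name outside the server's own zones works.
PROBE_NAME = "example.com"
PROBE_TXID = 0x1234


def build_query(name, qtype=1, txid=PROBE_TXID, rd=True):
    """Build a minimal RFC 1035 query: 12-byte header plus one question."""
    flags = 0x0100 if rd else 0x0000            # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                            # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN


def parse_header(packet):
    """Return the header fields that matter for a recursion audit."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),             # 1 = this is a response
        "rd": bool(flags & 0x0100),             # recursion desired (echoed)
        "ra": bool(flags & 0x0080),             # recursion available
        "rcode": flags & 0x000F,                # 0 NOERROR, 5 REFUSED, ...
        "ancount": an,
    }


def classify(query, response):
    """Map a reply to what it says about the server's recursion policy."""
    hdr = parse_header(response)
    if not hdr["qr"] or hdr["id"] != parse_header(query)["id"]:
        return "not-a-reply"
    if hdr["rcode"] == 5:
        return "refused"                        # e.g. allow-query/allow-recursion hit
    if hdr["ra"] and hdr["ancount"] > 0:
        return "open-resolver"                  # resolved a foreign name for us
    if not hdr["ra"]:
        return "recursion-not-available"
    return "no-answer"


def amplification_factor(query, response):
    """Bytes sent back per byte received; what a reflection attack exploits."""
    return len(response) / len(query)


def sample_responses(query):
    """Constructed replies (not captured from a real server) for offline checks."""
    question = query[12:]                       # servers echo the question section
    # One A record pointing at 192.0.2.1 (documentation range), TTL 300.
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes([192, 0, 2, 1]))
    open_hdr = struct.pack("!HHHHHH", PROBE_TXID, 0x8180, 1, 1, 0, 0)    # QR RD RA
    refused_hdr = struct.pack("!HHHHHH", PROBE_TXID, 0x8105, 1, 0, 0, 0) # QR RD rcode 5
    return {"open": open_hdr + question + answer, "refused": refused_hdr + question}


def probe(server, name=PROBE_NAME, timeout=2.0):
    """Send one recursive query to `server` and classify the reply (needs network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout", 0.0
    return classify(query, response), amplification_factor(query, response)


if __name__ == "__main__":
    # Usage: python check_resolver.py <public IP of your own name server>
    verdict, factor = probe(sys.argv[1])
    print("%s (response is %.2fx the query size)" % (verdict, factor))
```

Run it from a host outside the `corpnets` ranges against your server's public address; `refused` or `recursion-not-available` is what you want to see, and a server you are responsible for answering `open-resolver` is the case the alert is warning about.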
Just an FYI, I updated the document recently to clarify some of the wording and included some additional mitigation techniques. Based on community feedback, it was a little vague on whether it applied only to recursive resolvers. I appreciate any feedback.