[RndTbl] DNS Amplification DoS

Paul Sierks psierks at sierkstech.net
Mon Sep 17 14:16:36 CDT 2012


Hey Everybody,

I recently saw iftop showing a couple of "connections" of ~200Kbps
persistently on a box, and because this wasn't the usual, I looked into
it. Turns out it was caused by DNS lookups of type ANY for ripe.net,
repeatedly. I can only assume this is an amplification attack. This box
uses BIND 9.9.1-P3, is public-facing, and does recursive lookups (it is also
authoritative). Now that that's out of the way, I'm looking at/thinking of
ways to prevent this, obviously. This isn't causing a problem on a 100Mb
link now, but it could get there quickly. As far as I know I don't have a
lot of options, maybe iptables with some sort of limiting. ACLs would
normally help, and would be perfect if I could get BIND to use a SQL
database as the backend and use that as a whitelist, to at least
mitigate the issue. If anyone has experience on the subject or an idea,
it is much appreciated.

Regards,
Paul
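
[Editor's note: added example, not part of Paul's post.] The pattern Paul describes (the same client address asking for ripe.net IN ANY over and over, a large DNSSEC-signed response per tiny query) is the classic reflection/amplification signature, and the first thing to do is measure it from the query log before reaching for iptables. The Python below scans BIND 9 query-log lines in the usual "client IP#port: query: NAME IN TYPE" shape (the sample lines and addresses are constructed for this example), keeps a per-client sliding window of ANY queries, skips clients in a small allowlist of prefixes (standing in for the SQL-backed whitelist mentioned above), reports which names are being used, and formats DROP rules for the offenders. Names, thresholds and prefixes are illustrative assumptions, not anything from the original mail or from BIND.

```python
"""Flag clients that repeatedly send DNS ANY queries, from a BIND query log.

Example written for this thread; the log lines, addresses and thresholds are
constructed for illustration and are not from the original post.
"""
import re
import ipaddress
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of BIND 9's "queries" log channel.
SAMPLE_LOG = """\
17-Sep-2012 14:10:00.001 client 198.51.100.7#53: query: ripe.net IN ANY + (203.0.113.5)
17-Sep-2012 14:10:00.120 client 198.51.100.7#53: query: ripe.net IN ANY + (203.0.113.5)
17-Sep-2012 14:10:00.250 client 198.51.100.7#53: query: ripe.net IN ANY + (203.0.113.5)
17-Sep-2012 14:10:00.400 client 198.51.100.7#53: query: ripe.net IN ANY + (203.0.113.5)
17-Sep-2012 14:10:00.510 client 198.51.100.7#53: query: ripe.net IN ANY + (203.0.113.5)
17-Sep-2012 14:10:00.640 client 198.51.100.7#53: query: ripe.net IN ANY + (203.0.113.5)
17-Sep-2012 14:10:01.010 client 192.0.2.33#40123: query: www.example.com IN A + (203.0.113.5)
17-Sep-2012 14:10:01.300 client 10.0.0.5#52011: query: ripe.net IN ANY + (203.0.113.5)
17-Sep-2012 14:10:01.320 client 10.0.0.5#52011: query: ripe.net IN ANY + (203.0.113.5)
17-Sep-2012 14:10:01.340 client 10.0.0.5#52011: query: ripe.net IN ANY + (203.0.113.5)
17-Sep-2012 14:10:01.360 client 10.0.0.5#52011: query: ripe.net IN ANY + (203.0.113.5)
17-Sep-2012 14:10:01.380 client 10.0.0.5#52011: query: ripe.net IN ANY + (203.0.113.5)
17-Sep-2012 14:10:01.400 client 10.0.0.5#52011: query: ripe.net IN ANY + (203.0.113.5)
17-Sep-2012 14:10:02.000 client 203.0.113.77#53: query: ripe.net IN ANY + (203.0.113.5)
17-Sep-2012 14:10:02.100 client 203.0.113.77#53: query: isc.org IN ANY + (203.0.113.5)
17-Sep-2012 14:10:30.000 client 203.0.113.77#53: query: ripe.net IN ANY + (203.0.113.5)
"""

# Assumed allowlist (stands in for the SQL-backed whitelist idea): clients inside
# these prefixes are never flagged, e.g. your own recursive clients.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, port, qname, qtype), or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"], int(m["port"]), m["qname"], m["qtype"]


def is_allowlisted(ip, allowlist=ALLOWLIST):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def find_any_abusers(log_text, window=timedelta(seconds=2), threshold=5, allowlist=ALLOWLIST):
    """Return {client_ip: peak ANY queries seen inside one window} for clients over threshold.

    A per-client deque holds timestamps of recent ANY queries; entries older than
    `window` are evicted before counting, so a handful of ANY queries spread over
    minutes (203.0.113.77 in the sample) is not flagged, while a burst is.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _port, _qname, qtype = parsed
        if qtype != "ANY" or is_allowlisted(ip, allowlist):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def any_query_names(log_text):
    """Count which names are requested with QTYPE ANY (the reflector's chosen payload)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[4] == "ANY":
            counts[parsed[3]] += 1
    return counts


def iptables_drop_rules(abusers):
    """Format one DROP rule per flagged client. Strings only; nothing is executed here."""
    return [f"iptables -I INPUT -p udp --dport 53 -s {ip} -j DROP" for ip in sorted(abusers)]


if __name__ == "__main__":
    abusers = find_any_abusers(SAMPLE_LOG)
    for ip, peak in abusers.items():
        print(f"{ip}: {peak} ANY queries inside a 2s window")
    print(any_query_names(SAMPLE_LOG).most_common(3))
    print("\n".join(iptables_drop_rules(abusers)))
```

Two caveats before feeding that output into a firewall. First, in a reflection attack the "client" address in the log is the spoofed victim, not the attacker; dropping it stops this server from contributing to the flood against that victim, which is worthwhile, but the attacker simply spoofs another address. Second, restricting recursion to your own clients (an `allow-recursion` ACL in named.conf) removes the bulk of the abuse, but an authoritative server still has to answer queries for its own zones from anyone, which is what BIND's Response Rate Limiting (the `rate-limit` option block, shipped from BIND 9.9.4 as a compile-time option and enabled by default in 9.10) is designed for; 9.9.1-P3 predates it.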
