DNS Flood -- Help!

Simon Waters Simon at wretched.demon.co.uk
Wed Jan 9 00:46:56 UTC 2002


Kevin Darcy wrote:
> 
> None of those stop named from _responding_ to the queries.

If they are genuinely victims of the attack described it isn't
really a DNS issue but a DDoS issue.

The attack described results in "answers" hitting the target
machine, not "queries"!

More likely the server is being used to join in such an attack
against someone else. In which case the answers given so far are
correct.

If you are the genuine victim of the attack you may be able to
mitigate the attack by only allowing traffic to port 53 of
the authoritative name servers at the edges of your network (most
routers will do this). As the scripts say, a variety of source
ports will be used, but nameservers only need to have 53 open.
Obviously if the attacker spots this he can modify the code, but
he has limited ability to spot this, and the solution doesn't
scale (hence mitigate, not solve).

Some packet inspection technology can distinguish queries and
answers (One even checks that answers belong to genuine queries)
- but that is likely only to move the problem back to the
firewalls (if any). You could list the servers being used in the
attack - but asking these admins for help might be a never-ending
task.

If you are being used as an amplifier - please do let the real
victims know you fixed your DNS - they probably need some good
news right now!


More information about the bind-users mailing list
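The query/answer distinction the post describes (the QR bit in the DNS header, plus checking that an answer belongs to a query you actually sent) as an added stateful-inspection example; this is illustrative code written for this page, not anything from the poster or from BIND. The packets are constructed inline, and the question-name parser assumes no compression pointers in the question section.

```python
import struct
from collections import defaultdict


def parse_dns(payload: bytes):
    """Return (id, is_response, qname) from a raw DNS message (header + first question)."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    ident, flags, qdcount = struct.unpack("!HHH", payload[:6])
    is_response = bool(flags & 0x8000)  # QR bit: 0 = query, 1 = response
    labels, pos = [], 12
    while qdcount:
        n = payload[pos]
        if n == 0:
            break
        if n & 0xC0:  # compression pointer; assumed absent in the question section
            raise ValueError("compressed qname in question")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ident, is_response, ".".join(labels).lower()


class DnsStateTracker:
    """An answer is only 'genuine' if it matches a query seen leaving towards that server."""

    def __init__(self):
        self.outstanding = set()          # (server, client, id, qname) of queries in flight
        self.counts = defaultdict(int)    # verdict -> number of packets

    def observe(self, src: str, dst: str, payload: bytes) -> str:
        ident, is_response, qname = parse_dns(payload)
        if not is_response:
            self.outstanding.add((dst, src, ident, qname))
            verdict = "query"
        elif (src, dst, ident, qname) in self.outstanding:
            self.outstanding.discard((src, dst, ident, qname))
            verdict = "answer"
        else:
            verdict = "unsolicited-answer"  # reflected flood traffic looks like this
        self.counts[verdict] += 1
        return verdict


def build_dns(ident: int, is_response: bool, qname: str) -> bytes:
    """Construct a minimal DNS message (one A question, no records) for the demo."""
    flags = 0x8180 if is_response else 0x0100
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)
```

A rising `unsolicited-answer` count at a site's edge is the signature of the reflected flood described above, while a resolver that is being abused as an amplifier shows the opposite pattern (queries arriving for names it never needs to answer).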