how to defense against ddos attack to dns?
chulmin2 at hotmail.com
Fri Nov 20 22:14:59 UTC 2009
I tested some DNS DoS tools like dnstest (http://www.trsecurity.net/dnstest/).
This program generates
(1) lots of queries, (2) the queried domains are random, (3) the source IP can be spoofed to the destination.
Below is an example (192.168.198.17 is the victim):
07:09:11.658811 IP 188.8.131.52.4500> 192.168.198.17.domain: 2+ A? www.aocddv.biz. (32)
07:09:11.775809 IP 184.108.40.206.1233> 192.168.198.17.domain: 2+ A? www.bvthus.org. (32)
07:09:11.891780 IP 220.127.116.11.3454> 192.168.198.17.domain: 2+ A? www.oftinx.net. (32)
07:09:12.008021 IP 18.104.22.168.56566> 192.168.198.17.domain: 2+ A? www.nnqsts.net. (32)
07:09:12.123998 IP 22.214.171.124.1320> 192.168.198.17.domain: 2+ A? www.lpdbxs.biz. (32)
07:09:12.240545 IP 126.96.36.199.22211> 192.168.198.17.domain: 2+ A? www.ahnxuj.biz. (32)
07:09:12.357514 IP 188.8.131.52.435435> 192.168.198.17.domain: 2+ A? www.sdhvmu.org. (32)
07:09:12.472896 IP 184.108.40.206.5464> 192.168.198.17.domain: 2+ A? www.juewou.com. (32)
07:09:12.705161 IP 220.127.116.11.1223> 192.168.198.17.domain: 2+ A? www.vgxaex.org. (32)
My question is:
if there are lots of queries like the above, how can I defend against the attack? I think that just denying recursion is not sufficient.
Please share your experiences and opinions.
> To: chulmin2 at hotmail.com
> CC: bind-users at isc.org
> From: marka at isc.org
> Subject: Re: how to defense against ddos attack to dns?
> Date: Tue, 17 Nov 2009 12:19:53 +1100
> In message <BLU149-W13EF74E1E2EBA2FE9DD3F385A40 at phx.gbl>, MontyRee writes:
>> Hello, all.
>> I have operated some dns servers and I'm curious what should I do if
>> ddos attack to my dns servers.
>> So do you know how to defense against dns ddos attack like root server?
>> Surely, various ddos attack may be occurred.
>> My idea is..
>> -. filtering 53/udp traffic that the byte is over 512 byte
>> -. rate-limit against 53/udp queries
>> (but useless if the attack spoof the source ip)
>> -. deny recursion
>> -. anycast?
>> Is there any comments or proposal?
> How you defend against a DoS attack depends on the actual attack
> and what services you are attempting to provide and to whom. You
> want to minimise collateral damage and some of the methods above
> are likely to introduce collateral damage.
>> Thanks in advance.
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
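Added example, not part of the original message: a small detector for the traffic pattern shown in the tcpdump capture above, where within a short window nearly every query to one server carries a name never seen before and comes from a source never seen before. The sample lines are constructed (documentation addresses, made-up names), and the window size and thresholds are assumptions to be tuned against a server's normal load.

```python
import re
from collections import defaultdict

# tcpdump -n DNS query line: "HH:MM:SS.frac IP src.port > dst.domain: id+ TYPE? name. (len)"
# The space before ">" is optional because the capture above lost it in extraction.
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ ?> "
    r"(\d+\.\d+\.\d+\.\d+)\.(?:domain|53): \d+[+%*-]* (\w+)\? (\S+?)\.? \(\d+\)"
)

def parse(line):
    """Return (seconds_since_midnight, src_ip, dst_ip, qname) or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    h, mi, s, src, dst, _qtype, qname = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src, dst, qname.lower()

def detect(lines, window=10, min_queries=8, ratio=0.9):
    """Flag (dst, window) buckets where nearly every query has a new name AND a new source."""
    buckets = defaultdict(lambda: {"n": 0, "names": set(), "srcs": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not a DNS query line
        ts, src, dst, qname = rec
        b = buckets[(dst, ts // window)]
        b["n"] += 1
        b["names"].add(qname)
        b["srcs"].add(src)
    alerts = []
    for (dst, win), b in sorted(buckets.items()):
        if (b["n"] >= min_queries
                and len(b["names"]) / b["n"] >= ratio
                and len(b["srcs"]) / b["n"] >= ratio):
            alerts.append((dst, win * window, b["n"], len(b["names"]), len(b["srcs"])))
    return alerts

# Constructed sample input (documentation addresses, made-up names), not captured traffic.
LABELS = ["qkzpdv", "bvmhus", "ofwinx", "nrqsta", "lpdbxe",
          "ahnxuj", "sdhvmu", "juewou", "vgxaex", "trmcoy"]
FLOOD = [f"07:09:1{i}.658811 IP 198.51.100.{i + 1}.{4500 + i} > 192.0.2.53.domain: "
         f"2+ A? www.{lab}.example. (32)" for i, lab in enumerate(LABELS)]
NORMAL = [f"07:20:0{i}.120000 IP 198.51.100.{200 + i % 2}.5353 > 192.0.2.53.domain: "
          f"2+ A? www.example.com. (32)" for i in range(10)]

if __name__ == "__main__":
    for alert in detect(FLOOD + NORMAL):
        print("possible random-name query flood:", alert)
```

Each alert is (server, window start in seconds since midnight, queries, distinct names, distinct sources); the repeated-name traffic in `NORMAL` stays below the ratio and is not flagged.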