DNS Amplification Attack and different results in bind 9.6/9.7

Euiho Kim leokim111 at gmail.com
Mon Nov 14 18:51:52 UTC 2011

Hi, I wrote email 1 days ago (subject name: DDoS attack and difference
actions in bind 9.6 / 9.7)

But I wonder mail could not approach to your mailbox, so I request support

First, Recently “isc.org ANY” DDoS Attack is frequently generated in our
DNS System (recursive Cache DNS)

Query type is “ANY” and I think it may be DNS Amplification Attack.

It is affecting all region in Korea, and query traffic (pps) sometimes
exceeds 160K.

Source IP’s are variable, Spoofed or infected clients.

Anyway, I have 3 questioned about this.

1.     If I solve this problem (burst isc.org “ANY” query – Amplication

Any better idea or case of blocking attack at other sites?

2.     Curiosly, I found 2 different query result of “isc.org ANY”

In bind-9.6 installed server, response query rcvd msg size is 600~700 byte,

But bind-9.7, response rcvd msg size is 3100~3400 byte(large size), It
includes lots of DNSSEC RRSet.

Why response msg sizes are different depending on systems?

3.     I monitored DNS traffic after attack disappeared.

It seems that Bind-9.6 servers replied all about “ISC ANY” query,

But Bind-9.7 servers almost ignored them.

I read new features of bind-9.7 doc and RELEASE-FILE.

But there were no reports preventing above attack (sort of generating large
response packet)

I have read once about preventing large RRSIG in negative query, but I
think it’s different situation compare of that.

If you know the features in bind-9.7 related to above (ignore reply),
please tell us.

Best regards,

Euiho Kim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20111115/db36b651/attachment.html>

More information about the bind-users mailing list