DNS Amplification Attack and different results in bind 9.6/9.7
leokim111 at gmail.com
Mon Nov 14 18:51:52 UTC 2011
Hi, I wrote an email 1 day ago (subject name: DDoS attack and difference
actions in bind 9.6 / 9.7)
But I wonder whether the mail reached your mailbox, so I request support.
First, recently an “isc.org ANY” DDoS attack is frequently generated in our
DNS system (recursive cache DNS).
The query type is “ANY” and I think it may be a DNS amplification attack.
It is affecting all regions in Korea, and query traffic (pps) sometimes
Source IPs are variable, spoofed or infected clients.
Anyway, I have 3 questions about this.
1. If I solve this problem (burst isc.org “ANY” query – Amplification
Any better idea or case of blocking the attack at other sites?
2. Curiously, I found 2 different query results for “isc.org ANY”.
On a bind-9.6 installed server, the response rcvd msg size is 600~700 bytes,
but on bind-9.7, the response rcvd msg size is 3100~3400 bytes (large size); it
includes lots of DNSSEC RRsets.
Why are the response msg sizes different depending on the system?
3. I monitored DNS traffic after the attack disappeared.
It seems that bind-9.6 servers replied to all “ISC ANY” queries,
but bind-9.7 servers almost ignored them.
I read the new features of the bind-9.7 doc and RELEASE-FILE.
But there were no reports preventing the above attack (sort of generating large
I have read once about preventing large RRSIG in negative queries, but I
think it’s a different situation compared to that.
If you know the features in bind-9.7 related to the above (ignoring replies),
please tell us.
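As an added illustration (not part of the original post or of BIND itself) of how a resolver operator could spot the “isc.org ANY” flood described above in BIND's query log and quantify why the bind-9.7 responses matter more: the script below parses constructed `query:` log lines, counts ANY queries per source address, and computes the payload-level amplification factor from the request size and the 600~700 / 3100~3400 byte response sizes the post reports. The log lines, addresses and threshold are constructed sample values; the 11-byte EDNS OPT record size is an assumption for a query carrying no options.

```python
import re
from collections import Counter

# Constructed BIND querylog lines (sample data, not from the original post).
# Format: client <ip>#<port>: query: <name> IN <qtype> <flags> (<server-ip>)
# flags: '+' recursion desired, 'E' EDNS present, 'D' DNSSEC OK (DO) bit set
SAMPLE_LOG = """\
14-Nov-2011 18:40:01.001 client 203.0.113.7#53210: query: isc.org IN ANY +ED (198.51.100.1)
14-Nov-2011 18:40:01.002 client 203.0.113.7#53211: query: isc.org IN ANY +ED (198.51.100.1)
14-Nov-2011 18:40:01.003 client 203.0.113.7#53212: query: isc.org IN ANY +ED (198.51.100.1)
14-Nov-2011 18:40:01.004 client 203.0.113.7#53213: query: isc.org IN ANY +ED (198.51.100.1)
14-Nov-2011 18:40:01.005 client 203.0.113.7#53214: query: isc.org IN ANY +ED (198.51.100.1)
14-Nov-2011 18:40:01.010 client 192.0.2.25#40001: query: www.example.com IN A + (198.51.100.1)
14-Nov-2011 18:40:01.011 client 192.0.2.25#40002: query: isc.org IN ANY +ED (198.51.100.1)
14-Nov-2011 18:40:01.012 client 192.0.2.30#40003: query: mail.example.net IN MX +E (198.51.100.1)
"""

QUERY_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")

def parse_queries(log_text):
    """Return one dict (src, name, qtype, flags) per recognised 'query:' log line."""
    return [m.groupdict() for m in map(QUERY_RE.search, log_text.splitlines()) if m]

def any_query_sources(records, threshold):
    """Sources that sent at least `threshold` ANY queries, as {src: count}."""
    counts = Counter(r["src"] for r in records if r["qtype"] == "ANY")
    return {src: n for src, n in counts.items() if n >= threshold}

def qname_wire_length(name):
    """Wire-format length of a domain name: a length byte per label plus the root byte."""
    labels = [lb for lb in name.rstrip(".").split(".") if lb]
    return sum(1 + len(lb) for lb in labels) + 1

def amplification_factor(qname, response_bytes, edns=True):
    """Response size / request size at the DNS payload layer.
    Request = 12-byte header + QNAME + QTYPE/QCLASS (4) + optional 11-byte OPT RR (assumed)."""
    request_bytes = 12 + qname_wire_length(qname) + 4 + (11 if edns else 0)
    return response_bytes / request_bytes

if __name__ == "__main__":
    recs = parse_queries(SAMPLE_LOG)
    for src, n in any_query_sources(recs, threshold=3).items():
        print(f"{src}: {n} ANY queries")
    # 700 and 3400 bytes are the reply sizes the post reports for bind 9.6 and 9.7
    print(f"9.6-style reply x{amplification_factor('isc.org', 700):.1f}, "
          f"9.7-style reply x{amplification_factor('isc.org', 3400):.1f}")
```

Run against a real `querylog` file, the same per-source ANY count (taken over a short time window) is the signal worth alerting on, and the amplification factor shows that a DNSSEC-laden 3400-byte reply to a 36-byte query returns roughly 94 times the traffic it receives.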