
how to defend against DDoS attacks on DNS?


MontyRee

Nov 16, 2009, 7:55:19 PM
to bind-...@isc.org

Hello, all.


I have operated some DNS servers and I'm curious what I should do if
there is a DDoS attack on my DNS servers.

So do you know how to defend against a DNS DDoS attack, like the root servers do?

Surely, various DDoS attacks may occur.

My idea is..


-. filtering 53/udp traffic larger than 512 bytes
-. rate-limiting 53/udp queries
(but useless if the attack spoofs the source IP)
-. deny recursion
-. anycast?


Are there any comments or proposals?


Thanks in advance.





Mark Andrews

Nov 16, 2009, 8:19:53 PM
to MontyRee, bind-...@isc.org

In message <BLU149-W13EF74E1E...@phx.gbl>, MontyRee writes:
>
> Hello, all.
>
> I have operated some DNS servers and I'm curious what I should do if
> there is a DDoS attack on my DNS servers.
>
> So do you know how to defend against a DNS DDoS attack, like the root servers do?
>
> Surely, various DDoS attacks may occur.
>
> My idea is..
>
> -. filtering 53/udp traffic larger than 512 bytes
> -. rate-limiting 53/udp queries
> (but useless if the attack spoofs the source IP)
> -. deny recursion
> -. anycast?
>
> Are there any comments or proposals?

How you defend against a DoS attack depends on the actual attack
and what services you are attempting to provide and to whom. You
want to minimise collateral damage and some of the methods above
are likely to introduce collateral damage.

> Thanks in advance.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

MontyRee

Nov 20, 2009, 5:14:59 PM
to ma...@isc.org, bind-...@isc.org



Hello,
I tested a DNS DoS tool, dnstest (http://www.trsecurity.net/dnstest/).
This program generates
(1) lots of queries, (2) randomly chosen query names, and (3) source IPs that can be spoofed towards the destination.
Below is an example (192.168.198.17 is the victim):

07:09:11.658811 IP 167.187.119.211.4500> 192.168.198.17.domain:  2+ A? www.aocddv.biz. (32)
07:09:11.775809 IP 206.140.182.86.1233> 192.168.198.17.domain:  2+ A? www.bvthus.org. (32)
07:09:11.891780 IP 157.160.17.164.3454> 192.168.198.17.domain:  2+ A? www.oftinx.net. (32)
07:09:12.008021 IP 27.71.230.67.56566> 192.168.198.17.domain:  2+ A? www.nnqsts.net. (32)
07:09:12.123998 IP 202.193.203.54.1320> 192.168.198.17.domain:  2+ A? www.lpdbxs.biz. (32)
07:09:12.240545 IP 217.53.229.167.22211> 192.168.198.17.domain:  2+ A? www.ahnxuj.biz. (32)
07:09:12.357514 IP 208.133.39.51.435435> 192.168.198.17.domain:  2+ A? www.sdhvmu.org. (32)
07:09:12.472896 IP 80.168.228.221.5464> 192.168.198.17.domain:  2+ A? www.juewou.com. (32)
07:09:12.705161 IP 217.198.77.156.1223> 192.168.198.17.domain:  2+ A? www.vgxaex.org. (32)

My question is:
if there are lots of queries like the above, how can I defend against the attack? I think that just denying recursion is not sufficient.
Please share your experiences and opinions.

Thanks.



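The trace quoted in the post above carries three signals a defender can score directly from a packet capture: almost every query is for a different name, each source address sends exactly one query (what you would expect from spoofed sources), and every packet carries the same transaction id. The following Python script is an added example, not code from this thread, from dnstest or from BIND. It parses tcpdump lines in the format pasted above (including a paste that has run together onto one line), computes those three ratios over a window of queries and reports whether the window looks like a random-name flood. The sample traces are constructed (documentation-range addresses) and the thresholds are assumptions to tune against your own normal traffic.

```python
import re
from collections import Counter

# Matches one DNS query line in the tcpdump format quoted in the thread, e.g.
#   07:09:11.658811 IP 203.0.113.11.4500 > 192.0.2.53.domain: 2+ A? www.aocddv.biz. (32)
# "1.2.3.4.4500>" without the surrounding spaces (as pasted above) is accepted too.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?:domain|53):\s+"
    r"(?P<txid>\d+)\+?\s+(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)\s+\((?P<length>\d+)\)$"
)


def split_concatenated(text):
    """Recover individual packet lines from a paste where tcpdump output has run
    together onto one line: each record starts with a timestamp and ends with
    the '(length)' field."""
    return re.findall(r"\d{2}:\d{2}:\d{2}\.\d+ IP .*?\(\d+\)", text)


def parse_line(line):
    """Return a dict describing one query line, or None if it is not a query line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["txid"] = int(rec["txid"])
    rec["length"] = int(rec["length"])
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def analyze(lines, min_queries=8):
    """Score a window of query lines for the flood pattern in the thread: many
    distinct names, one query per (spoofed) source and an unchanging transaction
    id. All thresholds below are assumptions, not values from the thread."""
    recs = [r for r in map(parse_line, lines) if r]
    report = {"queries": len(recs), "indicators": [], "flood": False}
    if len(recs) < min_queries:
        report["verdict"] = "too few queries to judge"
        return report

    n = len(recs)
    sources = Counter(r["src"] for r in recs)
    names = Counter(r["qname"] for r in recs)
    txids = Counter(r["txid"] for r in recs)
    top_txid, top_txid_count = txids.most_common(1)[0]
    report.update(
        sources=len(sources),
        unique_name_ratio=len(names) / n,
        queries_per_source=n / len(sources),
        top_txid=top_txid,
        txid_share=top_txid_count / n,
    )
    if report["unique_name_ratio"] >= 0.9:
        report["indicators"].append("almost every query is for a different name")
    if report["queries_per_source"] <= 1.2 and len(sources) >= min_queries:
        report["indicators"].append("about one query per source address (consistent with spoofed sources)")
    if report["txid_share"] >= 0.5 and len(sources) > 1:
        report["indicators"].append(
            f"{report['txid_share']:.0%} of queries share transaction id {top_txid} across different sources")
    report["flood"] = len(report["indicators"]) >= 2
    report["verdict"] = "random-name flood" if report["flood"] else "looks like normal query traffic"
    return report


# Constructed sample: the pattern from the thread, rewritten onto documentation-range addresses.
ATTACK_SAMPLE = [
    "07:09:11.658811 IP 203.0.113.11.4500 > 192.0.2.53.domain: 2+ A? www.aocddv.biz. (32)",
    "07:09:11.775809 IP 198.51.100.86.1233 > 192.0.2.53.domain: 2+ A? www.bvthus.org. (32)",
    "07:09:11.891780 IP 203.0.113.164.3454 > 192.0.2.53.domain: 2+ A? www.oftinx.net. (32)",
    "07:09:12.008021 IP 198.51.100.67.56566 > 192.0.2.53.domain: 2+ A? www.nnqsts.net. (32)",
    "07:09:12.123998 IP 203.0.113.54.1320 > 192.0.2.53.domain: 2+ A? www.lpdbxs.biz. (32)",
    "07:09:12.240545 IP 198.51.100.167.22211 > 192.0.2.53.domain: 2+ A? www.ahnxuj.biz. (32)",
    "07:09:12.357514 IP 203.0.113.51.4354 > 192.0.2.53.domain: 2+ A? www.sdhvmu.org. (32)",
    "07:09:12.472896 IP 198.51.100.221.5464 > 192.0.2.53.domain: 2+ A? www.juewou.com. (32)",
    "07:09:12.705161 IP 203.0.113.156.1223 > 192.0.2.53.domain: 2+ A? www.vgxaex.org. (32)",
    "07:09:12.821900 IP 198.51.100.33.2001 > 192.0.2.53.domain: 2+ A? www.qmrtaz.com. (32)",
]

# Constructed sample: two resolvers repeatedly asking for a few real names with random ids.
BENIGN_SAMPLE = [
    "07:10:01.000101 IP 198.51.100.7.53412 > 192.0.2.53.domain: 41237+ A? www.example.com. (33)",
    "07:10:01.000202 IP 198.51.100.8.40911 > 192.0.2.53.domain: 9041+ AAAA? www.example.com. (33)",
    "07:10:01.000303 IP 198.51.100.7.53412 > 192.0.2.53.domain: 41238+ A? mail.example.com. (34)",
    "07:10:01.000404 IP 198.51.100.8.40911 > 192.0.2.53.domain: 9042+ A? ns1.example.net. (33)",
    "07:10:01.000505 IP 198.51.100.7.53412 > 192.0.2.53.domain: 41239+ A? www.example.com. (33)",
    "07:10:01.000606 IP 198.51.100.8.40911 > 192.0.2.53.domain: 9043+ MX? mail.example.com. (34)",
    "07:10:01.000707 IP 198.51.100.7.53412 > 192.0.2.53.domain: 41240+ A? ns1.example.net. (33)",
    "07:10:01.000808 IP 198.51.100.8.40911 > 192.0.2.53.domain: 9044+ A? www.example.com. (33)",
    "07:10:01.000909 IP 198.51.100.7.53412 > 192.0.2.53.domain: 41241+ A? mail.example.com. (34)",
    "07:10:01.001010 IP 198.51.100.8.40911 > 192.0.2.53.domain: 9045+ A? ns1.example.net. (33)",
    "07:10:01.001111 IP 198.51.100.7.53412 > 192.0.2.53.domain: 41242+ AAAA? www.example.com. (33)",
    "07:10:01.001212 IP 198.51.100.8.40911 > 192.0.2.53.domain: 9046+ A? mail.example.com. (34)",
]

if __name__ == "__main__":
    for label, sample in (("attack", ATTACK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = analyze(sample)
        print(f"{label}: {r['verdict']}; indicators: {r['indicators']}")
```

Run the script as is to see both verdicts, or feed it `split_concatenated(pasted_text)` for a capture that has lost its line breaks. The shared transaction id is the cheapest of the three signals to act on (a single packet-filter rule can match it), but it is also the one a different tool would not necessarily reproduce, which is why the verdict requires two indicators rather than one.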
Bryan Irvine

Nov 21, 2009, 12:14:15 AM
to MontyRee, bind-...@isc.org
Basically, you have to have a big enough server/cluster of servers to
absorb an attack.

No real defense against distributed DoS.


big bond

Nov 21, 2009, 9:26:28 AM
to bind-...@isc.org
We use Cisco Detector+Guard to protect our network infrastructure from network-level attacks. It's quite expensive, of course, but you may ask your upstream provider whether it has such a service called "DDoS Protection" or something.
