how to defend against ddos attack to dns?
MontyRee
chulmin2 at hotmail.com
Fri Nov 20 22:14:59 UTC 2009
Hello,
I tested a DNS DoS tool, dnstest (http://www.trsecurity.net/dnstest/).
This program generates:
(1) lots of queries; (2) the queried domains are random; (3) the source IP can be spoofed.
Below is an example (192.168.198.17 is the victim):

07:09:11.658811 IP 167.187.119.211.4500 > 192.168.198.17.domain: 2+ A? www.aocddv.biz. (32)
07:09:11.775809 IP 206.140.182.86.1233 > 192.168.198.17.domain: 2+ A? www.bvthus.org. (32)
07:09:11.891780 IP 157.160.17.164.3454 > 192.168.198.17.domain: 2+ A? www.oftinx.net. (32)
07:09:12.008021 IP 27.71.230.67.56566 > 192.168.198.17.domain: 2+ A? www.nnqsts.net. (32)
07:09:12.123998 IP 202.193.203.54.1320 > 192.168.198.17.domain: 2+ A? www.lpdbxs.biz. (32)
07:09:12.240545 IP 217.53.229.167.22211 > 192.168.198.17.domain: 2+ A? www.ahnxuj.biz. (32)
07:09:12.357514 IP 208.133.39.51.435435 > 192.168.198.17.domain: 2+ A? www.sdhvmu.org. (32)
07:09:12.472896 IP 80.168.228.221.5464 > 192.168.198.17.domain: 2+ A? www.juewou.com. (32)
07:09:12.705161 IP 217.198.77.156.1223 > 192.168.198.17.domain: 2+ A? www.vgxaex.org. (32)
My question is:
if there are lots of queries like the above, how can I defend against the attack? I think that just denying recursion is not sufficient.
Please share your experiences and opinions.
Thanks.
> To: chulmin2 at hotmail.com
> CC: bind-users at isc.org
> From: marka at isc.org
> Subject: Re: how to defend against ddos attack to dns?
> Date: Tue, 17 Nov 2009 12:19:53 +1100
>
>
> In message <BLU149-W13EF74E1E2EBA2FE9DD3F385A40 at phx.gbl>, MontyRee writes:
>>
>> Hello, all.
>>
>> I have operated some DNS servers and I'm curious what I should do if
>> there is a DDoS attack on my DNS servers.
>>
>> So do you know how to defend against a DNS DDoS attack, like the root servers do?
>>
>> Surely, various DDoS attacks may occur.
>>
>> My ideas are:
>>
>> -. filtering 53/udp traffic where the packet is over 512 bytes
>> -. rate-limiting 53/udp queries
>> (but useless if the attack spoofs the source IP)
>> -. denying recursion
>> -. anycast?
>>
>> Are there any comments or proposals?
>
> How you defend against a DoS attack depends on the actual attack
> and what services you are attempting to provide and to whom. You
> want to minimise collateral damage and some of the methods above
> are likely to introduce collateral damage.
>
>> Thanks in advance.
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
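The capture in the post has a recognisable shape: every query comes from a different source, every name is different, and the names never repeat. The script below is an added example, not something from the original post or from ISC; it parses tcpdump lines in the format shown above and scores each one-second window on query rate and the fraction of names that are unique, and it also reports what a per-source rate limit would see in the same window. The sample log, the thresholds (8 qps, 90% unique names, 5 queries per source) and the function names are all constructed for illustration; the nine flood lines reuse the names and addresses from the post, squeezed into one second, and a second of ordinary-looking traffic is added for contrast.

```python
"""Detect a random-name DNS query flood in tcpdump-style log lines.

Added example, not code from the original post. It scores each one-second
window on (a) queries per second, (b) the share of distinct query names and
(c) the busiest single source, so the reader can compare a rate-based,
name-based detector with a per-source limit on the same traffic.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Shape of the lines in the post:
#   HH:MM:SS.ffffff IP src.port > dst.domain: id+ QTYPE? name. (len)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+)\.\d+ > "
    r"(?P<dst>[\d.]+)\.domain: \d+\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \(\d+\)$"
)

# Constructed sample: the post's nine queries moved into one second (07:09:11),
# followed by a second of ordinary traffic (07:09:13) from three real clients.
SAMPLE_LOG = """\
07:09:11.100001 IP 167.187.119.211.4500 > 192.168.198.17.domain: 2+ A? www.aocddv.biz. (32)
07:09:11.200002 IP 206.140.182.86.1233 > 192.168.198.17.domain: 2+ A? www.bvthus.org. (32)
07:09:11.300003 IP 157.160.17.164.3454 > 192.168.198.17.domain: 2+ A? www.oftinx.net. (32)
07:09:11.400004 IP 27.71.230.67.56566 > 192.168.198.17.domain: 2+ A? www.nnqsts.net. (32)
07:09:11.500005 IP 202.193.203.54.1320 > 192.168.198.17.domain: 2+ A? www.lpdbxs.biz. (32)
07:09:11.600006 IP 217.53.229.167.22211 > 192.168.198.17.domain: 2+ A? www.ahnxuj.biz. (32)
07:09:11.700007 IP 208.133.39.51.43543 > 192.168.198.17.domain: 2+ A? www.sdhvmu.org. (32)
07:09:11.800008 IP 80.168.228.221.5464 > 192.168.198.17.domain: 2+ A? www.juewou.com. (32)
07:09:11.900009 IP 217.198.77.156.1223 > 192.168.198.17.domain: 2+ A? www.vgxaex.org. (32)
07:09:13.010000 IP 10.0.0.5.53012 > 192.168.198.17.domain: 11+ A? www.example.com. (33)
07:09:13.020000 IP 10.0.0.5.53013 > 192.168.198.17.domain: 12+ A? mail.example.com. (34)
07:09:13.030000 IP 10.0.0.7.40001 > 192.168.198.17.domain: 3+ A? www.example.com. (33)
07:09:13.040000 IP 10.0.0.5.53014 > 192.168.198.17.domain: 13+ A? www.example.com. (33)
07:09:13.050000 IP 10.0.0.9.61000 > 192.168.198.17.domain: 7+ A? mail.example.com. (34)
07:09:13.060000 IP 10.0.0.7.40002 > 192.168.198.17.domain: 4+ A? www.example.org. (33)
"""


@dataclass
class Query:
    second: str   # HH:MM:SS, the one-second bucket the query falls in
    src: str
    dst: str
    qtype: str
    qname: str


def parse_line(line):
    """Return a Query for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Query(m["ts"], m["src"], m["dst"], m["qtype"], m["qname"].lower())


def parse_log(text):
    return [q for q in (parse_line(l) for l in text.splitlines()) if q]


def window_stats(queries):
    """Per-second statistics: rate, name diversity, source diversity, busiest source."""
    by_second = defaultdict(list)
    for q in queries:
        by_second[q.second].append(q)
    stats = {}
    for sec, qs in sorted(by_second.items()):
        n = len(qs)
        srcs = Counter(q.src for q in qs)
        names = Counter(q.qname for q in qs)
        stats[sec] = {
            "qps": n,
            "unique_name_ratio": len(names) / n,
            "unique_src_ratio": len(srcs) / n,
            "max_per_src": max(srcs.values()),
        }
    return stats


def flag_flood_windows(stats, qps_threshold=8, name_ratio=0.9):
    """Windows that are both busy and dominated by never-repeating names.

    Thresholds are toy values for the sample; a production server would use
    rates orders of magnitude higher, tuned to its own baseline.
    """
    return {sec: s for sec, s in stats.items()
            if s["qps"] >= qps_threshold and s["unique_name_ratio"] >= name_ratio}


def per_source_limit_hits(stats, per_src_limit=5):
    """Windows in which a naive per-source rate limit would have fired."""
    return {sec: s for sec, s in stats.items() if s["max_per_src"] > per_src_limit}


if __name__ == "__main__":
    stats = window_stats(parse_log(SAMPLE_LOG))
    for sec, s in stats.items():
        print(sec, s)
    print("flood windows:", sorted(flag_flood_windows(stats)))
    print("per-source limit hits:", sorted(per_source_limit_hits(stats)))
```

Run against the sample, the 07:09:11 window is flagged by the rate-plus-uniqueness rule, while the per-source limit fires nowhere because no spoofed source ever sends a second query; the quiet 07:09:13 window, where three clients re-ask for the same two names, trips neither rule. That is the practical gap between counting per client and counting per window that the poster's own list touches on.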