Avoiding being used as DDoS reflector.

Chris Buxton cbuxton at menandmice.com
Mon Jan 19 17:49:44 UTC 2009


On Jan 19, 2009, at 7:48 AM, John Wobus wrote:
> Nathan Ollerenshaw wrote:
>>
>> I have an Authoritative BIND server. It is configured to only allow  
>> recursive queries from localhost, with recursion disabled for any  
>> remote clients.
>>
>> If you attempt to perform a recursive query against this server, it  
>> will respond with a "query refused" packet, as this is what BIND  
>> does if you try to recursively query a server configured to  
>> disallow recursive queries.
>> [ ........ ]
>> Any ideas? Anyone facing this same problem found a solution? I'd be  
>> glad to hear it :)
>
> If you need 53 to answer for authoritative zones, you could run two  
> bind instances, one for your caching server,
> the other for the authoritative data.  Then a firewall or instance- 
> wide black-hole config would take care of it.
> Not too inspired a solution, but it's all I can think of.
>
> I fear that what you are seeing is difficult to handle, thus may  
> well become only more popular as time passes,
> especially if it really does cause trouble for the victim. If the  
> traffic is negligible for you, then does it really
> hurt the victim?  How would they be harmed?  Is the victim someone  
> who queries your authoritative
> server enough to get some confusing "hits" of matching port, ID, and  
> server of outstanding queries?  Even if you
> block recursive error returns, would an attack using valid  
> authoritative answers be equally harmful to the victim?

What's happening is, the attacker uses a botnet to send recursive  
packets for ./IN/NS (or any other query likely to get a large  
response) to a large number of "reflectors", using a spoofed source  
address (the address of the target).

one controller
100000 bots
1000000 reflectors (per second - they can change from one second to  
another)
one target

The controller (the bot herder) already has an efficient way to  
control his botnet. Each bot (a compromised machine, usually running  
Windows, that's owned by an unsuspecting normal person) sends 10 DNS  
packets per second to 10 different servers - not very much traffic.  
Each reflector, a DNS server that accepts any kind of query from the  
Internet, sees 1 query per second (or less) - a very small amount of  
traffic. So none of these machines are seeing much load.

The target gets one million bogus responses per second.

Chris Buxton
Professional Services
Men & Mice
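The reflection pattern described above, as seen from the reflector's own query log: this is an added example, not code from the thread or from BIND. It assumes a BIND 9 querylog line shape ("client IP#PORT: query: NAME CLASS TYPE FLAGS (SERVER)", leading "+" in FLAGS meaning recursion desired) and constructed sample lines; it flags source addresses that send many recursion-desired, large-answer queries in one second, which on an authoritative-only server are the likely spoofed victims rather than the real senders.

```python
import re
from collections import defaultdict

# Constructed sample query-log lines (format assumed, see lead-in).
SAMPLE_LOG = """\
19-Jan-2009 17:49:44.001 client 192.0.2.7#53123: query: . IN NS + (203.0.113.10)
19-Jan-2009 17:49:44.120 client 192.0.2.7#53123: query: . IN NS + (203.0.113.10)
19-Jan-2009 17:49:44.240 client 192.0.2.7#53123: query: . IN NS + (203.0.113.10)
19-Jan-2009 17:49:44.360 client 192.0.2.7#53123: query: . IN NS + (203.0.113.10)
19-Jan-2009 17:49:44.480 client 192.0.2.7#53123: query: . IN NS + (203.0.113.10)
19-Jan-2009 17:49:44.600 client 192.0.2.7#53123: query: . IN NS + (203.0.113.10)
19-Jan-2009 17:49:44.720 client 198.51.100.5#40001: query: example.com IN A - (203.0.113.10)
19-Jan-2009 17:49:44.840 client 198.51.100.5#40002: query: example.com IN ANY + (203.0.113.10)
19-Jan-2009 17:49:45.010 client 192.0.2.7#53123: query: . IN NS + (203.0.113.10)
"""

# Timestamp is captured down to the second so counts bucket per second.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d\d:\d\d:\d\d)\.\d+ client (?P<src>[\w.:]+)#\d+: query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

def is_amplifying(name, qtype):
    """Queries whose answers dwarf the ~40-byte request (root NS, ANY)."""
    return qtype == "ANY" or (name == "." and qtype == "NS")

def per_second_rd_counts(log_text):
    """Count recursion-desired amplifying queries per (source, second)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["flags"].startswith("+"):
            continue  # unparsable line, or recursion was not requested
        if is_amplifying(m["name"], m["qtype"]):
            counts[(m["src"], m["ts"])] += 1
    return counts

def reflection_candidates(log_text, threshold=5):
    """Sources whose peak one-second rate exceeds threshold.

    With spoofed sources these addresses are the probable targets of the
    reflection; they are the ones to rate-limit or report, not to block.
    """
    peaks = defaultdict(int)
    for (src, _sec), n in per_second_rd_counts(log_text).items():
        peaks[src] = max(peaks[src], n)
    return {src: n for src, n in peaks.items() if n > threshold}
```

Run it against a real querylog by reading the file into `log_text`; the threshold should be tuned to the normal per-client rate of the zone served.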
