how to defense against ddos attack to dns?

MontyRee chulmin2 at hotmail.com
Fri Nov 20 22:14:59 UTC 2009




Hello, 
I tested a DNS DoS tool, dnstest (http://www.trsecurity.net/dnstest/).
This program generates
(1) lots of queries, (2) randomly chosen queried domains, and (3) source IPs that can be spoofed towards the destination.
Below is an example (192.168.198.17 is the victim):
07:09:11.658811 IP 167.187.119.211.4500> 192.168.198.17.domain:  2+ A? www.aocddv.biz. (32)
07:09:11.775809 IP 206.140.182.86.1233> 192.168.198.17.domain:  2+ A? www.bvthus.org. (32)
07:09:11.891780 IP 157.160.17.164.3454> 192.168.198.17.domain:  2+ A? www.oftinx.net. (32)
07:09:12.008021 IP 27.71.230.67.56566> 192.168.198.17.domain:  2+ A? www.nnqsts.net. (32)
07:09:12.123998 IP 202.193.203.54.1320> 192.168.198.17.domain:  2+ A? www.lpdbxs.biz. (32)
07:09:12.240545 IP 217.53.229.167.22211> 192.168.198.17.domain:  2+ A? www.ahnxuj.biz. (32)
07:09:12.357514 IP 208.133.39.51.435435> 192.168.198.17.domain:  2+ A? www.sdhvmu.org. (32)
07:09:12.472896 IP 80.168.228.221.5464> 192.168.198.17.domain:  2+ A? www.juewou.com. (32)
07:09:12.705161 IP 217.198.77.156.1223> 192.168.198.17.domain:  2+ A? www.vgxaex.org. (32)

My question is:
if there are lots of queries like the above, how can I defend against the attack? I think that just denying recursion is not sufficient.
Please share your experiences and opinions.

Thanks.


> To: chulmin2 at hotmail.com
> CC: bind-users at isc.org
> From: marka at isc.org
> Subject: Re: how to defense against ddos attack to dns? 
> Date: Tue, 17 Nov 2009 12:19:53 +1100
> 
> 
> In message <BLU149-W13EF74E1E2EBA2FE9DD3F385A40 at phx.gbl>, MontyRee writes:
>> 
>> Hello, all.
>>  
>> I have operated some dns servers and I'm curious what I should do if
>> there is a ddos attack on my dns servers.
>>  
>> So do you know how to defend against a dns ddos attack, like the root servers do?
>>  
>> Surely, various ddos attack may be occurred.
>>  
>> My idea is..
>>  
>> -. filtering 53/udp traffic where the packet is over 512 bytes
>> -. rate-limit against 53/udp queries
>>    (but useless if the attack spoof the source ip)
>> -. deny recursion 
>> -. anycast?
>>  
>> Are there any comments or proposals?
> 
> How you defend against a DoS attack depends on the actual attack
> and what services you are attempting to provide and to whom.  You
> want to minimise collateral damage and some of the methods above
> are likely to introduce collateral damage.
> 
>> Thanks in advance. 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
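A per-victim check for the traffic pattern shown in the tcpdump excerpt above (many queries, each from a different source, each for a never-repeated name), added here as an example and not code from the thread; it flags the combination that makes per-source rate limiting and caching ineffective, which is the point of the "useless if the attack spoofs the source ip" remark. The sample lines are the post's own first six, re-spaced as constructed input; the function names and the threshold values are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the first six tcpdump lines from the post, spacing normalised to "src > dst".
SAMPLE = """\
07:09:11.658811 IP 167.187.119.211.4500 > 192.168.198.17.domain: 2+ A? www.aocddv.biz. (32)
07:09:11.775809 IP 206.140.182.86.1233 > 192.168.198.17.domain: 2+ A? www.bvthus.org. (32)
07:09:11.891780 IP 157.160.17.164.3454 > 192.168.198.17.domain: 2+ A? www.oftinx.net. (32)
07:09:12.008021 IP 27.71.230.67.56566 > 192.168.198.17.domain: 2+ A? www.nnqsts.net. (32)
07:09:12.123998 IP 202.193.203.54.1320 > 192.168.198.17.domain: 2+ A? www.lpdbxs.biz. (32)
07:09:12.240545 IP 217.53.229.167.22211 > 192.168.198.17.domain: 2+ A? www.ahnxuj.biz. (32)
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+\s*>\s*"
                     r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.domain:\s+\d+\+? \S+\? (?P<qname>\S+) ")

def parse(text):
    """Return (seconds_since_midnight, src, dst, qname) for each tcpdump DNS query line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # responses, non-DNS packets, truncated lines
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        out.append((t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6,
                    m["src"], m["dst"], m["qname"].lower()))
    return out

def flood_stats(records, dst):
    """Per-victim view: how many queries, and how spread they are over sources and names."""
    hits = [r for r in records if r[2] == dst]
    if not hits:
        return None
    span = max(r[0] for r in hits) - min(r[0] for r in hits)
    srcs = Counter(r[1] for r in hits)
    names = Counter(r[3] for r in hits)
    return {
        "queries": len(hits),
        "qps": len(hits) / max(span, 1.0),  # floor the window at one second
        "distinct_src_ratio": len(srcs) / len(hits),  # 1.0 = no source address repeats
        "unique_name_ratio": sum(1 for c in names.values() if c == 1) / len(hits),
    }

def looks_like_random_qname_flood(stats, min_queries=100):
    """Both ratios near 1.0 at volume: per-source limits and the cache both miss, so mitigation must key on the victim."""
    return (stats is not None and stats["queries"] >= min_queries
            and stats["distinct_src_ratio"] >= 0.9
            and stats["unique_name_ratio"] >= 0.9)
```

In a real deployment the min_queries threshold is set from the server's normal per-second query volume; the six-line sample only reaches it with a lowered threshold.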
 		 	   		  
_________________________________________________________________
새로운 Windows 7: 여러분에게 맞는 최상의 PC를 찾으세요. 자세히 보기.
http://windows.microsoft.com/shop
