DNS Amplification Attack and different results in bind 9.6/9.7
Euiho Kim
leokim111 at gmail.com
Mon Nov 14 18:51:52 UTC 2011
Hi, I wrote email 1 days ago (subject name: DDoS attack and difference
actions in bind 9.6 / 9.7)
But I wonder mail could not approach to your mailbox, so I request support
again.
First, Recently “isc.org ANY” DDoS Attack is frequently generated in our
DNS System (recursive Cache DNS)
Query type is “ANY” and I think it may be DNS Amplification Attack.
It is affecting all region in Korea, and query traffic (pps) sometimes
exceeds 160K.
Source IP’s are variable, Spoofed or infected clients.
Anyway, I have 3 questioned about this.
1. If I solve this problem (burst isc.org “ANY” query – Amplication
Attack),
Any better idea or case of blocking attack at other sites?
2. Curiosly, I found 2 different query result of “isc.org ANY”
In bind-9.6 installed server, response query rcvd msg size is 600~700 byte,
But bind-9.7, response rcvd msg size is 3100~3400 byte(large size), It
includes lots of DNSSEC RRSet.
Why response msg sizes are different depending on systems?
3. I monitored DNS traffic after attack disappeared.
It seems that Bind-9.6 servers replied all about “ISC ANY” query,
But Bind-9.7 servers almost ignored them.
I read new features of bind-9.7 doc and RELEASE-FILE.
But there were no reports preventing above attack (sort of generating large
response packet)
I have read once about preventing large RRSIG in negative query, but I
think it’s different situation compare of that.
If you know the features in bind-9.7 related to above (ignore reply),
please tell us.
Best regards,
Euiho Kim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20111115/db36b651/attachment.html>
More information about the bind-users
mailing list