Simple DNS Plus

Root query DNS amplification / DDoS attack

Added January 31th 2009:
We have just added a new option in Simple DNS Plus to ignore root requests (and not log them) - click here for details.
Hopefully this will make it easier to deal with this attack.

Added January 30th 2009:
We do NOT recommend blocking the sender's IP address on your firewall, with IPSec, or anything else at the IP address level - that is exactly what the attacker wants you to do (we are seeing an alarming number of suggestion on how to do that).
By blocking the apparent sender IP addresses, you are really blocking the victim rather than the attacker - because the sender IP address is spoofed as the victim's.
The aim of the attack is twofold: (1) overload the victim's Internet connection with large DNS responses , and (2) make everybody firewall the victim, so he can't use his connection even after the attack.
The best way to counter this attack is by refusing or ignoring lame DNS requests as described below.

Over the past few days several users have reported receiving a slow stream of DNS requests for the DNS root (.) from unknown IP addresses.
One alert user pointed out that this is also being reported at http://isc.sans.org/diary.html?storyid=5713

Other than taking up some extra log space, this is not really a problem for the local Simple DNS Plus server or site.
It may however be an indication that someone is using your DNS server as part of a so-called DNS amplification attack against a third party - the owner of the IP address that the DNS requests appear to originate from.
By sending a DNS request from a spoofed IP address, an attacker can trick your DNS server into sending a relatively large response (all the root records) to the victim.

We recommend that you prevent this by limiting recursion to your own IP addresses, and refuse or ignore lame requests:

In the Options dialog / DNS / Recursion section, either turn off recursion completely if you don't need it, or limit it. Do not use the "For everyone" option:

And in the Lame Requests section, select either "Respond with a Refused error message" or "Do not respond":

IMPORTANT: When registering new domain names, some registrars require that your DNS server responds with a correct list of DNS root servers as part of their tests (thus the default setting), so you may need to temporarily switch back when doing this.

As described above, we recommend using the Lame Requests options to counter this type of attack in general.
If this particular attack is continuously hitting your server, you will do the victim a favor using the "Do not respond" option. When no longer under attack, you can switch to the "Respond with Refused error message" option which still ensures that your server is not "interesting" as a waypoint for this type of attack - since it won't amplify traffic.

Comments

Simple DNS Plus

  • Home
  • Search
  • Product details

  • Features
  • Screen shots
  • Plug-ins
  • Tools & Add-ons
  • Testimonials
  • What's new
  • Release notes
  • Download

  • Download
  • Buy

  • Pricing
  • New license
  • Additional license
  • Upgrade
  • Support

  • Overview
  • Lost License Key
  • Knowledge Base
  • Online documentation
  • Contact us