New reports of DNS amplification / DDoS attacks

Tuesday, 10 August 2010

Over the past few days, a number of Simple DNS Plus users have reported receiving a large number of incoming DNS requests for <root> and/or various unknown domain names - typically originating from a small number of IP addresses. We have also seen similar reports from users of other DNS servers on various forums.

If you see something similar, it may be an indication that someone is abusing your DNS server as part of a so-called DNS amplification attack against a third party - the owner of the IP address that the DNS requests appear to originate from.
By sending a DNS request from a spoofed IP address, the attacker tricks your DNS server into sending a DNS response packet to the victim, thereby making your server part of a DDoS attack. Typically the request is designed to trigger a response packet which is much larger than the original request packet - hence the "amplification".

We do NOT recommend blocking the sender's IP address on your firewall, with IPSec, or anything else at the IP address level - that is exactly what the attacker wants you to do! Because the sender IP address is spoofed to be the victim's, blocking the apparent sender IP addresses really blocks the victim rather than the attacker.
The aim of the attack is twofold: (1) overload the victim's Internet connection with large DNS responses, and (2) make everybody firewall the victim, so that the victim cannot use the connection even after the attack has stopped.

The best way to counter this type of attack is to make your DNS server unattractive as a "way-point". You do this by configuring Simple DNS Plus to either ignore or refuse lame requests.

First, in the Options dialog / DNS / Resolver / Recursion section, either turn off recursion completely if you don't need it, or limit it to your own IP address range(s):

Then, in the Lame Requests section, select either "Respond with a Refused error message" or "Do not respond":

Generally we recommend the "Refused" option, as this makes it easier to troubleshoot other DNS issues. However, if this attack is continuously hitting your server, you will do the victim a favor by using the "Do not respond" option. When no longer under attack, you can switch back to the "Refused" option, which still ensures that your server is not attractive as a way-point for this type of attack - since a Refused reply does not amplify traffic.

If the requests are mostly for <root>, another way to deal with this traffic, and keep it out of the log at the same time, is the "Ignore all DNS requests for <root>" feature found in the Miscellaneous section:
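The following script is an added example, not part of the original post or of Simple DNS Plus: it runs over constructed query-log lines (a made-up format, not the product's own log layout) and reports source IPs that send many "lame" requests together with the amplification factor the server is currently providing. Those IPs are the likely spoofed victims described above and should not be firewalled. The zone list and log fields are assumptions.

```python
"""Spot DNS amplification abuse in a query log and estimate the
amplification the server is currently handing the attacker."""
from collections import defaultdict

# Zones this server is authoritative for (assumed; adjust to your setup).
AUTHORITATIVE_ZONES = ("example.com", "example.net")

# Constructed sample log lines, NOT the real Simple DNS Plus log format:
# time  client_ip  qname  qtype  request_bytes  response_bytes
SAMPLE_LOG = """\
10:00:01 203.0.113.5 <root> NS 17 512
10:00:01 203.0.113.5 <root> NS 17 512
10:00:02 203.0.113.5 <root> NS 17 512
10:00:02 203.0.113.5 isc.org ANY 25 3000
10:00:03 198.51.100.7 www.example.com A 33 49
10:00:03 203.0.113.5 <root> NS 17 512
10:00:04 192.0.2.9 mail.example.net MX 34 80
"""

def is_lame(qname: str) -> bool:
    """A 'lame' request asks for data this server is not authoritative for
    (including <root>); answering it is what makes the server an amplifier."""
    if qname == "<root>":
        return True
    name = qname.lower().rstrip(".")
    return not any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)

def parse_line(line: str) -> dict:
    _time, ip, qname, qtype, req, resp = line.split()
    return {"ip": ip, "qname": qname, "qtype": qtype, "req": int(req), "resp": int(resp)}

def find_suspected_victims(log_text: str, min_lame: int = 3) -> dict:
    """Group lame requests by apparent source IP. A source sending many lame
    requests is almost certainly a spoofed victim address, not the attacker.
    Returns {ip: (lame_count, amplification_factor)}."""
    stats = defaultdict(lambda: [0, 0, 0])  # lame_count, req_bytes, resp_bytes
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_lame(rec["qname"]):
            s = stats[rec["ip"]]
            s[0] += 1
            s[1] += rec["req"]
            s[2] += rec["resp"]
    return {ip: (n, round(resp / req, 1))
            for ip, (n, req, resp) in stats.items() if n >= min_lame}

def refused_response_size(req_bytes: int) -> int:
    """With 'Respond with a Refused error' the reply carries only the DNS
    header and the echoed question, roughly the size of the request itself,
    so the amplification factor falls to about 1."""
    return req_bytes

if __name__ == "__main__":
    for ip, (count, factor) in find_suspected_victims(SAMPLE_LOG).items():
        print(f"{ip}: {count} lame requests, amplification x{factor} - do NOT block")
```

With the sample lines, 203.0.113.5 is reported with amplification roughly x54; switching to the Refused option would bring that to about x1.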
