[AusNOG] Attacks against DNS servers...

Mark Tees marktees at gmail.com
Tue Sep 11 12:42:24 EST 2012


The main scenario I was curious about was the case of a DDoS attack with a traffic volume larger than the target's pipe could handle, in which case it would need to be handled upstream. I was curious about the fingerprinting techniques used in devices like the Arbor gear.

Separating recursive and authoritative servers is something I will pretty much always do.

On 11/09/2012, at 12:10 PM, Aqius wrote:

> Hi Mark,
> 
> At a basic level, I treat DNS DDoS attacks the same as SYN floods (albeit
> based on UDP and/or TCP vs TCP only)... i.e. ideally a network-based firewall
> with a high and low watermark... dropping excessive individual IPs, and
> also dropping requests over whatever your host-based resources are able to
> cope with.
> 
> This kind of stuff is pretty standard these days, along with DNS inspection
> that ensures the traffic abides by the protocol guidelines. Couple that with
> a blacklist and something host based (such as
> http://freecode.com/projects/dnsflood) and I've rarely had problems I
> couldn't deal with.
> 
> 
> -----Original Message-----
> From: ausnog-bounces at lists.ausnog.net
> [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Mark Tees
> Sent: Tuesday, 11 September 2012 11:46
> To: ausnog at ausnog.net
> Subject: [AusNOG] Attacks against DNS servers...
> 
> Morning Noggers,
> 
> I am curious about what filtering could be done in a distributed attack
> scenario against authoritative DNS servers.  Assuming attack traffic is
> coming in the form of requests that look legitimate.
> 
> If your DNS system is running on IP space in an anycast fashion I guess this
> would spread the load out a bit depending on the number of nodes.
> 
> However, what could you scrub/filter on? Perhaps by trying to keep track of
> source IPs, the time between requests, and the content of the requests?
> Though, all of that could change quickly to suit the attack.
> 
> Thoughts out there?
> 
> Mark
> 
> 
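The high and low watermark filtering described in the quoted reply, sketched as an added example that is not part of either post: a source is dropped once it exceeds the high watermark and is only released after its offered rate falls to the low watermark, and a global cap stands in for what the host can cope with. The class and function names, the thresholds, the one-second buckets and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict

class WatermarkLimiter:
    """Per-source high/low watermark limiter with a global per-second cap."""

    def __init__(self, high, low, capacity):
        self.high, self.low, self.capacity = high, low, capacity
        self.blocked = set()             # sources currently being dropped
        self.counts = defaultdict(int)   # queries offered per source this second
        self.accepted = 0                # queries passed to the server this second
        self.second = None

    def _roll(self, second):
        # Release a blocked source only once its offered rate in the previous
        # second fell to the low watermark or below (hysteresis).
        if self.second is not None and second - self.second > 1:
            self.blocked.clear()         # at least one silent second for everyone
        else:
            self.blocked = {s for s in self.blocked if self.counts[s] > self.low}
        self.counts.clear()
        self.accepted = 0
        self.second = second

    def allow(self, ts, src):
        if int(ts) != self.second:
            self._roll(int(ts))
        self.counts[src] += 1            # count offered load, even when dropping
        if self.counts[src] > self.high:
            self.blocked.add(src)
        if src in self.blocked or self.accepted >= self.capacity:
            return False
        self.accepted += 1
        return True

def replay(events, limiter):
    """Return the number of accepted queries per source for (ts, src) events."""
    passed = defaultdict(int)
    for ts, src in events:
        if limiter.allow(ts, src):
            passed[src] += 1
    return dict(passed)

# Constructed sample: one noisy source, one normal resolver (RFC 5737 addresses).
NOISY, NORMAL = "198.51.100.7", "192.0.2.10"
EVENTS = ([(0.0, NOISY)] * 10 + [(0.5, NORMAL)] * 2 + [(1.1, NOISY)] * 3 +
          [(1.2, NORMAL)] * 2 + [(2.0, NOISY), (2.5, NORMAL), (3.0, NOISY)])

if __name__ == "__main__":
    print(replay(EVENTS, WatermarkLimiter(high=5, low=2, capacity=8)))
```

Per-source limits of this kind only help while the sources are real and few enough to track; with spoofed or widely distributed sources the global cap is what protects the host, at the cost of dropping legitimate queries too.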



