[AusNOG] Attacks against DNS servers...

Aqius aqius at lavabit.com
Tue Sep 11 12:10:02 EST 2012


Hi Mark,

At a basic level, I treat DNS DDoS attacks the same as SYN floods (albeit
based on UDP and/or TCP vs TCP only)... i.e.: ideally a network based firewall
with a high and low watermark... dropping excessive individual IPs, and
also dropping requests over whatever your host based resources are able to
cope with.

This kind of stuff is pretty standard these days, along with DNS inspection
that ensures the traffic abides by the protocol guidelines. Couple that with
a blacklist and something host based (such as
http://freecode.com/projects/dnsflood) and I've rarely had problems I
couldn't deal with.


-----Original Message-----
From: ausnog-bounces at lists.ausnog.net
[mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Mark Tees
Sent: Tuesday, 11 September 2012 11:46
To: ausnog at ausnog.net
Subject: [AusNOG] Attacks against DNS servers...

Morning Noggers,

I am curious about what filtering could be done in a distributed attack
scenario against authoritative DNS servers, assuming attack traffic is
coming in the form of requests that look legitimate.

If your DNS system is running on IP space in an anycast fashion I guess this
would spread the load out a bit depending on the number of nodes.

However, what could you scrub/filter on? Perhaps by trying to keep track of
source IPs, the time between requests, and the content of the requests?
Though, all of that could change quickly to suit the attack.

Thoughts out there?

Mark
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
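Added example, not part of this thread: a small Python model of the per-source high/low watermark dropping Aqius describes, which also tracks the source IPs and request timing Mark asks about. The traffic it replays is constructed (RFC 5737 addresses), and the thresholds, class and function names are assumptions chosen for illustration.

```python
# Added illustration (not from the AusNOG thread); thresholds are assumptions.
from collections import defaultdict, deque

class WatermarkLimiter:
    """Per-source hysteresis limiter: a source whose offered query rate in the
    sliding window exceeds `high` is dropped until that rate falls below `low`.
    `cap` models the host's total capacity. Counts are of offered queries, so
    a source that keeps flooding stays blocked."""

    def __init__(self, window_s=1.0, high=50, low=20, cap=10_000):
        self.window_s, self.high, self.low, self.cap = window_s, high, low, cap
        self._seen = defaultdict(deque)   # src -> timestamps inside window
        self._all = deque()               # every timestamp inside window
        self._blocked = set()

    def _prune(self, q, now):
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q)

    def admit(self, src, now):
        """Return True if the query from `src` at time `now` should be served."""
        q = self._seen[src]
        q.append(now)
        self._all.append(now)
        rate = self._prune(q, now)
        if src in self._blocked:
            if rate >= self.low:
                return False
            self._blocked.discard(src)     # rate fell below the low watermark
        elif rate > self.high:
            self._blocked.add(src)         # crossed the high watermark
            return False
        return self._prune(self._all, now) <= self.cap   # host capacity

def replay(events, limiter):
    """Feed (timestamp, src_ip, qname) events; return src -> (served, dropped)."""
    stats = defaultdict(lambda: [0, 0])
    for ts, src, _qname in sorted(events):
        stats[src][0 if limiter.admit(src, ts) else 1] += 1
    return {src: tuple(v) for src, v in stats.items()}

def make_sample():
    """Constructed traffic: one source bursts 100 queries in a second, goes
    quiet, then resumes gently; the other looks like a normal resolver."""
    flood = [(i * 0.01, "203.0.113.5", "example.com") for i in range(100)]
    calm = [(5.0 + i * 0.1, "203.0.113.5", "example.com") for i in range(5)]
    legit = [(0.2 * (i + 1), "198.51.100.7", "www.example.com") for i in range(5)]
    return flood + calm + legit
```

With the defaults, `replay(make_sample(), WatermarkLimiter())` serves the burst source's first 50 queries, drops the next 50, and serves it again once it slows down, while the normal resolver is never touched.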