[AusNOG] Attacks against DNS servers...

Tim Jackson tim at jacksons.net.au
Tue Sep 11 13:21:56 EST 2012


Poor guys over at Go Daddy might need some of this help.

http://news.cnet.com/8301-1009_3-57509753-83/go-daddy-serviced-web-sites-go-down-hacker-takes-credit/



On Tue, Sep 11, 2012 at 12:42 PM, Mark Tees <marktees at gmail.com> wrote:

> The main scenario I was curious about was the case of a DDoS attack with a
> traffic volume larger than the target's pipe could handle, in which case it
> would need to be handled upstream. I was curious about the fingerprinting
> techniques used in devices like the Arbor gear.
>
> Separating recursive and authoritative servers is something I will pretty
> much always do.
>
> On 11/09/2012, at 12:10 PM, Aqius wrote:
>
> > Hi Mark,
> >
> > At a basic level, I treat DNS DDoS attacks the same as SYN floods (albeit
> > based on UDP and/or TCP vs. TCP only), i.e. ideally a network-based
> > firewall with a high and low watermark, dropping excessive individual IPs,
> > and also dropping requests over whatever your host-based resources are
> > able to cope with.
> >
> > This kind of stuff is pretty standard these days, along with DNS
> > inspection that ensures the traffic abides by the protocol guidelines.
> > Couple that with a blacklist and something host-based (such as
> > http://freecode.com/projects/dnsflood) and I've rarely had problems I
> > couldn't deal with.
> >
> >
> > -----Original Message-----
> > From: ausnog-bounces at lists.ausnog.net
> > [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Mark Tees
> > Sent: Tuesday, 11 September 2012 11:46
> > To: ausnog at ausnog.net
> > Subject: [AusNOG] Attacks against DNS servers...
> >
> > Morning Noggers,
> >
> > I am curious about what filtering could be done in a distributed attack
> > scenario against authoritative DNS servers, assuming attack traffic is
> > coming in the form of requests that look legitimate.
> >
> > If your DNS system is running on IP space in an anycast fashion I guess
> > this would spread the load out a bit depending on the number of nodes.
> >
> > However, what could you scrub/filter on? Perhaps by trying to keep track
> > of source IPs, the time between requests, and the content of the requests?
> > Though all of that could change quickly to suit the attack.
> >
> > Thoughts out there?
> >
> > Mark
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
> >
> >
>
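The filters the thread talks about, worked as code: Aqius's "DNS inspection that ensures the traffic abides by the protocol guidelines" and high/low watermark per-source dropping, plus the in-zone check that Mark's authoritative/recursive split makes possible, all replayed over constructed traffic so the decisions can be counted. This is an added illustration, not code from anyone on the list and not the dnsflood tool linked above; the zone name, source addresses, thresholds and packet mix are assumptions.

```python
import struct
from collections import defaultdict, deque

SERVED_ZONES = ("example.net.",)   # assumed zones of a hypothetical authoritative-only server
HIGH_WATERMARK = 20                # packets per 1 s window that puts a source into blocked state
LOW_WATERMARK = 5                  # packets per window at or below which a blocked source is released

def parse_query(packet):
    """Return (qname, qtype, qclass) for a well-formed standard query, else None: rejects
    short packets, responses (QR=1), non-QUERY opcodes, QDCOUNT != 1, AN/NS != 0, bad names."""
    if len(packet) < 12:
        return None
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qd != 1 or an or ns:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(packet):  # no compression pointers in a question
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass

def in_served_zone(qname):
    return any(qname == z or qname.endswith("." + z) for z in SERVED_ZONES)

class SourceLimiter:
    """Sliding-window packet count per source with watermark hysteresis: a source that
    exceeds HIGH is dropped until its rate falls to LOW or below."""
    def __init__(self, high=HIGH_WATERMARK, low=LOW_WATERMARK, window=1.0):
        self.high, self.low, self.window = high, low, window   # window in seconds
        self.seen = defaultdict(deque)   # src -> timestamps inside the window
        self.blocked = set()

    def allow(self, src, now):
        q = self.seen[src]
        q.append(now)
        while now - q[0] > self.window:
            q.popleft()
        n = len(q)
        if src in self.blocked:
            if n > self.low:
                return False
            self.blocked.discard(src)
            return True
        if n > self.high:
            self.blocked.add(src)
            return False
        return True

def classify(src, packet, now, limiter):
    """Every packet counts toward its source's rate; content checks run first, then the gate."""
    allowed = limiter.allow(src, now)
    parsed = parse_query(packet)
    if parsed is None:
        return "drop-malformed"
    qname, _qtype, qclass = parsed
    if qclass != 1 or not in_served_zone(qname):
        return "drop-offzone"
    return "accept" if allowed else "drop-rate"

def build_query(qname, qtype=1, flags=0x0100):
    """Constructed test packet (fixture for simulate(), not production code)."""
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.rstrip(".").split("."))
    return hdr + name + b"\x00" + struct.pack("!HH", qtype, 1)

def simulate():
    """Replay constructed traffic and tally decisions per source: a polite client at 2 qps,
    a flooder (100 pps for 1 s, then 8 qps, then one query after a pause), and a junk sender."""
    lim, tally = SourceLimiter(), defaultdict(lambda: defaultdict(int))
    good = build_query("www.example.net.")
    for k in range(1, 21):
        tally["198.51.100.7"][classify("198.51.100.7", good, 0.5 * k, lim)] += 1
    flood = [k / 100.0 for k in range(1, 101)]
    trickle = [1.0 + 0.125 * k for k in range(1, 17)]       # below HIGH but above LOW
    for t in flood + trickle + [5.0]:
        tally["203.0.113.9"][classify("203.0.113.9", good, t, lim)] += 1
    junk = [b"\x00" * 5,                                    # truncated header
            build_query("www.example.net.", flags=0x8100),  # QR=1: a response, not a query
            build_query("www.example.net.", flags=0x0800),  # opcode 1 (IQUERY)
            build_query("www.example.org.")]                # zone we do not serve
    for i, pkt in enumerate(junk):
        tally["192.0.2.44"][classify("192.0.2.44", pkt, 0.1 * i, lim)] += 1
    return {src: dict(c) for src, c in tally.items()}

if __name__ == "__main__":
    for src, decisions in simulate().items():
        print(src, decisions)
```

Running it prints one line per source with its tally. The two watermarks are the point: the flooder gets its first 20 packets through, is blocked at the 21st, and dropping back to 8 qps (under the high mark but over the low one) does not release it; only the lone query after the pause does. The in-zone check is only usable because the box answers authoritatively for a known set of zones, which is the practical payoff of keeping recursive and authoritative roles apart. It is all per-source state, so it holds only as long as the attacker does not spread or reshape the traffic, which is exactly the caveat Mark raises.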