Weblog entry #307 for simonw
The attack is ongoing still!
That evening I logged into our authoritative name servers and fixed up the DNS named.conf.options so that recursive queries were refused (the default Debian config results in authoritative servers answering recursive queries with a referral rather than a refusal), as the config on those running Etch was wrong.
It is vital that the response to queries for which you aren't authoritative is as small as possible, to save both your own bandwidth and that of the victim. Specifically, it should be smaller than the request: a reflector that shrinks traffic is less useful to the attacker than sending the packets directly.
You can use "dig" to establish this for your authoritative name servers:
Currently they are using the query "name servers for root (.)" hence:
dig @IP.AD.DR.SS . ns | grep MSG
Should return something like:
;; MSG SIZE rcvd: 17
A result of about 272 bytes (not 17) shows that the query was answered or a referral took place - not good.
In Lenny BIND9 you want:
In Etch BIND9 you may also need:
Either way, restart named and check that the responses are correct!
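The 17 bytes in the expected dig output is simply the size of the query itself (12-byte DNS header plus the 1-byte root name, type and class) echoed back with REFUSED, so a correctly configured server reflects no more than it receives. The following is an added example, not the post's own configuration or commands: a small POSIX shell script that writes a hardening fragment for named.conf.options (the option names are standard BIND 9 options; the exact settings the author used are not shown in the post, so treat the values as an assumption) and a checker that parses dig's MSG SIZE line and flags any server whose ". NS" response is larger than the 17-byte query. The two sample dig output lines are constructed.

```shell
#!/bin/sh
# Added example: a BIND 9 options fragment that refuses recursion to the
# world, plus a check that the server is not amplifying ". NS" queries.
# The option values below are an assumption, not the post's own config.

write_named_options() {
    # Writes a hardening fragment to the path given in $1.
    cat > "$1" <<'EOF'
options {
    // Authoritative-only server: do not recurse for anyone but local hosts.
    recursion no;
    allow-recursion { localhost; localnets; };
    // Do not pad non-authoritative answers from the cache (stops the
    // root referral that makes the response larger than the query).
    additional-from-cache no;
    additional-from-auth no;
};
EOF
}

# Size in bytes of a plain (no EDNS) ". NS" query:
# 12-byte header + 1-byte root name + 2-byte type + 2-byte class.
QUERY_SIZE=17

# Constructed sample output lines as `dig @server . ns | grep MSG` prints them.
REFUSED_OUT=';; MSG SIZE  rcvd: 17'
REFERRAL_OUT=';; MSG SIZE  rcvd: 272'

# rcvd_size: print the byte count from dig's ";; MSG SIZE  rcvd: N" line.
rcvd_size() {
    printf '%s\n' "$1" | sed -n 's/.*MSG SIZE *rcvd: *\([0-9][0-9]*\).*/\1/p'
}

# amplifies: succeed (exit 0) when the response is larger than the query,
# i.e. the server is usable as a reflector; fail on empty or small output.
amplifies() {
    size=$(rcvd_size "$1")
    [ -n "$size" ] && [ "$size" -gt "$QUERY_SIZE" ]
}

# check_server: live check against one name server (needs dig and network).
# Prints a verdict and returns non-zero if the server amplifies.
check_server() {
    out=$(dig @"$1" . ns +noedns 2>/dev/null | grep 'MSG SIZE')
    if amplifies "$out"; then
        echo "$1: AMPLIFIES ($(rcvd_size "$out") bytes for a $QUERY_SIZE byte query)"
        return 1
    fi
    echo "$1: ok ($(rcvd_size "$out") bytes)"
}

# Usage: check_server IP.AD.DR.SS   (one line per server, non-zero on failure)
```

Run check_server against each authoritative server after restarting named; the +noedns flag keeps the query at 17 bytes so the comparison matches the post's figures.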
On returning from leave I noted that one of our clients' colocated servers is providing open recursion, and all the DNS traffic to it that I can see appears to be DDoS attacks against these addresses.
Queries are either ". ns" or "aol.com txt"