An attack on DNS (UDP port 53) has been spreading these days. The attacker uses botnets to send out UDP DNS requests with a spoofed source IP address. When the DNS server replies to such a query, it sends the answer to that spoofed address.
Packets look like this:
QUERY: ANY? isc.org
The source IP is spoofed, but every DNS server configured with root hints will answer this packet. The problem:
Request size: 78 bytes
Answer size: 3656 bytes
So this is a 46x multiplier for DDoS attacks. Nice idea, bad for DNS server owners. There are a lot of websites talking about this issue:
Protection against isc.org any attack
How to block DNS Amplification Attack isc.org any attack
How to Launch a 65Gbps DDoS, and How to Stop One
Is Your Open DNS Resolver Part of a Criminal Conspiracy?
[issue-1] Routers don’t follow BCP38
So the problem has two sources. First, the internet routers that allow packets to be transported with source addresses that aren’t from the ranges behind those routers. Or in other words: why should a router forward a packet from a source it already knows to be reachable through a different gateway in its routing table? There’s a routing “best current practice” no. 38 that describes this as follows:
IF packet's source address from within [its assigned space]
THEN forward as appropriate
IF packet's source address is anything else
THEN deny packet
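To make that rule concrete, here is an added example (it is not from the post, from Chip Marshall or from BCP38 itself). It implements the check as a reverse-path lookup against a constructed routing table: a packet is forwarded only if the route back to its source address points out the interface it arrived on. That is the generalization of the rule quoted above, covering both "source not in the assigned space" on a customer port and "source belongs to a range we reach through another interface". The interface names and prefixes are made up (RFC 5737 documentation ranges).

```python
"""BCP38 / strict reverse-path check over a constructed routing table.

Added example, not from the original post. The routing table, interface
names and addresses below are made up (RFC 5737 documentation ranges).
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed routing table: prefix -> interface through which that prefix
# is reached. eth1/eth2 face customer networks, eth0 faces the upstream.
ROUTES: Dict[str, str] = {
    "203.0.113.0/24": "eth1",
    "198.51.100.0/24": "eth2",
    "0.0.0.0/0": "eth0",
}


def longest_match(routes: Dict[str, str], ip: str):
    """Return the most specific (network, interface) entry covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best


def ingress_decision(routes: Dict[str, str], arrival_iface: str, src_ip: str) -> str:
    """BCP38 rule as a reverse-path check: forward only if the route back to
    the packet's source points out the interface the packet arrived on.

    A packet arriving on a customer interface with a source the router
    reaches via another interface (or only via the default route) is
    spoofed and is denied. With the default route on eth0, any outside
    source arriving from the upstream that is not one of our own prefixes
    passes, while an outside packet claiming one of our prefixes is denied.
    """
    best = longest_match(routes, src_ip)
    if best is None:
        return "deny"
    return "forward" if best[1] == arrival_iface else "deny"


def filter_batch(routes: Dict[str, str], packets: List[Tuple[str, str]]) -> Dict[str, int]:
    """Apply the check to (arrival_iface, src_ip) pairs and count the verdicts."""
    counts = {"forward": 0, "deny": 0}
    for iface, src in packets:
        counts[ingress_decision(routes, iface, src)] += 1
    return counts


if __name__ == "__main__":
    # Constructed packets: legitimate customer traffic, a spoofed query from a
    # customer port claiming an outside source, and outside traffic claiming
    # one of our own addresses.
    sample = [
        ("eth1", "203.0.113.10"),  # legitimate: source is behind eth1
        ("eth1", "192.0.2.1"),     # spoofed: outside source on a customer port
        ("eth2", "203.0.113.10"),  # spoofed: eth1's range arriving on eth2
        ("eth0", "192.0.2.1"),     # outside traffic from the upstream, fine
        ("eth0", "203.0.113.10"),  # outside packet claiming our own range
    ]
    for iface, src in sample:
        print(f"{iface:5} {src:15} -> {ingress_decision(ROUTES, iface, src)}")
    print(filter_batch(ROUTES, sample))
```

On real routers this is what strict-mode unicast reverse-path forwarding does; the point of the example is only that the decision needs nothing the router does not already hold in its routing table.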
Thanks to Chip Marshall from dyndns.org for publishing this information. His post is here.
More information about BCP38 can be found here:
[issue-2] DNS recursion
The other reason: a DNS server published on the internet should only answer queries for its own zones. But most DNS servers are configured to perform recursive DNS queries on behalf of their clients. This is the reason why this attack has spread so widely.
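The following added example (not code from the post) shows the two points above from the server's side: what the 46x amplification pattern looks like in a query log, and what disabling recursion changes. It parses a constructed log format (timestamp, source IP, query type, name, request bytes, response bytes), reports per-source byte amplification together with the share of queries for names outside the server's own zones, and models the answer/refuse decision with recursion on and off. The zones, addresses and log lines are made up; the 78-byte request and 3656-byte answer are the sizes quoted above.

```python
"""Open-resolver abuse seen from the DNS server side: what an amplification
query looks like in a query log, and what disabling recursion changes.

Added example, not from the original post. The log format below is a
constructed one (timestamp, source IP, query type, name, request bytes,
response bytes); the zones and addresses are made up (RFC 5737 ranges).
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Zones this server is authoritative for (constructed).
AUTHORITATIVE_ZONES = ("example.com.", "example.net.")

# Constructed log lines. The repeated "ANY isc.org" queries from 192.0.2.10
# use the request/answer sizes quoted in the post; 192.0.2.10 is the
# spoofed source, i.e. the reflection victim, not the attacker.
LOG_LINES: List[str] = [
    "2013-03-28T10:00:01Z 192.0.2.10   ANY isc.org.         78 3656",
    "2013-03-28T10:00:01Z 192.0.2.10   ANY isc.org.         78 3656",
    "2013-03-28T10:00:02Z 192.0.2.10   ANY isc.org.         78 3656",
    "2013-03-28T10:00:02Z 198.51.100.7 A   www.example.com. 60   76",
    "2013-03-28T10:00:03Z 198.51.100.7 MX  example.com.     62  140",
    "2013-03-28T10:00:04Z 203.0.113.9  A   www.example.org. 64   80",
]


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into its fields."""
    ts, src, qtype, qname, req, resp = line.split()
    return {"time": ts, "src": src, "qtype": qtype.upper(),
            "qname": qname.lower(), "req": int(req), "resp": int(resp)}


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or a name below it."""
    if not qname.endswith("."):
        qname += "."
    return qname == zone or qname.endswith("." + zone)


def is_authoritative(qname: str, zones=AUTHORITATIVE_ZONES) -> bool:
    return any(in_zone(qname, z) for z in zones)


def would_answer(rec: Dict[str, object], recursion_enabled: bool,
                 zones=AUTHORITATIVE_ZONES) -> str:
    """Model the server's decision. Names in its own zones are always
    answered; anything else is answered only while recursion is enabled,
    which is exactly what makes the server usable as a reflector."""
    if is_authoritative(str(rec["qname"]), zones):
        return "answer"
    return "answer" if recursion_enabled else "refused"


def amplification_report(lines: Iterable[str], min_ratio: float = 10.0,
                         zones=AUTHORITATIVE_ZONES) -> Dict[str, Dict[str, object]]:
    """Per source address: query count, bytes in/out, ANY count, queries for
    names outside our zones, the byte amplification ratio, and a suspicious
    flag (high ratio AND non-authoritative names: the reflection signature)."""
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0,
                                 "any": 0, "non_auth": 0})
    for line in lines:
        rec = parse_line(line)
        s = stats[str(rec["src"])]
        s["queries"] += 1
        s["req"] += int(rec["req"])
        s["resp"] += int(rec["resp"])
        if rec["qtype"] == "ANY":
            s["any"] += 1
        if not is_authoritative(str(rec["qname"]), zones):
            s["non_auth"] += 1
    report = {}
    for src, s in stats.items():
        ratio = s["resp"] / s["req"]
        report[src] = {**s, "ratio": round(ratio, 1),
                       "suspicious": ratio >= min_ratio and s["non_auth"] > 0}
    return report


if __name__ == "__main__":
    for src, s in amplification_report(LOG_LINES).items():
        print(f"{src:14} queries={s['queries']} ratio={s['ratio']} "
              f"any={s['any']} non_auth={s['non_auth']} suspicious={s['suspicious']}")
    rec = parse_line(LOG_LINES[0])
    print("recursion on :", would_answer(rec, True))
    print("recursion off:", would_answer(rec, False))
```

Two things to read off the report. The "suspicious" source is the spoofed address, so it is the victim being flooded with your answers; blocking it by source would finish the attacker's job for them, which is why the fix sits in the server's behaviour (refusing recursion for names outside its zones) and not in a source blacklist. And disabling recursion outright only fits a server whose job is to serve its own zones to the internet; if the same server also resolves for internal clients, restrict recursion to those client ranges (or split the roles onto separate servers) rather than switching it off for everyone.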
To disable recursion on Windows DNS Servers:
- Right-click the DNS server and click Properties
- Select the Advanced tab
- Under Server options, select the “Disable recursion” check box
- Save using the OK button
More Information in TechNet: http://technet.microsoft.com/en-us/library/cc771738.aspx
Another way would be removing all root hints and forwarders from the config. But disabling recursion is the easiest and most common.
Alert from US-CERT: http://www.us-cert.gov/ncas/alerts/TA13-088A