Maintained by: NLnet Labs

[Unbound-users] allowing cache queries but not doing recursion for "foreign" networks

Aaron Hopkins
Sun Feb 15 22:00:48 CET 2009


On Sun, 15 Feb 2009, Greg A. Woods; Planix, Inc. wrote:
> On 15-Feb-2009, at 3:43 AM, Robert Edmonds wrote:
>> cache snooping can also facilitate amplification attacks, see RFC 5358.
>
> No, not without recursion enabled it can't.

In the last month, there've been a number of multi-day amplification attacks
using spoofed "NS ." queries to ~750,000 nameservers.  The requests were 45
bytes and the responses were ~500 bytes, making this 11 to 1 amplification.
The victims (the spoofed sourced addresses) were seeing 5 gigabits of
responses.

See http://www.theregister.co.uk/2009/02/10/new_dns_amplification_attacks/
for the overview and the thread starting with
http://www.merit.edu/mail.archives/nanog/msg14429.html for the details of
one of the attacks.

There aren't 750,000 nameservers authoritative for ".", so why did they all
respond to it?  They all either have recursion enabled for the world, or
they allow cache snooping.  If your nameservers respond to requests from
anywhere for "dig . ns @your.ns.ip" with anything but Refused, they probably
were participating.

                                     -- Aaron