Re: [dns-wg] Name servers problems
From: Jørgen Hovland jorgen@localhost
Date: Mon, 27 Feb 2006 11:39:32 +0100
----- Original Message -----
From: "Jaap Akkerhuis" jaap@localhost
For those not on NANOG, on that list there is quite some discussion going
on about using (recursive) name servers for amplification attacks.
The discussion starts at
http://www.merit.edu/mail.archives/nanog/threads.html#16000.o
There is a special mailing list devoted to this problem by the ISC:
http://lists.oarci.net/mailman/listinfo/dns-operations, and this
list is open to anyone.
There is a US-CERT warning about this:
http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf.
The upshot is: Close your open recursive nameservers.
Other info: http://dns.measurement-factory.com/surveys/sum1.html
and a plug for a secure template by the cymru guys:
http://www.cymru.com/Documents/secure-bind-template.html
Maybe all this is worth a slot at the coming dns-wg (or eof) meeting?
jaap
Acknowledgement: Information compiled from messages from Harvey
Allen, Lucy Lynch, Rob Thomas and others.
It might be worth mentioning that DNS is not the only service being abused
for this kind of attack. Strictly speaking, any service that replies to spoofed
packets with more data than it received is affected. That includes
the TCP protocol and also authoritative nameservers (tip: dig -t a b.n
@a.nic.fr) that respond to queries. But recursive nameservers are obviously
an easier target... for now.
j
(who finds it interesting that people are discussing this issue now and
not around the year 2000, which was, at least for me, the first time I noticed
this problem.)
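The thread's two practical points, "close your open recursive nameservers" and "any service that answers a spoofed packet with more bytes than it received is an amplifier", are easy to check for yourself. The following script is an added example and is not code from either poster, the dns-wg list or any of the linked documents. It builds a minimal DNS query in wire format, parses the header of the reply, reports the RA (recursion available) flag and the response-to-request size ratio, and classifies the server. The `build_sample_response` helper constructs an offline reply so the logic can be exercised without sending anything; the `probe` function is the only part that touches the network, and the target name `example.com` is an arbitrary choice, not one from the thread.

```python
"""Open-recursion and amplification-ratio check for a DNS server.

Added example; not from the original thread. Pure-stdlib, Python 3.
"""
import socket
import struct

QTYPE_A = 1
RCODE_REFUSED = 5


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, rd=True, txid=0x1234):
    """Header (12 bytes) + one question. RD=1 asks the server to recurse."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_response(data):
    """Decode only the header; that is all the classification needs."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "rd": bool(flags & 0x0100),   # recursion desired (echoed)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
        "size": len(data),
    }


def amplification(query, response):
    """Bytes returned per byte sent; the spoofing attacker's multiplier."""
    return len(response) / len(query)


def classify(query, response):
    """A server that answers a foreign name with RA=1 is an open resolver."""
    info = parse_response(response)
    if not info["qr"] or info["id"] != struct.unpack("!H", query[:2])[0]:
        return "not-a-response"
    if info["rcode"] == RCODE_REFUSED:
        return "refused"
    if info["ra"] and info["rcode"] == 0 and info["ancount"] > 0:
        return "open-recursive"
    return "no-recursion"


def build_sample_response(query, ra=True, addrs=(), rcode=0):
    """Constructed reply for offline testing (not a real capture).

    Echoes the question section and appends one A record per address,
    using a compression pointer (0xc00c) back to the question name.
    """
    txid, = struct.unpack("!H", query[:2])
    flags = (0x8180 if ra else 0x8100) | rcode   # QR + RD (+ RA)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    answers = b""
    for a in addrs:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4)
        answers += socket.inet_aton(a)
    return header + query[12:] + answers


def probe(server, name="example.com", timeout=3.0):
    """Send one recursive query over UDP and report what came back."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(q, data), amplification(q, data), parse_response(data)


if __name__ == "__main__":
    import sys
    verdict, ratio, info = probe(sys.argv[1])
    print("%s: %s, RA=%s, rcode=%d, %.2fx amplification"
          % (sys.argv[1], verdict, info["ra"], info["rcode"], ratio))
```

Run it against one of your own servers from an address outside its allowed client range; an answer of `open-recursive` is exactly the condition the US-CERT note asks operators to fix. The ratio printed for a plain A query is modest; the point of the thread is that larger responses (and larger queries with EDNS0) scale the same way, and that the RA flag alone does not make a server safe, since an authoritative server with RA=0 still answers with more bytes than it received.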