Avoiding DNS amplification attacks


Page 1: Avoiding dns amplification attacks


Page 2

Who am I?

@deassain

Security Advisor at a Big 4 company

security.stackexchange.com contributor

cloud101.eu

Page 3

What is DNS amplification?

Distributed Denial of Service Attack

Abuses a flaw in the DNS protocol's architecture

Spamhaus 300 Gbit/s

Page 4

Reasons

DNS request vs DNS response (UDP)

Open resolving name servers

No implementation of BCP38

Page 5

DNS Request vs Response Size

30 byte request → up to 500 byte response

1 Mbit on your machine → 17 Mbit at the target machine

Amplification

Page 6

Open resolvers

Resolve DNS queries for any host on the internet

Spoof UDP source to target IP address

Tons of DNS responses end up at the target

Get your machines and disable recursion from the internet! (or the crypto bear will kick your ass)
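A defender rarely sees the 30-byte-in, 500-byte-out ratio from page 5 or the "tons of responses" from page 6 until someone complains. The script below is an added example (not part of the original slides) that shows how both show up in a resolver's own query log: it parses a handful of constructed log lines, computes the response/request byte ratio per client, and flags clients outside the networks the resolver is meant to serve that still get recursive answers. The log format, the `LOCAL_NETS` list and the thresholds are assumptions for the example, not anything the slides specify.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log (not real data, not the slides' own):
# timestamp client_ip qname qtype request_bytes response_bytes recursion_desired
SAMPLE_LOG = """\
1380000000 192.0.2.10 isc.org ANY 36 3200 1
1380000001 192.0.2.10 isc.org ANY 36 3200 1
1380000002 192.0.2.10 isc.org ANY 36 3200 1
1380000003 10.0.0.5 example.com A 30 46 1
1380000004 198.51.100.7 example.net A 31 80 1
1380000005 192.0.2.10 isc.org ANY 36 3200 1
"""

# Assumption: the only networks this resolver should recurse for.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Turn the constructed log format into a list of dicts, one per query."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, req, resp, rd = line.split()
        records.append({
            "ts": int(ts),
            "client": ipaddress.ip_address(client),
            "qname": qname,
            "qtype": qtype,
            "req_bytes": int(req),
            "resp_bytes": int(resp),
            "rd": rd == "1",          # recursion-desired flag set by the client
        })
    return records


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def analyse(records, ratio_threshold=10.0, min_queries=3):
    """Return (stats, findings).

    stats    : per-client counters plus the response/request byte ratio
    findings : per-client list of tags ("external-recursion", "amplification")
    Note: under a spoofed-source attack the logged client IP is the victim,
    not the attacker, so findings identify traffic to investigate, not culprits.
    """
    stats = defaultdict(lambda: {"queries": 0, "recursive": 0, "any": 0,
                                 "req_bytes": 0, "resp_bytes": 0})
    for r in records:
        s = stats[str(r["client"])]
        s["queries"] += 1
        s["recursive"] += int(r["rd"])
        s["any"] += int(r["qtype"] == "ANY")
        s["req_bytes"] += r["req_bytes"]
        s["resp_bytes"] += r["resp_bytes"]

    findings = {}
    for client, s in stats.items():
        s["ratio"] = round(s["resp_bytes"] / s["req_bytes"], 1)
        tags = []
        # Page 6: recursion offered to hosts outside our own networks.
        if s["recursive"] and not is_local(ipaddress.ip_address(client)):
            tags.append("external-recursion")
        # Page 5: the byte ratio is the amplification factor an attacker gets.
        if s["ratio"] >= ratio_threshold and s["queries"] >= min_queries:
            tags.append("amplification")
        if tags:
            findings[client] = tags
    return dict(stats), findings


def run_example():
    return analyse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    stats, findings = run_example()
    for client, s in stats.items():
        print(f"{client:14} queries={s['queries']} any={s['any']} ratio={s['ratio']}")
    print("findings:", findings)
```

On the constructed input the outside client repeating `ANY` queries shows a ratio near 89 and is tagged with both findings; the internal client is clean. The fix the slide calls for (serving recursion only to your own networks) is what makes the `external-recursion` tag disappear.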

Page 7

BCP38: Ingress Filtering

Works for IPv4

http://tools.ietf.org/html/rfc2827

Upstream providers only forward traffic whose source address lies in the IP blocks assigned to their clients

Requires cooperation between ISPs
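The rule BCP38 asks a provider to enforce is simple enough to state as a function: a packet arriving on a customer interface is forwarded only if its source address belongs to a prefix assigned to that customer. The following is an added example (not the slides' own material and not a router's actual implementation) that models this check with Python's `ipaddress` module over a constructed topology, including the BOOTP/DHCP exception that RFC 2827 section 4 notes (source 0.0.0.0 to 255.255.255.255 must still reach the relay agent). Interface names, prefixes and packets are all assumptions made up for the example.

```python
import ipaddress

# Constructed policy (assumption): prefixes each customer-facing interface may originate.
INGRESS_POLICY = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/26")],
}

# RFC 2827 section 4: DHCP/BOOTP clients have no address yet and send from 0.0.0.0
# to the limited broadcast address; ingress filtering must not break that.
DHCP_SRC = ipaddress.ip_address("0.0.0.0")
DHCP_DST = ipaddress.ip_address("255.255.255.255")


def ingress_decision(iface, src, dst):
    """Return (action, reason) for one packet seen on a customer interface."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    allowed = INGRESS_POLICY.get(iface)
    if allowed is None:
        return "drop", "no ingress policy for interface"
    if src == DHCP_SRC and dst == DHCP_DST:
        return "permit", "BOOTP/DHCP exception (RFC 2827 s.4)"
    if any(src in net for net in allowed):
        return "permit", "source within assigned prefix"
    # This is the case that kills reflection: a packet claiming a source the
    # customer does not own never leaves the access network.
    return "drop", "source outside assigned prefix (spoofed)"


# Constructed packets: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.5", "192.0.2.53"),        # customer's own address: fine
    ("cust-a", "198.51.100.9", "192.0.2.53"),       # claims another customer's block
    ("cust-b", "198.51.100.150", "192.0.2.53"),     # inside 198.51.100.128/26
    ("cust-b", "198.51.100.200", "192.0.2.53"),     # outside both cust-b prefixes
    ("cust-b", "0.0.0.0", "255.255.255.255"),       # DHCP discover
    ("cust-c", "203.0.113.9", "192.0.2.53"),        # interface without a policy
]


def filter_packets(packets):
    """Apply the ingress check to each packet; returns a list of actions."""
    return [ingress_decision(*pkt)[0] for pkt in packets]


def run_example():
    return filter_packets(SAMPLE_PACKETS)


if __name__ == "__main__":
    for pkt, action in zip(SAMPLE_PACKETS, run_example()):
        print(f"{pkt[0]:7} {pkt[1]:16} -> {pkt[2]:16} {action}")
```

In production the same decision is expressed as an access list per customer port or, more commonly, as strict unicast RPF on the access router (`ip verify unicast source reachable-via rx` on Cisco IOS), which derives the allowed prefixes from the routing table instead of a hand-kept list. The "works for IPv4" note on the slide is the scope RFC 2827 itself claims; the check generalises to IPv6 prefixes unchanged, since `ipaddress` handles both families.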