>>>>> On Wed, 16 Feb 2000 12:02:22 -0800, Drew Smith <drewat_private> said:

Drew> TESO Security Advisory
Drew> 02/11/2000
Drew> Nameserver traffic amplify (DNS Smurf) and NS Route discovery (DNS Traceroute)
Drew>
Drew> Summary
Drew> ===================
Drew> Nameservers which accept and forward external DNS queries
Drew> may be abused as traffic amplifiers, exposing a possible
Drew> threat to network integrity by bandwidth saturation (DNS
Drew> Smurf).
Drew> A "deaf" pseudo nameserver may be used to discover the query
Drew> chain a DNS query takes through various nameservers,
Drew> allowing to make a traceroute like route discovery (DNS
Drew> Traceroute).
Drew> </quote>
Drew>
Drew> Anyone have any clue how to protect a nameserver against
Drew> this?

Sounds like:

ftp://ftp.auscert.org.au/security/advisory/AL-1999.004.dns_dos

  AL-1999.004 -- AUSCERT ALERT
  Denial of Service (DoS) attacks using the Domain Name System (DNS)
  13 August 1999

  [ ... ]

  WORKAROUND:

  The current tools and attacks are very straightforward and
  administrators can prevent their DNS servers from being used as
  amplifiers by configuring their servers to answer queries from
  unexpected sources with a small REFUSED response rather than a
  much larger name resolution response.

  [ ... ]

There's a lot of detail on BIND configuration for the workaround in the
advisory, and an associated patch (.../AL-1999.004.patch) to BIND.

The fix is (as usual) for all points on the Internet to deny spoofed
packets. Another case of the unscrupulous forcing the Internet to become
less helpful and friendly.

-jml
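As an added illustration of the AUSCERT workaround quoted above (this is not the advisory's own patch or configuration, and it is not part of the original mail), here is a BIND 9 named.conf fragment showing the open-amplifier settings beside the restricted ones; 192.0.2.0/24 and 198.51.100.0/24 are placeholder documentation networks standing in for the operator's own client ranges.

```conf
// Added example, not the advisory's patch. Only one "options" block
// may appear in a real named.conf; the two below are alternatives.
// 192.0.2.0/24 and 198.51.100.0/24 are placeholder client networks.

// --- Weak: recursion for anyone. A small spoofed query from the
//     Internet elicits a large answer sent to the spoofed source,
//     which is exactly the amplifier the advisory describes.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// --- Restricted: recursion only for known clients; everyone else
//     receives a short REFUSED reply (the AUSCERT workaround).
//     Authoritative zones remain answerable via allow-query, but
//     cached data is not handed out to unknown sources.
acl "trusted" { 127.0.0.0/8; 192.0.2.0/24; 198.51.100.0/24; };

options {
    directory "/var/named";
    recursion yes;
    allow-query       { any; };         // authoritative zones only
    allow-recursion   { "trusted"; };   // others get REFUSED
    allow-query-cache { "trusted"; };   // no cache answers for strangers
    // Response rate limiting (BIND 9.9 and later) bounds how much a
    // spoofed source can still draw out of zones we must answer for.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
```

Check the file with `named-checkconf` before reloading, then confirm from an address outside the trusted ranges that a recursive query now comes back with status REFUSED rather than a full answer.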
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:05:54 PDT