[dns-wg] Name servers problems

----- Original Message ----- 
From: "Jaap Akkerhuis" <jaap at NLnetLabs.nl>


> For those not on NANOG, on that list is quite some discussion going
> on about using (recursive) name servers for amplicication attacks.
> The discussion starts at
> http://www.merit.edu/mail.archives/nanog/threads.html#16000.o
>
> There is a special mailing list devoted on this problem by the isc:
> http://lists.oarci.net/mailman/listinfo/dns-operations, and this
> list is open to anyone.
>
> There is an US cert warning about this:
> http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf.
>
> The upshot is: Close your open recursive nameservers.
>
> Other info: http://dns.measurement-factory.com/surveys/sum1.html
> and a plug for a secure template by the cymru guys:
> http://www.cymru.com/Documents/secure-bind-template.html
>
> Maybe all this is worth a slot at the coming dns-wg (or eof) meeting?
>
> jaap
>
> Acknowledgement: Information compiled from messages from Harvey
> Allen, Lucy Lynch, Rob Thomas and others.
>
>

It might be worth mentioning that DNS is not the only service being abused 
for this kind of attack. Strictly speaking, any service replying to spoofed 
packets with more data than what they received are affected. That includes 
the tcp protocol and also authorative namservers (tip: dig -t a b.n 
@a.nic.fr)  that respond to queries. But recursive nameservers are obviously 
an easier target.. for now.



j
(which finds it interesting that people are discussing this issue now and 
not in around year 2000 which was, at least for me, the first time I noticed 
this problem.)