TAM Tip: Secure your DNS Servers!

A recent DDoS attack [1] directed to SpamHaus generated close to 300 Gbps of internet traffic, and a significative amount of traffic was generated by open DNS servers [2]. US-CERT issued an alert [3], in order to reduce the surface attack, as there are approximately 25 million misconfigured exploitable DNS servers [4]. Check if your DNS server only allows recursive queries from your target networks. Also, an interesting new feature in BIND, is the Response Rate Limiting (RRL) option [5,6], which limits how much similar queries a given zone can reply to a remote host in an interval. This feature is available in the latest (bind-9.8.2-0.17.rc1.el6_4.4) RHEL6 BIND server. For more information about DNS recursion, refer to this Red Hat knowledgebase article.

 

References:

[1] Online dispute becomes internet snarling attack

[2] The DDOS that almost broke the internet

[3] Alert: DNS Amplification Attacks

[4] Open DNS Resolver Project

[5] DNS Response Rate Limiting (DNS RRL)

[6] Response Rate Limiting in the Domain Name System (DNS RRL)