Read ICANN Blogs to stay informed of the latest policymaking activities, regional events, and more.

Do More to Prevent DNS DDoS Attacks

3 April 2013
By Dave Piscitello

Dave Piscitello, on behalf of the ICANN Security Team

In recent weeks, numerous high profile organizations and financial institutions have been targets of massive service disruption attacks. Several of these attacks are characteristically similar to attacks against top level domain name servers in 2006. ICANN’s Security and Stability Advisory Committee published an Advisory, SAC008 [PDF, 963 KB]: Distributed Denial of Service (DDoS) Attacks, shortly after the 2006 incidents. Recommendations from that Advisory remain relevant today.

We encourage private organizations, service operators and governments to carefully consider the recommendations from SAC 008, which describe the best known means to mitigate DDoS attacks.

“the most effective means of mitigating the effects of… numerous DoS attacks is to adopt source IP address verification” – SAC008

DDoS attacks commonly use IP addresses that are not allocated to the subscriber or IP addresses from reserved/private space to make it difficult to identify sources of attack traffic. This is called IP address spoofing. Access service providers or corporations should apply network ingress filtering (described in SAC004 and recommended by the Internet IAB in BCP038) to prevent spoofing. Squelching attack traffic close to its origins has the added benefit of relieving ISPs from forwarding malicious or criminal traffic. Everyone benefits when every operator filters spoofed source addresses, except would be attackers.

“Document operational policies relating to countermeasures… to protect [your] name server infrastructures against attacks that threaten [your] ability to offer service, give notice when such measures are implemented, and identify the actions affected parties must take to have the measures terminated.” – SAC008

I recently wrote an article, Preparing for the (Inevitable) DDoS Attack, that describes how to develop policies and prepare a response should your organization come under attack.

“disable open recursion on name servers from external sources and only accept DNS queries from trusted sources to assist in reducing amplification vectors for DNS DDoS attacks – SAC008

When open recursion is enabled on a DNS server, that server will accept DNS queries from any client (any IP source address). Attackers exploit open recursive servers in DDoS attacks and amplification attacks. US-CERT Alert TA13-088A recommends that all DNS operators:

  • Disable recursion on authoritative name servers
  • Limit recursion to authorized clients, and
  • Rate limit responses of recursive name servers

Alert TA13-088A also identifies ways for every organization to test whether any of its name servers are open resolvers, and lists sources that describe how to do so for major operating system and name server software. (Note: TA13-088A does not have a resource for Microsoft DNS server, try here.)

The ICANN Security Team encourages you to help mitigate this increasing threat to security, stability, and resiliency.


Dave Piscitello