Do More to Prevent DNS DDoS Attacks
Dave Piscitello, on behalf of the ICANN Security Team
In recent weeks, numerous high-profile organizations and financial institutions have been targets of massive service disruption attacks. Several of these attacks are characteristically similar to attacks against top-level domain name servers in 2006. ICANN’s Security and Stability Advisory Committee published an Advisory, SAC008 [PDF, 963 KB]: Distributed Denial of Service (DDoS) Attacks, shortly after the 2006 incidents. Recommendations from that Advisory remain relevant today.
We encourage private organizations, service operators and governments to carefully consider the recommendations from SAC008, which describe the best known means to mitigate DDoS attacks.
“the most effective means of mitigating the effects of… numerous DoS attacks is to adopt source IP address verification” – SAC008
DDoS attacks commonly use IP addresses that are not allocated to the subscriber or IP addresses from reserved/private space to make it difficult to identify sources of attack traffic. This is called IP address spoofing. Access service providers or corporations should apply network ingress filtering (described in SAC004 and recommended by the Internet IAB in BCP038) to prevent spoofing. Squelching attack traffic close to its origins has the added benefit of relieving ISPs from forwarding malicious or criminal traffic. Everyone benefits when every operator filters spoofed source addresses, except would-be attackers.
“Document operational policies relating to countermeasures… to protect [your] name server infrastructures against attacks that threaten [your] ability to offer service, give notice when such measures are implemented, and identify the actions affected parties must take to have the measures terminated.” – SAC008
I recently wrote an article, Preparing for the (Inevitable) DDoS Attack, that describes how to develop policies and prepare a response should your organization come under attack.
“disable open recursion on name servers from external sources and only accept DNS queries from trusted sources to assist in reducing amplification vectors for DNS DDoS attacks” – SAC008
When open recursion is enabled on a DNS server, that server will accept DNS queries from any client (any IP source address). Attackers exploit open recursive servers in DDoS attacks and amplification attacks. US-CERT Alert TA13-088A recommends that all DNS operators:
- Disable recursion on authoritative name servers
- Limit recursion to authorized clients, and
- Rate limit responses of recursive name servers
Alert TA13-088A also identifies ways for every organization to test whether any of its name servers are open resolvers, and lists sources that describe how to do so for major operating system and name server software. (Note: TA13-088A does not have a resource for Microsoft DNS server; try here.)
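One way to run the open-resolver test described above against your own name servers, as an added example that is not taken from this article, SAC008 or TA13-088A. The function names and the sample reply headers are assumptions constructed for illustration; the check sends a recursive query for a name the server is not authoritative for and reads the RA flag, RCODE and answer count of the reply.

```python
import socket
import struct

# Constructed 12-byte reply headers (ID 0x1234), not captured traffic.
SAMPLE_OPEN = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)       # QR, RD, RA set, 1 answer
SAMPLE_REFUSED = struct.pack("!6H", 0x1234, 0x8105, 1, 0, 0, 0)    # RCODE 5 (REFUSED)
SAMPLE_AUTH_ONLY = struct.pack("!6H", 0x1234, 0x8100, 1, 0, 0, 0)  # RA clear, no answer

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build an A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)

def classify_response(resp: bytes, txid: int = 0x1234) -> str:
    """Classify the reply to a recursive query for a name outside the server's zones."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", resp[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit clear (not a reply)
        return "malformed"
    rcode = flags & 0x000F
    recursion_available = bool(flags & 0x0080)
    if rcode == 5:
        return "refused"
    if recursion_available and rcode == 0 and ancount > 0:
        return "open-resolver"             # answered a stranger's recursive query
    if recursion_available:
        return "recursion-available"       # RA advertised but no answer: review ACLs
    return "no-recursion"

def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Query one of your own servers; run this from a host outside your network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_response(data)

if __name__ == "__main__":
    for label, sample in [("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED),
                          ("authoritative-only", SAMPLE_AUTH_ONLY)]:
        print(label, "->", classify_response(sample))
```

A result of `open-resolver` from an outside vantage point means the server still needs recursion disabled or limited to authorized clients, as in the list above.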
The ICANN Security Team encourages you to help mitigate this increasing threat to security, stability, and resiliency.