On Fri, 05 Nov 2010 11:30:26 Dobbins, Roland wrote:
This is a DNS reflection/amplification attack, which is predicated upon a) DNS servers misconfigured as open recursive resolvers and b) lack of anti-spoofing on network edges where bots are present. The largest DDoS attacks we see are launched this way (49gb/sec is the largest attack I've personally seen/worked).
Believe the previous poster was saying the DNS server wasn't an open recursive resolver - would only respond to queries from local addresses.
Never, ever put a stateful firewall in front of any kind of server - there's no state to inspect, and it's a DDoS chokepoint due to trivial state-table exhaustion of even the largest firewalls by bots sending programmatically-generated 'legitimate' traffic in order to crowd out real user traffic. Instead, use stateless ACLs in hardware-based routers/layer-3 switches to enforce policy.
Doesn't need statefulness. Packets coming into your network from outside with a source specifying an internal IP (like 192.168.0.0/16, 10.0.0.0/8, etc.) should be dropped. Even if you don't have services looking at the source address, such packets can be used to bounce a DDoS off a publicly visible machine on to another one which is accessible only locally. If I read correctly, such a firewall would have stopped that particular DNS server from being used for amplification.
Cheers,
Tim
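The stateless source-address check Tim describes, plus the edge anti-spoofing Roland lists as point b), as an added example that is not from this thread. The site prefix 203.0.113.0/24 and the sample packets are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

# The site's own public prefix: an assumption for this example (TEST-NET-3 documentation range).
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Sources that can never legitimately arrive from outside: the RFC 1918 ranges
# named in the post, loopback, and our own prefix (nobody outside is us).
BLOCKED_OUTSIDE_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    SITE_PREFIX,
]

class Packet(NamedTuple):
    direction: str  # "in" (arriving from the Internet) or "out" (leaving the site)
    src: str
    dst: str
    dport: int

def verdict(pkt: Packet) -> str:
    """Stateless per-packet decision: only header fields are examined and no
    connection table is kept, so a flood has no state to exhaust."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "in":
        # Ingress: drop anything claiming an internal or self-owned source.
        return "drop" if any(src in net for net in BLOCKED_OUTSIDE_SOURCES) else "accept"
    # Egress (BCP 38 style): only our own prefix may leave as a source, so a
    # bot inside cannot send traffic with someone else's address toward a reflector.
    return "accept" if src in SITE_PREFIX else "drop"

def apply_acl(pkts):
    return [verdict(p) for p in pkts]

# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("in", "198.51.100.7", "203.0.113.53", 53),   # ordinary external client
    Packet("in", "192.168.1.20", "203.0.113.53", 53),   # claims an internal source: spoofed
    Packet("in", "203.0.113.9", "203.0.113.53", 53),    # claims to be us, from outside: spoofed
    Packet("out", "203.0.113.40", "198.51.100.7", 53),  # legitimate outbound
    Packet("out", "192.0.2.77", "198.51.100.7", 53),    # inside host using a foreign source
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, apply_acl(SAMPLE)):
        print(f"{p.direction:3} {p.src:>14} -> {p.dst}:{p.dport}  {v}")
```

On real hardware the same two lists become ACL entries on the edge router; this script only shows which packets those entries would match.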