On Nov 5, 2010, at 5:23 AM, Richard Haakma wrote:
> It was receiving DNS requests from ip addresses in the same /24 as itself, but the requests were coming from outside the network.
This is a DNS reflection/amplification attack, which is predicated upon a) DNS servers misconfigured as open recursive resolvers and b) lack of anti-spoofing on network edges where bots are present. The largest DDoS attacks we see are launched this way (49 Gb/sec is the largest attack I've personally seen/worked).
So I recommend that the router or firewall in front of any nameserver be set so that it does not accept source addresses belonging to the local network from outside of the network.
Never, ever put a stateful firewall in front of any kind of server - there's no state to inspect, and it's a DDoS chokepoint due to trivial state-table exhaustion of even the largest firewalls by bots sending programmatically-generated 'legitimate' traffic in order to crowd out real user traffic. Instead, use stateless ACLs in hardware-based routers/layer-3 switches to enforce policy.
With regards to disabling open recursion, this is best accomplished a) by deploying a logically-separated, bulkheaded DNS architecture and b) properly configuring one's DNS servers.
See https://files.me.com/roland.dobbins/k54qkv for more BCP discussion.
-----------------------------------------------------------------------
Roland Dobbins
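The two controls the post recommends (a stateless anti-spoofing ACL at the network edge, and a nameserver that only recurses for its own clients) modelled as an added example. This is illustration code, not anything from Roland Dobbins' post or from any router or DNS vendor; the /24, the interface names "outside"/"inside", the packet fields and the sample packets are all constructed for the example, and the rendered ACL text is IOS-style syntax for the same prefix list. It also covers the egress (BCP 38) direction on the inside interface, which the post only mentions in passing as "anti-spoofing on network edges where bots are present".

```python
"""Stateless anti-spoofing filter plus recursion policy, modelled in Python.

Added example, not code from the post. Addresses, interface names and the
packet fields are constructed for the illustration; the ACL text is IOS-style
syntax rendered from the same prefix list.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical: the nameserver lives in this /24 (RFC 5737 documentation space).
LOCAL_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # "outside" (internet-facing) or "inside"
    src: str
    dst: str
    dport: int
    rd: bool = False  # DNS RD (recursion desired) flag, for port-53 packets


def in_prefixes(addr, prefixes):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in prefixes)


def edge_filter(pkt):
    """Stateless rule as a router ACL applies it: no session table, the
    decision depends only on this packet's header and its ingress interface."""
    local = in_prefixes(pkt.src, LOCAL_PREFIXES)
    if pkt.ingress_if == "outside" and local:
        # Internet packet claiming one of our own addresses: a reflection
        # attack aimed at us (the spoofed "source" is the victim).
        return "drop-spoofed-local-src"
    if pkt.ingress_if == "inside" and not local:
        # Our own hosts may not emit packets with foreign sources (BCP 38),
        # so a bot here cannot be used to reflect off someone else.
        return "drop-spoofed-foreign-src"
    return "accept"


def dns_policy(pkt, allow_recursion):
    """Server-side policy once the packet reaches the nameserver.
    allow_recursion is the list of client prefixes permitted to recurse
    (the role BIND's allow-recursion plays); the public authoritative server
    in a bulkheaded design gets an empty list."""
    if pkt.dport != 53:
        return "not-dns"
    if pkt.rd and not in_prefixes(pkt.src, allow_recursion):
        return "REFUSED"
    return "ANSWER"


def process(pkt, allow_recursion=LOCAL_PREFIXES):
    verdict = edge_filter(pkt)
    return verdict if verdict != "accept" else dns_policy(pkt, allow_recursion)


def ios_acl(name="EDGE-IN"):
    """Render the inbound half of the rule as IOS-style extended ACL lines.
    IOS uses wildcard (inverted) masks, hence hostmask."""
    lines = [f"ip access-list extended {name}"]
    for n in LOCAL_PREFIXES:
        lines.append(f" deny ip {n.network_address} {n.hostmask} any")
    lines.append(" permit ip any any")
    return lines


# Constructed packets covering each path through the policy.
SAMPLES = {
    # Internet packet spoofing our own /24 (the pattern in the post).
    "spoof_from_outside": Packet("outside", "198.51.100.7", "198.51.100.53", 53, rd=True),
    # Genuine outside client asking us to recurse: not an open resolver.
    "recursive_from_outside": Packet("outside", "203.0.113.9", "198.51.100.53", 53, rd=True),
    # Outside client asking a non-recursive (authoritative) question.
    "iterative_from_outside": Packet("outside", "203.0.113.9", "198.51.100.53", 53),
    # Our own client using our resolver.
    "recursive_from_inside": Packet("inside", "198.51.100.20", "198.51.100.53", 53, rd=True),
    # Infected inside host spoofing a foreign source (egress BCP 38 case).
    "spoof_from_inside": Packet("inside", "203.0.113.50", "192.0.2.1", 53, rd=True),
}


def run_samples():
    return {name: process(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24} -> {verdict}")
    print("\n".join(ios_acl()))
```

The spoofed packet never reaches the nameserver, which is the point of doing this in a stateless ACL: the router decides per packet from the header alone, so there is no state table for a flood to exhaust. Calling process() with allow_recursion=[] shows the public authoritative server's behaviour in a bulkheaded layout, where even inside clients get REFUSED for recursive queries and must use the separate internal resolver.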