Over the past few days we’ve seen a massive increase in both the number and volume of DNS Amplification Attacks using our recursive name servers. This is likely due to the fact that our new name servers provide more verbose answers and are therefore amplify traffic more effectively than our old servers. We unfortunately had to roll back blocking off-net use of our recursive servers and blocking these requests entirely is not currently an option at this time. To mitigate the effects of the attacks both on our systems and their targets, we’ve instituted rate limits on the total number of queries per second any given IP address is able to source to our servers. The rate limits are high enough that they should not interfere with any normal (and acceptable) use. However, it is possible that a customer doing bulk DNS lookups (such as log processing or running a busy mail server) may run into issues and experience intermittent delays resolving host names.
-Kelsey, Augie and Nathan
You are using RRL, yes? If not:
http://www.redbarn.org/dns/ratelimits
Really. Please.
Paul, we aren’t using response limiting in bind, but rather iptables hashlimits on inbound queries. This seems to be working fairly well as a mitigation technique. The next level will be to discard the three queries we see used in the amplification attacks.
May I propose that you look through the archives from the last six months of the DNS-OARC’s dns-operations mailing list? There have been some good threads on iptables vs. RRL for exactly the attack scenario you are seeing.
I am concerned that you will be dropping legitimate requests from your business customers (like me!).
Paul, it is a little easier to have a discussion on the forums. The rate limits are set very generously right now so and I hope that little, if any, legitimate traffic is blocked but is is possible that someone running either a busy mail server or with a fairly large group of users behind NAT could run into issues.