DNS reflection or DNS amplification attacks" - How to secure your DNS server?"

The nature of DNS reflection attacks and what DNS operators can do to prevent their DNS servers to be used as weapons in DNS reflection attacks.

Apr 4th, 2013

DNS Servers as weapons?

The usually stealth DNS was in the news recently when some very worrisome news surfaced last week. A feud between an anti-spam organisation (Spamhaus) and a hosting site that is accused of offering spam senders a safe haven has escalated, and the criminals used DNS and BGP to attack Spamhaus.

The press picked the story up from Cloudfare, and while the Internet was not at risk, as some wrote, the attack was big enough to bring down servers on the Internet and even single networks. That is a scary thought, especially as any one of us could be a victim of such attacks in the future. Many organizations today cannot survive very long without Internet, and once you are under attack even by just one individual, it might be difficult and expensive in terms of time and money to mitigate these attacks.

While not all parts of the recent attacks were caused by DNS, the larger part of the denial of service attack was. Experts have known about these kind of attacks (known as "DNS reflection" and "DNS amplification" attacks), and also the solutions for years. But many DNS administrators are not aware of the problem, or have not made it a priority to prevent their DNS servers from being used as a weapon for criminals. Many are running outdated DNS server software or a DNS server that is unknowingly configured to be a weapon in such attacks. The US-Cert (Computer Emergency Response Team) was prompted by the recent attacks to issue instructions on how to secure a DNS server.

How to secure your DNS server

Having your DNS server "open" doesn't only put other users of the Internet at risk, but also eats away your own resources. You network gets more saturated and your DNS service will be slowed down when your DNS server is misused for attacks. It only takes a minute to secure your DNS server so that it cannot be used as a weapon in Denial of Service attacks, and here's how:

* close down open DNS resolvers

* implement BCP38 or ask your upstream provider to implement it

* deploy DNS Response Rate Limiting on authoritative DNS Servers

* monitor your DNS servers to detect attacks

Men&Mice Webinar
"The dangers of DNS reflection attacks (and how to mitigate them)"

To help you with the task, Men&Mice is offering a FREE 1 hour WEBINAR.

This webinar will explain the nature of DNS reflection attacks and what DNS operators on Unix (BIND DNS) and Windows (Microsoft DNS) can do to prevent their DNS servers to be used as weapons in DNS reflection attacks.