Last week, the largest DDoS attack on record hit the Internet, leveraging what is known as a DNS Amplification attack.
The U.S. Government’s US-CERT is now warning about the risks associated with DNS Amplification attacks and providing some guidance on how they can be mitigated.
The first step in preventing and mitigating DNS Amplification attacks is to properly configure recursive DNS servers.
US-CERT advises that many DNS servers are intended to serve only a single domain (that is, to be authoritative for it) and should not enable recursion at all.
“For DNS servers that are deployed within an organization or ISP to support name queries on behalf of a client, the resolver should be configured to only allow queries on behalf of authorized clients,” US-CERT advises. “These requests should typically only come from clients within the organization’s network address range.”
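The advice above maps directly onto two resolver settings. The BIND 9 `named.conf` fragments below are an added example, not part of the US-CERT alert; the addresses are constructed from the RFC 5737/3849 documentation ranges, and `example.com` stands in for whatever zone the server actually hosts. Each fragment is a separate configuration (a single `named.conf` may contain only one `options` block), so pick the one matching the server's role.

```conf
// WEAK: an "open resolver". Recursion is on and no allow-recursion ACL is set
// (the default in older BIND releases), so any host on the Internet can use
// this server as a reflector.
options {
    recursion yes;
};

// CORRECTED, case 1: the server only serves the organisation's own zone(s).
// There is nothing to recurse for, so turn recursion off entirely.
options {
    recursion no;
    allow-query { any; };          // anyone may still ask for the zones we host
};
zone "example.com" { type master; file "db.example.com"; };

// CORRECTED, case 2: a recursive resolver for internal clients only.
acl "trusted" {
    192.0.2.0/24;                  // the organisation's own address range
    2001:db8::/32;
    localhost;
};
options {
    recursion yes;
    allow-recursion { trusted; };   // recursive service only for the ACL
    allow-query-cache { trusted; }; // don't hand cached answers to outsiders either
    allow-query { any; };           // authoritative answers remain public
};
```

To check the result, run `dig @192.0.2.53 example.net A` from a host outside the ACL: the reply header should show `status: REFUSED` with no answer section, which is exactly what denies an attacker a large response to reflect. From a host inside the ACL the same query should resolve normally.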
DNS Amplification attacks also depend on spoofed source IP addresses: the attacker forges the victim's address on its queries so that the resolver's much larger responses are delivered to the victim. US-CERT therefore suggests that Internet Service Providers deny any DNS traffic with spoofed source addresses. That suggestion is not a new idea. The IETF issued a ‘Best Current Practice’ document in 2000 (BCP 38, RFC 2827, ‘Network Ingress Filtering’) advising ISPs to filter traffic carrying forged source IP addresses.
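The two mitigations work on different parts of the attack: restricting recursion removes the amplification, and ingress filtering at the ISP removes the reflection. The Python model below, an added example rather than anything from the article or from US-CERT, ties the resolver-ACL paragraph above and the spoofing paragraph together. The addresses, the network layout and the packet sizes (a 64-byte query, a 3000-byte answer, a 64-byte REFUSED) are all constructed assumptions chosen to make the arithmetic visible.

```python
"""Model of a DNS amplification attack and the two controls US-CERT recommends.

Added example, not part of the original article. All addresses come from the
RFC 5737 documentation ranges and all sizes are assumed, not measured.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable

# Constructed layout: attacker inside an ISP customer prefix, a resolver run by
# some organisation, and a victim somewhere else on the Internet.
ATTACKER = ip_address("203.0.113.77")
ISP_CUSTOMER_PREFIXES = [ip_network("203.0.113.0/24")]  # what the ISP assigned to that port
RESOLVER = ip_address("192.0.2.53")
ORG_CLIENTS = [ip_network("192.0.2.0/24")]              # the organisation's own range
VICTIM = ip_address("198.51.100.10")
ANY_CLIENT = [ip_network("0.0.0.0/0")]                  # an open resolver's effective ACL

# Assumed sizes: a small query for a record set that yields a large answer.
QUERY_BYTES = 64
FULL_ANSWER_BYTES = 3000
REFUSED_BYTES = 64      # header plus echoed question, no answer section


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    size: int


def in_any(addr: IPv4Address, nets: Iterable[IPv4Network]) -> bool:
    return any(addr in net for net in nets)


def ingress_filter_passes(pkt: Packet, customer_prefixes: Iterable[IPv4Network]) -> bool:
    """BCP 38: an ISP edge forwards a packet arriving on a customer port only if
    its source address lies within the prefixes assigned to that customer."""
    return in_any(pkt.src, customer_prefixes)


def resolver_reply(query: Packet, allow_recursion: Iterable[IPv4Network]) -> Packet:
    """Resolver policy: clients outside the allow-recursion ACL get REFUSED with
    no answer data, so the reply is no larger than the query they sent."""
    size = FULL_ANSWER_BYTES if in_any(query.src, allow_recursion) else REFUSED_BYTES
    return Packet(src=query.dst, dst=query.src, size=size)  # reply goes to the (forged) source


def attack(bcp38_at_isp: bool, resolver_acl: Iterable[IPv4Network], queries: int = 1000) -> dict:
    """Attacker sends `queries` DNS queries to RESOLVER with VICTIM as the forged
    source. Returns bytes sent, bytes landing on the victim, and the ratio."""
    spoofed = Packet(src=VICTIM, dst=RESOLVER, size=QUERY_BYTES)
    sent = QUERY_BYTES * queries
    if bcp38_at_isp and not ingress_filter_passes(spoofed, ISP_CUSTOMER_PREFIXES):
        return {"sent": sent, "to_victim": 0, "amplification": 0.0}  # dropped at the ISP edge
    reply = resolver_reply(spoofed, resolver_acl)
    to_victim = reply.size * queries
    return {"sent": sent, "to_victim": to_victim, "amplification": to_victim / sent}


if __name__ == "__main__":
    for label, bcp38, acl in [
        ("open resolver, no BCP 38", False, ANY_CLIENT),
        ("restricted resolver, no BCP 38", False, ORG_CLIENTS),
        ("open resolver, BCP 38 at ISP", True, ANY_CLIENT),
    ]:
        print(f"{label}: {attack(bcp38, acl)}")
```

With these assumed sizes the open resolver turns 64 KB of queries into roughly 2.9 MB aimed at the victim (about 47x); restricting recursion drops that to 1x, since REFUSED replies still reach the victim but carry no amplification; ingress filtering stops the spoofed queries before they reach any resolver at all. Real deployments enforce the BCP 38 check with router ACLs or unicast reverse-path forwarding rather than application code, and the ratio varies with the record set the attacker queries.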