
DNS Amplification attacks

STEAM-ADVISORY NO. 2013082601
PURDUE UNIVERSITY SECURITY TEAM CIRT
Monday, August 26 17:40:00 EDT 2013


==OVERVIEW==

We have received several external notices of open DNS servers that
answer recursive requests on the Purdue network. These servers can be
used to attack other organizations through Distributed Denial of
Service attacks (DDoS). This type of attack is known as DNS
Amplification. To prevent the Purdue network from being a launch point
for devastating attacks across the Internet, we ask that you review
your DNS configuration and disable recursive requests.

==SYSTEMS AFFECTED==

Open DNS servers that answer recursive requests are used to attack other
systems at Purdue and across the Internet.

==DETAILS==

Open DNS resolvers can be abused to launch DDoS attacks against web sites,
servers, and services. These attacks can deny legitimate service to
authorized users as well as cause performance side-effects for smaller
networks. This type of attack is known as a DNS amplification attack.
A small, spoofed recursive DNS request can generate a large response
sent to the target. As more illegitimate requests are made, the target
is quickly overwhelmed, resulting in a denial of service.

A misconfigured DNS server can be used to participate in DDoS attacks.
This means that DNS servers in your domain that resolve recursive
requests can be used to attack other systems here at Purdue and across
the Internet. In addition to attacking remote systems, the traffic
generated by DNS amplification attacks can saturate local networks and
degrade performance for your local network and the entire campus.
Attacks originating from the Purdue network can lead to subnet
blacklisting and harm to Purdue's reputation.

==SOLUTIONS==

1) Limit DNS recursive requests to a group of authorized local
clients, if recursive requests are needed.
2) Disable recursive requests for all other clients.

Details for the configuration of BIND and Windows are included in the
articles below.

www.us-cert.gov/ncas/alerts/TA13-088A
technet.microsoft.com/en-us/library/cc771738.aspx

==VERIFICATION==

The Nmap network mapping tool can be used to verify that the DNS
resolver no longer answers recursive DNS requests. Use the following
command, replacing <IP> with the IP address of the DNS server, to
verify that DNS recursive requests have been disabled:

$ nmap -sU -p 53 -sV -P0 --script "dns-recursion" <IP>
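
The same question can be asked at the wire level. The following is an
added example, not part of the original advisory and not Nmap's own
code: it sends one query with the RD (recursion desired) bit set and
reads the RA (recursion available) bit, the response code and the
answer count from the reply header. The function names, the fixed query
ID and the test name example.com are assumptions of this example; the
name must be one the server is not authoritative for.

```python
import socket
import struct

QID = 0x1234  # fixed query ID, chosen for this example

def build_query(name="example.com", qid=QID):
    """DNS A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data, qid=QID):
    """Return 'open', 'recursion-advertised', 'refused', 'no-recursion' or 'malformed'."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:   # wrong ID, or QR bit clear (not a reply)
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:                          # REFUSED: recursion denied to this client
        return "refused"
    if flags & 0x0080:                      # RA: server offers recursion to this client
        return "open" if rcode == 0 and ancount > 0 else "recursion-advertised"
    return "no-recursion"

def check_server(ip, name="example.com", timeout=3.0):
    """Send one recursive query to UDP/53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify_response(data)

if __name__ == "__main__":
    # Constructed 12-byte reply headers (not captured traffic).
    samples = {
        "answers recursively": struct.pack("!HHHHHH", QID, 0x8180, 1, 1, 0, 0),
        "refuses": struct.pack("!HHHHHH", QID, 0x8105, 1, 0, 0, 0),
        "authoritative-only": struct.pack("!HHHHHH", QID, 0x8100, 1, 0, 0, 0),
    }
    for label, reply in samples.items():
        print(label, "->", classify_response(reply))
```

Run check_server against your own server from a host outside the
authorized client group: a client inside that group is still expected to
see "open" after recursion has been restricted.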

==FURTHER INFORMATION AND RESOURCES==

www.us-cert.gov/ncas/alerts/TA13-088A
www.openresolverproject.org
www.nmap.org

==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to:
itap-securityhelp@purdue.edu.

Report computer-related abuse to steam-cirt:
www.purdue.edu/securePurdue/incidentReportForm.cfm
www.purdue.edu/securepurdue/steam

Posted by ITSP on August 26, 2013, in Advisory Alerts.