On Tue, Jan 20, 2009 at 12:54:32PM -0800, Wil Schultz wrote:
> Anyone else noticing "." requests coming in to your DNS servers?

I was surprised to see 'amplification' in the subject line here, since on my nameservers my replies are of equal length to the queries. A little bit of asking around, and I see that it is an amplification attack, preying on old software.

Let me sum up:

If you're running 9.4 or later, you will reply to these packets with 45 octet RCODE:Refused replies. 1:1. 9.4 has an "allow-query-cache" directive that defaults to track allow-recursion, which you should have set appropriately.

If you're running 9.3 or earlier, you will reply to these queries "out of cache" (the root hints), and those replies can be 300-500 octets I think. 1:6-11.

So in lieu of keeping a new up-to-date list of IP addresses to filter, as it expands and shrinks, you can greatly reduce your own footprint in these attacks with a quick upgrade.

-- 
David W. Hankins                        "If you don't do it right the first time,
Software Engineer                            you'll just have to do it again."
Internet Systems Consortium, Inc.                        -- Jack T. Hankins
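The two reply sizes David contrasts (a bare REFUSED versus a root-hints referral) can be reproduced on the wire without a nameserver. The following is an added example, not code from the thread or from ISC: it builds the '. NS' query, a REFUSED reply, and a referral carrying 13 NS records with 13 A glue records using RFC 1035 name compression, then measures bytes returned per byte received with the IPv4+UDP headers (28 octets) included. Assumptions: the probe is type NS with RD set, the hint TTL is 3600000, and the 13 root server addresses are TEST-NET placeholders constructed for this example, not the real ones.

```python
import struct

IP_UDP_OVERHEAD = 20 + 8  # IPv4 header + UDP header: what actually crosses the wire

# Constructed hint set: the 13 root server names are real, the addresses are
# TEST-NET-1 placeholders chosen for this example, not the real root addresses.
ROOT_HINTS = [(f"{c}.root-servers.net", f"192.0.2.{i + 1}")
              for i, c in enumerate("abcdefghijklm")]


class DnsMessage:
    """Minimal RFC 1035 wire-format builder with name compression (section 4.1.4)."""

    def __init__(self, txid, flags, qdcount, ancount, nscount, arcount):
        self.buf = bytearray(struct.pack("!HHHHHH", txid, flags,
                                         qdcount, ancount, nscount, arcount))
        self.offsets = {}  # name suffix -> offset of its first occurrence, for pointers

    def append_name(self, name):
        labels = [l for l in name.rstrip(".").split(".") if l]
        while labels:
            suffix = ".".join(labels)
            if suffix in self.offsets:  # reuse the earlier occurrence via a 2-byte pointer
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            self.offsets[suffix] = len(self.buf)
            self.buf += bytes([len(labels[0])]) + labels[0].encode("ascii")
            labels = labels[1:]
        self.buf += b"\x00"  # terminating root label; "." on its own is just this byte

    def append_question(self, name, qtype):
        self.append_name(name)
        self.buf += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN

    def append_rr(self, owner, rtype, ttl, rdata_name=None, rdata_raw=b""):
        self.append_name(owner)
        self.buf += struct.pack("!HHI", rtype, 1, ttl)  # TYPE, CLASS IN, TTL
        length_pos = len(self.buf)
        self.buf += b"\x00\x00"  # RDLENGTH, patched once the (compressed) rdata is written
        start = len(self.buf)
        if rdata_name is not None:
            self.append_name(rdata_name)
        else:
            self.buf += rdata_raw
        struct.pack_into("!H", self.buf, length_pos, len(self.buf) - start)

    def wire_size(self):
        return len(self.buf) + IP_UDP_OVERHEAD


def build_root_query(txid=0x1234):
    """The probe discussed in the thread: '. IN NS' with RD set (query type is an assumption)."""
    m = DnsMessage(txid, 0x0100, 1, 0, 0, 0)
    m.append_question(".", 2)
    return m


def build_refused(txid=0x1234):
    """What BIND 9.4+ returns when allow-query-cache denies the source:
    header + echoed question, QR set, RCODE 5 (REFUSED), nothing else."""
    m = DnsMessage(txid, 0x8000 | 0x0100 | 5, 1, 0, 0, 0)
    m.append_question(".", 2)
    return m


def build_root_referral(txid=0x1234, hints=ROOT_HINTS):
    """What an older cache answers out of its root hints:
    13 NS records in the answer section plus 13 A glue records in the additional section."""
    m = DnsMessage(txid, 0x8000 | 0x0100 | 0x0080, 1, len(hints), 0, len(hints))  # QR, RD, RA
    m.append_question(".", 2)
    for host, _ in hints:
        m.append_rr(".", 2, 3600000, rdata_name=host)  # NS, rdata compressed after the first
    for host, ip in hints:
        m.append_rr(host, 1, 3600000,
                    rdata_raw=bytes(int(o) for o in ip.split(".")))  # A glue, owner is a pointer
    return m


def amplification(query, reply):
    """Bytes sent back per byte received, measured on the wire (IP + UDP included)."""
    return reply.wire_size() / query.wire_size()


if __name__ == "__main__":
    q = build_root_query()
    for label, reply in (("REFUSED", build_refused()), ("root referral", build_root_referral())):
        print(f"{label}: {reply.wire_size()} octets on the wire, "
              f"amplification {amplification(q, reply):.2f}x")
```

With these assumptions the query and the REFUSED reply both come to 45 octets on the wire (1:1), while the compressed referral is 464 octets, roughly 1:10 and inside the 1:6-11 range given above. To measure a real server rather than this model, `dig @<server> . NS` reports the reply length on its `MSG SIZE  rcvd:` line, which you can compare against the query size to see which of the two behaviours your resolver exhibits to addresses that should not be allowed to use its cache.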