DNS DDoS attacks

Great ! I had the chance to see DNS DDoS taking place.

A zombie was using faked source IP address to query the NS of root domain. The hidden attacker was trying to find a open recursive resolver to flood packets to the victim with IP address My resolver has open recursive prohibited so the requests were denied. Actually, if the target resolver had open recursive not closed, for each query packet with 45 bytes, it returned an answer with about 400 bytes. Hence the amplification factor is great, almost 10 times.

Though the action taking place was harmless to my server and the loading was light, yet it generated about 10k lines everyday in log file. I have to use iptables to block udp with packet length 45 bytes which is the exact packet size of performing ns query on root domain, syntax as below:

#iptables -I INPUT -p udp --dport 53 -m length --length 45 -j DROP
Bingo, it blocks as expected.

No comments: