[Sysadmins] Eircom DNS woes...

Colm MacCárthaigh colm at allcosts.net
Wed Jul 15 09:09:23 IST 2009


On Wed, Jul 15, 2009 at 9:02 AM, Brian Boyle<brian.boyle at heanet.ie> wrote:
> Can this help with a DDoS aimed at DNS poisoning though? In that case,
> the packets will pass any filter check, unless there's a stateful firewall
> in the way, which itself would probably become the point of failure.

It can, a little. For example, let's say that www.rte.ie is being
spoofed as part of the attack. The DDoS style cache poisoning
mechanisms require the attackers to spoof answers either from the root
nameservers, the IE nameservers, or the RTE nameservers. Since Eircom
and RTE both peer at INEX, using strict RPF might offer some
protection against that one. Many of the IE nameservers are reachable
that way too, and one of the root servers. So that helps.

The next thing that a network admin could do is to analyse the hop
counts to each of the root servers, each of the IE nameservers and so
on, and to enable ttl-based ACLs (with a range of +/- 2 or so, to
handle path changes) as a temporary measure. That might cut out enough
traffic to get way below the volume needed to successfully spoof an
answer to a cache.  But it does take some analysis and automation.

-- 
Colm
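The TTL-based ACL idea in the message above, worked through as an added example (this is not code from the thread or from any Eircom or HEAnet system): for each upstream nameserver you observe the IP TTL of genuine answers, infer the hop count from the usual initial TTLs (64, 128, 255), and accept further answers from that source only when the TTL falls within +/- 2 of the baseline. All addresses below are RFC 5737 documentation addresses and all TTL samples are constructed; they stand in for the root, .ie and rte.ie nameservers named in the mail.

```python
"""Build a TTL-window ACL from observed DNS answers and classify new packets.

Added example, not from the original mailing-list post. Source addresses are
RFC 5737 documentation addresses and the TTL samples are constructed.
"""
from statistics import median

# Initial TTLs used by common operating systems and routers.
INITIAL_TTLS = (64, 128, 255)

# Tolerance suggested in the mail: +/- 2 hops to absorb routing changes.
TOLERANCE = 2

# Constructed baseline: TTLs seen on genuine answers from two nameservers
# (stand-ins for, e.g., a root server and one of the IE nameservers).
BASELINE_TTLS = {
    "192.0.2.10": [241, 241, 240, 241],   # placeholder for a root server
    "198.51.100.53": [55, 56, 55],        # placeholder for a .ie nameserver
}

# Constructed incoming packets: (source address, observed IP TTL).
SAMPLE_PACKETS = [
    ("192.0.2.10", 241),      # genuine path length, accepted
    ("192.0.2.10", 248),      # same source claimed, but 7 hops closer: dropped
    ("198.51.100.53", 56),    # one hop of drift, inside the window
    ("198.51.100.53", 120),   # sender started from TTL 128, clearly spoofed
    ("203.0.113.7", 50),      # no rule for this source, left to other filters
]


def infer_initial_ttl(observed_ttl: int) -> int:
    """Smallest standard initial TTL that is >= the observed value."""
    return min(t for t in INITIAL_TTLS if t >= observed_ttl)


def hop_count(observed_ttl: int) -> int:
    """Estimated number of routers between the sender and us."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def build_ttl_acl(samples: dict, tolerance: int = TOLERANCE) -> dict:
    """Map each source address to an (lo, hi) TTL window around its median."""
    acl = {}
    for src, ttls in samples.items():
        centre = int(median(ttls))
        acl[src] = (max(1, centre - tolerance), min(255, centre + tolerance))
    return acl


def classify(acl: dict, src: str, ttl: int) -> str:
    """'accept'/'drop' for sources with a rule, 'pass' when no rule exists."""
    if src not in acl:
        return "pass"
    lo, hi = acl[src]
    return "accept" if lo <= ttl <= hi else "drop"


def filter_packets(acl: dict, packets: list) -> dict:
    """Count how the sample packets would fare under the ACL."""
    counts = {"accept": 0, "drop": 0, "pass": 0}
    for src, ttl in packets:
        counts[classify(acl, src, ttl)] += 1
    return counts


if __name__ == "__main__":
    acl = build_ttl_acl(BASELINE_TTLS)
    for src, (lo, hi) in acl.items():
        hops = hop_count(int(median(BASELINE_TTLS[src])))
        print(f"{src}: ~{hops} hops, accept TTL {lo}..{hi}")
    for src, ttl in SAMPLE_PACKETS:
        print(f"{src} ttl={ttl}: {classify(acl, src, ttl)}")
    print(filter_packets(acl, SAMPLE_PACKETS))
```

The window only narrows the space a spoofer can use; it does not close it, which is why the mail presents it as a temporary measure alongside strict RPF at the exchange. The baseline also has to be refreshed when paths change, so in practice the sampling step is what needs automating.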


