Churchill Agu
asked on
In this case I work for an ISP company. What do you advise as a possible fix?
I had this question after viewing DNS Amplification DDoS Attacks.
ASKER
Thanks for the response, Johnson, but I do not understand the second scenario.
As an ISP you probably host DNS services (recursive) for your customers as part of your DHCP routines.
Your customers may have their own DNS servers for their local network, and they may configure them to also be available from the WAN.
If they are targeted as an open DNS server to be used as a source of the DNS amplification, it could adversely affect ALL of your customers. As part of your security team, check your IP range for open DNS servers, send the account admin a notice, and see if they really need their DNS to be available from the WAN.
1) Only allow generic DNS requests from your customers, not from the world at large (you don't aim to provide 1.1.1.1, 8.8.8.8 or 9.9.9.9, I guess).
(Validate the origin of those packets; they should actually be coming from the "inside" of your firewall between the internet and your customers.)
2) Better verify response packets? (Disallow outgoing DNS packets, UDP source port 53, that are larger than 512 bytes of payload?)
3) Rate-limit answers?
4) Are your customers running DNS? Dedicated for their domains (OK, no problem) or open DNS servers? The latter should be disallowed/discouraged.
These are guys that should know about their business:
https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
Using a Cisco router, for example, traffic can be sent to the null0 interface; this interface automatically drops all traffic. If you know the source address range(s) of a DDoS attack, you can drop that traffic by configuring the router to send the attacking range to null0. I.e., if the DDoS fills the uplink, then we add a null0 route manually to blackhole the target IP, as with the BGP blackhole method.
For more information about DoS controls, visit www.cisco.com/web/about/security/intelligence/guide_ddos_defense.html
https://www.noction.com/blog/bgp-blackhole-community
https://www.cloudflare.com/learning/ddos/glossary/ddos-blackhole-routing/
If one of your customers has port 53 open to the internet, inform them of the problem and ask that they don't allow DNS lookups over the internet.
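The advice above (check your IP range for open DNS servers, and find customers with port 53 open to the internet) can be automated. The following is an added example, not code from any of the posters: it hand-builds a DNS query with the RD bit set, sends it to UDP/53 on every host in a prefix, and flags hosts whose reply has RA set and carries an answer for a name they are not authoritative for. It also reports the amplification factor (response bytes / query bytes), which is the number an attacker cares about. The probe name example.com, the prefix 203.0.113.0/24 and the 2-second timeout are assumptions for illustration; substitute the prefixes your ISP actually announces.

```python
"""Scan a prefix for open recursive DNS resolvers (added example)."""
import ipaddress
import socket
import struct
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Optional

PROBE_NAME = "example.com"   # assumed probe name; pick one you do not host yourself
QTYPE_A = 1
QTYPE_ANY = 255              # ANY is the query type amplifiers have historically abused


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels (RFC 1035, section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Query with RD=1 and no EDNS, so a correctly configured non-recursive
    server replies with RA=0 and an empty answer section (or REFUSED)."""
    flags = 0x0100                                    # RD set, all other bits 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


@dataclass
class ProbeResult:
    txid_matches: bool
    recursion_available: bool
    rcode: int
    answer_count: int
    amplification: float

    @property
    def is_open_resolver(self) -> bool:
        # RA set plus a real answer for a foreign name means anyone on the
        # internet can use this host as a reflector/amplifier.
        return (self.txid_matches and self.recursion_available
                and self.rcode == 0 and self.answer_count > 0)


def parse_response(query: bytes, response: bytes) -> ProbeResult:
    """Only the 12-byte header is needed to classify the reply."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return ProbeResult(
        txid_matches=(txid == struct.unpack("!H", query[:2])[0]),
        recursion_available=bool(flags & 0x0080),     # RA bit
        rcode=flags & 0x000F,
        answer_count=an,
        amplification=len(response) / len(query),
    )


def probe(ip: str, name: str = PROBE_NAME, qtype: int = QTYPE_A,
          timeout: float = 2.0) -> Optional[ProbeResult]:
    """Send one UDP query and classify the reply; None if nothing comes back."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (ip, 53))
            data, _ = sock.recvfrom(4096)
        except (socket.timeout, OSError):
            return None
    return parse_response(query, data)


def scan_range(cidr: str, workers: int = 64, **kw) -> dict:
    """Probe every host in a CIDR in parallel; returns {ip: ProbeResult}
    for the hosts that behave as open resolvers."""
    hosts = [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda ip: (ip, probe(ip, **kw)), hosts)
    return {ip: r for ip, r in results if r is not None and r.is_open_resolver}


if __name__ == "__main__":
    # Assumed prefix from the documentation ranges; replace with your own.
    for ip, res in scan_range("203.0.113.0/24").items():
        print(f"{ip}: open resolver, amplification x{res.amplification:.1f}")
```

Run it against your own customer prefixes only, and treat every hit as a ticket for the account admin rather than a reason to block port 53 outright: a server that answers only for its own zones (RA clear, no answer for the probe name) is the "dedicated for their domains" case the thread says is fine. Re-running the probe with QTYPE_ANY against a hit shows the larger response an attacker would actually solicit.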