Nameserver Traffic Amplification and NS Route Discovery Vulnerability
Solution: This vulnerability is, in essence, a failing in the default configuration of popular name servers. As with most other amplification problems, a properly configured name server cannot be used to conduct this attack. Administrators should not allow recursive queries to their nameservers except from trusted hosts or networks. For bind, the option to set is the "allow-query" option. By setting this to a list of hosts or networks allowed to query recursively, you can prevent your servers from being used as an amplification site. There is no easy way to prevent your network from being targeted in this manner. Filtering packets destined for port 53 on hosts which do not run a name server will only prevent traffic of this type from getting behind your firewall or router; it can still consume your bandwidth. A possible method to combat in-progress attacks is to set up a dummy nameserver on the host being targeted which responds to all queries with bogus information. This will prevent some of the bandwidth amplification from being effective. The post detailing this vulnerability makes special note that having even one nameserver capable of being used to conduct this attack can still allow an attacker to utilize your other nameservers, assuming the vulnerable nameserver can query the other nameservers.
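The amplification described above comes from a small recursion-desired query producing a much larger answer. As an added example (not code from the advisory), the following Python builds such a query, decodes the reply header to tell an open recursive resolver from a server that refuses the client, and reports the reply-to-query size ratio; both replies are constructed in memory, so nothing is sent on the network, and the name example.com and the 192.0.2.x addresses are placeholders.

```python
import struct

# Constructed example (not from the advisory): build a recursion-desired query,
# then inspect a reply header to see whether recursion was offered to us and how
# much larger the reply is than the query (the amplification factor).

RCODE_REFUSED = 5

def build_query(qname, txid=0x1234, qtype=1):
    """Minimal DNS query for qname with the RD (recursion desired) bit set."""
    flags = 0x0100  # QR=0, opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode()
                      for lab in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(pkt):
    """Decode the 12-byte DNS header into the fields this check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def classify(query, response):
    """Return (verdict, amplification ratio) for a reply to our RD=1 query."""
    h = parse_header(response)
    ratio = round(len(response) / len(query), 2)
    if h["id"] != parse_header(query)["id"] or not h["qr"]:
        return "not a reply to our query", ratio
    if h["rcode"] == RCODE_REFUSED:
        return "recursion refused (restricted server)", ratio
    if h["ra"] and h["ancount"] > 0:
        return "open recursive resolver", ratio
    return "no recursion offered", ratio

def fake_reply(query, answers, rcode=0, ra=True):
    """Constructed reply: echo the question, append one A record per address."""
    txid = parse_header(query)["id"]
    flags = 0x8100 | (0x0080 if ra else 0) | rcode  # QR=1, RD=1, RA?, RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(ip)
                   for ip in answers)  # name pointer + type A, IN, TTL, rdlen
    return header + query[12:] + rrs

QUERY = build_query("example.com")
# Open recursor: eight A records come back for a 29-byte query (constructed).
OPEN = fake_reply(QUERY, [(192, 0, 2, n) for n in range(1, 9)])
# Server that refuses the client: REFUSED, RA clear, no answers (constructed).
RESTRICTED = fake_reply(QUERY, [], rcode=RCODE_REFUSED, ra=False)

if __name__ == "__main__":
    for name, reply in (("open", OPEN), ("restricted", RESTRICTED)):
        print(name, classify(QUERY, reply))
```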