I just received a revised Alert from US-CERT regarding UDP-based Amplification Attacks:
https://www.us-cert.gov/ncas/alerts/TA14-017A
Anyone operating a DNS server should be aware of this vulnerability. I have remotely maintained a DNS/Web server for many years, and a couple of months ago our DNS server was used as an attack vector against predominantly Chinese-based networks. DNS uses port 53 UDP packets, which, because of their nature, do not verify the actual source. Therefore, the source address can be spoofed. If the DNS server offers open recursion, the responses sent to the spoofed address can be many times larger than the original request. Our server did not even offer recursion, but it was still used as an attack vector. The only way we noticed was due to the log files suddenly increasing 400-fold. Most DNS servers do not log query activity, so operators of these servers might not even know their server was being used as an attack vector.
To limit our own exposure, I wrote a filtering program that dropped duplicated queries. But in general, there is not a lot that an individual can do except restrict the IP addresses that can use their DNS server. It is really up to the ISP to perform network ingress filtering. I don't completely understand it, but the routing device would evaluate whether it is possible to reach the source IP address of the packet via the interface that transmitted the packet.
Perhaps a Telus Tech could respond relative to how Telus handles this problem.
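The post notes that the only sign of abuse was the query log growing 400-fold. The script below is an added example (not the poster's filtering program, and not code from US-CERT) showing how a server operator can spot the reflection pattern in a BIND-style query log: a flood of identical queries, often for large-answer types such as ANY, all apparently from one "client" address that is really the spoofed victim. The log line layout, the thresholds and the sample lines are all constructed for this example.

```python
"""Flag query-log sources that look like DNS reflection/amplification traffic.

A reflected attack shows up in the reflector's log as many identical queries
whose 'client' address is the victim (spoofed), not a real resolver.
"""
import re
from collections import Counter, defaultdict

# Assumed BIND 9 query-log shape (example only; adjust the pattern to your build):
#   <date> <time> client <ip>#<port> (<name>): query: <name> <class> <type> <flags> (<server-ip>)
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Query types whose answers are usually far larger than the ~40-byte request,
# so they give the best amplification ratio and are worth treating as higher risk.
LARGE_ANSWER_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_line(line):
    """Return the parsed fields of one query-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, min_queries=20, dup_ratio=0.8):
    """Group queries by source address and flag sources dominated by one repeated query.

    min_queries: ignore sources with fewer queries than this (too little to judge).
    dup_ratio:   flag when a single (name, type) pair makes up this share of a
                 source's queries; a lower bar (0.5) applies to large-answer types.
    """
    per_source = defaultdict(Counter)  # ip -> Counter of (qname, qtype)
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        per_source[q["ip"]][(q["qname"].lower(), q["qtype"].upper())] += 1

    suspects = {}
    for ip, counter in per_source.items():
        total = sum(counter.values())
        if total < min_queries:
            continue
        (qname, qtype), top = counter.most_common(1)[0]
        ratio = top / total
        threshold = 0.5 if qtype in LARGE_ANSWER_TYPES else dup_ratio
        if ratio >= threshold:
            suspects[ip] = {
                "queries": total,
                "qname": qname,
                "qtype": qtype,
                "dup_ratio": round(ratio, 2),
                "large_answer": qtype in LARGE_ANSWER_TYPES,
            }
    return {"suspects": suspects, "sources_seen": len(per_source)}


def _constructed_sample():
    """Constructed log lines: one spoofed victim being reflected, plus normal traffic."""
    lines = []
    # 40 identical 'isc.org ANY' queries "from" 203.0.113.5: the reflection pattern.
    for i in range(40):
        lines.append(
            f"17-Jan-2014 10:12:{i % 60:02d}.001 client 203.0.113.5#{20000 + i} "
            f"(isc.org): query: isc.org IN ANY +E (192.0.2.53)"
        )
    # A busy but legitimate resolver at 198.51.100.9 asking for many different names.
    for i in range(25):
        lines.append(
            f"17-Jan-2014 10:13:{i % 60:02d}.500 client 198.51.100.9#{40000 + i} "
            f"(host{i}.example.com): query: host{i}.example.com IN A -E (192.0.2.53)"
        )
    # A couple of one-off lookups from another client.
    lines.append("17-Jan-2014 10:14:01.000 client 198.51.100.7#5353 (example.com): "
                 "query: example.com IN MX -E (192.0.2.53)")
    lines.append("this line is not a query-log record")
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    report = analyze(SAMPLE_LINES)
    print(f"sources seen: {report['sources_seen']}")
    for ip, info in report["suspects"].items():
        print(f"SUSPECT {ip}: {info['queries']} queries, {info['dup_ratio']:.0%} "
              f"are {info['qname']} {info['qtype']}")
```

Run against the constructed sample it reports 203.0.113.5 as a suspect and leaves the busy legitimate resolver alone, because the legitimate resolver's queries are spread over many names. On a real server the flagged "client" addresses are the victims, not the attacker, so the useful response is local rate limiting or response-rate limiting and the ingress filtering the post mentions, not blocking those addresses.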