
Preventing Use of Recursive Nameservers in Reflector Attacks (RFC5358)

IP.com Disclosure Number: IPCOM000175677D
Original Publication Date: 2008-Oct-01
Included in the Prior Art Database: 2008-Oct-18
Document File: 8 page(s) / 15K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

J. Damas: AUTHOR [+2]

Abstract

This document describes ways to prevent the use of default configured recursive nameservers as reflectors in Denial of Service (DoS) attacks. It provides recommended configuration as measures to mitigate the attack.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 18% of the total text.

Network Working Group                                           J. Damas
Request for Comments: 5358                                           ISC
BCP: 140                                                        F. Neves
Category: Best Current Practice                              Registro.br
                                                            October 2008

       Preventing Use of Recursive Nameservers in Reflector Attacks

Status of This Memo

   This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.  Distribution of this memo is unlimited.

Abstract

   This document describes ways to prevent the use of default configured recursive nameservers as reflectors in Denial of Service (DoS) attacks.  It provides recommended configuration as measures to mitigate the attack.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2.  Document Terminology  . . . . . . . . . . . . . . . . . . . . . 2
   3.  Problem Description . . . . . . . . . . . . . . . . . . . . . . 2
   4.  Recommended Configuration . . . . . . . . . . . . . . . . . . . 4
   5.  Security Considerations . . . . . . . . . . . . . . . . . . . . 5
   6.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 5
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 5
     7.1.  Normative References  . . . . . . . . . . . . . . . . . . . 5
     7.2.  Informative References  . . . . . . . . . . . . . . . . . . 6

 Damas & Neves            Best Current Practice                  [Page 1]
 RFC 5358        Preventing Rec. NS in Reflector Attacks     October 2008

 1.  Introduction

   Recently, DNS [RFC1034] has been named as a major factor in the generation of massive amounts of network traffic used in Denial of Service (DoS) attacks.  These attacks, called reflector attacks, are not due to any particular flaw in the design of the DNS or its implementations, except that DNS relies heavily on UDP, the easy abuse of which is at the source of the problem.  The attacks have preferentially used DNS due to common default configurations that allow for easy use of open recursive nameservers that make use of such a default configuration.

   In addition, due to the small query-large response potential of the DNS system, it is easy to yield great amplification of the source traffic as reflected traffic towards the victims.
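The two properties the introduction leans on, a resolver that answers recursive queries for anyone and a response many times larger than the query, can both be read straight off the DNS wire format. The following is an added example, not text or code from RFC 5358 or its authors, showing how an operator auditing their own resolver would check them: build a query with the RD (recursion desired) bit set, then inspect the response header for the RA (recursion available) bit and a non-empty answer, and divide response bytes by query bytes to get the amplification ratio. The packets here are constructed inline (the name `example.com`, the 192.0.2.0/24 addresses and the helper names are assumptions for the example) so that it runs offline; in practice the query would be sent over UDP from an address the resolver is not meant to serve.

```python
import struct

# Constructed DNS wire-format helpers (added example; not from RFC 5358).
QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000   # response bit
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by a resolver willing to recurse)
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def encode_name(name):
    """Encode a dotted hostname as a sequence of DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype=QTYPE_A, rd=True):
    """Build a minimal single-question DNS query; RD=1 asks for recursion."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(packet):
    """Decode the 12-byte DNS header into its flags and section counts."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def assess(query, response):
    """Return (offers_recursion, amplification) for one query/response pair.

    offers_recursion is True when an RD=1 query came back with RA=1, NOERROR
    and at least one answer: the server recursed on the client's behalf.
    amplification is simply response bytes divided by query bytes.
    """
    q = parse_header(query)
    r = parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("response does not match query")
    offers_recursion = (q["rd"] and r["ra"]
                        and r["rcode"] == RCODE_NOERROR and r["ancount"] > 0)
    return offers_recursion, len(response) / len(query)


def constructed_open_response(query, addresses):
    """Constructed reply from an open resolver: RA set, one A record per address."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | RCODE_NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return header + query[12:] + answers


def constructed_refused_response(query):
    """Constructed reply from a resolver restricted to its own clients: REFUSED, RA clear."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def demo():
    """Compare an open resolver's reply with a restricted resolver's reply."""
    query = build_query(0x1234, "example.com")
    open_reply = constructed_open_response(
        query, ["192.0.2.10", "192.0.2.11", "192.0.2.12"])  # constructed addresses
    refused_reply = constructed_refused_response(query)
    return assess(query, open_reply), assess(query, refused_reply)


if __name__ == "__main__":
    (open_rec, open_amp), (closed_rec, closed_amp) = demo()
    print(f"open resolver:       recursion={open_rec} amplification={open_amp:.2f}x")
    print(f"restricted resolver: recursion={closed_rec} amplification={closed_amp:.2f}x")
```

Even this three-record answer is about 2.7 times the size of the query; responses carrying larger record sets push the ratio far higher, which is the amplification the introduction refers to. The restricted resolver answers REFUSED with RA clear and returns roughly the same number of bytes it received, so it is neither a useful reflector nor an amplifier.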

   DNS authoritative servers that do not provide recursion to cl...