3

We are running an IIS server with DNS and a site owner asked us to run a specific security scan. Our site passed but we were warned with this and I'd like to clean it up and I'm a little unfamiliar how to set this up properly.

Description: DNS Server Spoofed Request Amplification DDoS

Synopsis: The remote DNS server could be used in a distributed denial of service attack.

Impact: The remote DNS server answers to any request. It is possible to query the name servers (NS) of the root zone ('.') and get an answer which is bigger than the original request. By spoofing the source IP address, a remote attacker can leverage this 'amplification' to launch a denial of service attack against a third-party host using the remote DNS server.

See also : http://isc.sans.org/diary.html?storyid=5713

Data Received: The DNS query was 17 bytes long, the answer is 353 bytes long.

Resolution: Restrict access to your DNS server from public network or reconfigure it to reject such queries.

We have turned recursion off but I'm unaware what other setting it may be picking up and flagging for this, and especially do not want our server to be used to help or fall under any type of DDoS attack.

Thanks.

Andrew T
  • 133
  • 1
  • 8

1 Answers1

2

If your DNS server is authoritative for a publicly accessible domain, which I'm guessing is the case for you, then there's not a lot more you can do. The warning is due to the fact that your DNS server will respond to any request, which a public facing authoritative server will need to do.

In a spoofed request amplification attack, the source address of the DNS request is spoofed such that replies from the DNS server will be sent to the target (victim) host instead of the source. In addition to disabling recursion, filters can be put in place to reject packets with spoofed source addresses in order to mitigate these attacks. This would need to be performed by your routers or firewalls, though. Doing so will not prevent this warning from coming up in the security scan but you would then have evidence that you have taken action to mitigate the threat.

squillman
  • 37,883
  • 12
  • 92
  • 146