Today, we share a blog post from Looking Glass’ Director of Product Management, Patrick Lynch, as he discusses distributed denial of service (DDoS) attacks on DNS root servers.
There are a number of actions available to an ISP that mitigate both the attacks on the DNS root servers and the load on the ISP itself:
- Ingress filtering by source IP address – Routers can enforce BCP38, which only allows traffic to originate with source IP addresses that are valid for that ISP. This will also prevent source and destination addresses from being the same.
- If ingress filtering is not practical, then a DNS firewall will provide similar capabilities to ingress filtering as well as additional capabilities such as:
  - Only allow queries from allowed IP ranges
  - Rate limit queries by source IP or destination IP to prevent volumetric attacks
  - Rules that prevent DNS responses (as opposed to queries) from going to the root servers
  - When an upstream DNS server is busy (as in a DDoS attack), automatically generate a server unavailable error rather than adding to the DDoS attack
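The checks listed above compose naturally into one edge filter. The following is an added illustration written for this post, not Looking Glass' or any vendor's code: a toy DNS edge filter that applies BCP38-style source validation, the same-source-and-destination check, the "responses must not go to the root servers" rule, per-source rate limiting, and a SERVFAIL short-circuit when the upstream is busy. The customer prefixes, root-server address, rate limit and sample packets are all constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholders (not from the post): the ISP's own customer
# prefixes, one stand-in root-server address, and a tiny per-source budget.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
ROOT_SERVERS = {ipaddress.ip_address("192.0.2.1")}
RATE_LIMIT = 3  # queries allowed per source within one counting window


class DnsEdgeFilter:
    """Applies the ISP-side mitigations in order and returns a verdict string."""

    def __init__(self, prefixes, root_servers, rate_limit, upstream_busy=False):
        self.prefixes = prefixes
        self.root_servers = root_servers
        self.rate_limit = rate_limit
        self.upstream_busy = upstream_busy
        self.counts = defaultdict(int)  # queries seen per source address

    def check(self, pkt):
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])

        # Source equal to destination is never legitimate traffic.
        if src == dst:
            return "drop:same-src-dst"

        # BCP38 / allowed-range check: only sources inside our prefixes may leave.
        if not any(src in net for net in self.prefixes):
            return "drop:bcp38"

        # DNS responses (QR bit set) must never be sent toward a root server.
        if pkt["qr"] == 1 and dst in self.root_servers:
            return "drop:response-to-root"

        # Per-source rate limit against volumetric floods.
        self.counts[src] += 1
        if self.counts[src] > self.rate_limit:
            return "drop:rate-limit"

        # When the upstream is under attack, answer SERVFAIL locally
        # instead of adding our queries to the flood.
        if self.upstream_busy:
            return "servfail"

        return "forward"


def run_filter(filt, packets):
    """Returns the list of verdicts for a sequence of packet dicts."""
    return [filt.check(p) for p in packets]


# Constructed sample traffic: one clean query, one spoofed source, one
# src==dst packet, one response aimed at the root, then a small burst.
SAMPLE_PACKETS = [
    {"src": "203.0.113.10", "dst": "192.0.2.1", "qr": 0},
    {"src": "10.0.0.5", "dst": "192.0.2.1", "qr": 0},
    {"src": "192.0.2.1", "dst": "192.0.2.1", "qr": 0},
    {"src": "203.0.113.10", "dst": "192.0.2.1", "qr": 1},
    {"src": "203.0.113.20", "dst": "192.0.2.1", "qr": 0},
    {"src": "203.0.113.20", "dst": "192.0.2.1", "qr": 0},
    {"src": "203.0.113.20", "dst": "192.0.2.1", "qr": 0},
    {"src": "203.0.113.20", "dst": "192.0.2.1", "qr": 0},
]


if __name__ == "__main__":
    f = DnsEdgeFilter(CUSTOMER_PREFIXES, ROOT_SERVERS, RATE_LIMIT)
    for pkt, verdict in zip(SAMPLE_PACKETS, run_filter(f, SAMPLE_PACKETS)):
        print(pkt["src"], "->", pkt["dst"], "qr=%d" % pkt["qr"], verdict)
```

The ordering matters: the cheap, stateless checks (same address, BCP38, response-to-root) run before the stateful rate counter, so spoofed or malformed packets never consume a legitimate customer's query budget. A real deployment would count per time window and would key the rate limit by destination as well, as the post notes.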
Securing DNS is challenging given the nature of the protocol and the fact that the DNS ports must be left open to ensure continuous delivery of DNS services to Internet-attached devices.