@@ -713,6 +713,47 @@ effects in and beyond China.
713713 <https://dl.acm.org/doi/10.1145/2317307.2317311> `__. Computer
714714 Communications Review, July 2012.
715715
716+ .. sidebar :: DNS Amplification Attacks
717+
718+ *There is a class of denial-of-service (DoS) attack that leverages
719+ the properties of DNS to attack other systems, rather than being an
720+ attack on DNS itself. Recall that DNS is UDP-based. A name server
721+ sends a response back to the IP address from which a query was
722+ sent, and since there is no TCP connection to establish, it is
723+ relatively easy to use a fake source address in a query. In this
724+ case, the name server can be tricked into sending traffic to some
725+ unsuspecting host. And it is not hard to see how this can be turned
726+ into a * distributed *denial-of-service attack: many hosts (e.g., a
727+ set of hosts in a botnet) can make coordinated requests to a set
728+ of name servers, with all the requests using the same spoofed
729+ source address. Not only does this lead to a lot of traffic heading
730+ to the target address, but the name servers can be make to perform
731+ a traffic * amplification *function, because the response to a DNS
732+ query can be much larger than the query that triggered it. In
733+ particular, the DNS query type "ANY" causes all records for a
734+ domain to be returned, which can be a lot of data returned for a
735+ simple query. The handling of such queries has recently been
736+ clarified in an RFC to reduce the impact of ANY queries, but that
737+ is not a complete solution to DNS amplification attacks. *
738+
739+ *Three main steps can be taken to reduce these attacks. The first
740+ is to avoid the deployment of "open" resolvers, i.e., resolvers
741+ which will accept queries from anywhere. For example, the resolver
742+ for an enterprise should be configured such that only clients
743+ within that enterprise can send queries to it; it should not accept
744+ queries from the broader Internet. *
745+
746+ *The second step is source address validation. Source address
747+ filtering is a tool that can be applied at the boundaries of
748+ autonomous systems to reject traffic with spoofed source
749+ addresses. It may not be 100% effective but it will reduce the
750+ effectiveness of large scale attacks. *
751+
752+ *Finally, there are ways to deal with DoS attacks such as the use
753+ of content distribution networks and black-holing of DoS
754+ traffic. We discuss these further in Chapter 9. *
755+
756+
716757
717758
7187598.2.1 DNS Security Extensions (DNSSEC)
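Review bot: the reStructuredText markup in this hunk will not render as intended, so the whole sidebar is likely to come out as a literal block or an error. Three concrete problems: (1) the directive on the `.. sidebar :: DNS Amplification Attacks` line has a space before the `::`, which docutils does not accept; it should read `.. sidebar:: DNS Amplification Attacks`. (2) The nested emphasis `a * distributed *denial-of-service attack` and `a traffic * amplification *function` is invalid twice over: inline markup cannot nest inside the surrounding `*...*` paragraph, and an opening `*` followed by a space (or a closing `*` preceded by a space) is not recognised as markup at all. Either drop the inner asterisks, or end the outer emphasis before the word and restart it after, e.g. `...turned into a* distributed *denial-of-service attack...`. (3) Each paragraph closes with `. *` (a space before the trailing asterisk), which by the same rule leaves the emphasis unterminated; the closing `*` must directly follow the period. Two smaller points: "the name servers can be make to perform" should be "made to perform", and "clarified in an RFC" would read better with a citation in the style of the references just above this hunk (the RFC that restricts ANY responses is RFC 8482, assuming that is the one the author means); likewise the source address validation paragraph could name BCP 38, the standard reference for ingress filtering. A suggested rendering of the first sentence, with the fixes applied:

  .. sidebar:: DNS Amplification Attacks

  *There is a class of denial-of-service (DoS) attack that leverages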