On January 18, 2009, the SANS Internet Storm Center reported the first instances of what is now being described as a DNS DDoS (distributed denial of service) attack (see http://isc.sans.org/diary.html?storyid=5713).
The attack is simple: the attacker sends a DNS query for '.' (the root) to a DNS server with the source address spoofed to the victim's address, and the server sends its much larger response to the victim. This is an amplification attack: the natural DNS response is roughly 10 times the size of the query, so the attacker's traffic is multiplied by every server that answers. The purpose is to direct as much traffic as possible at the victim's system (the spoofed address) or network.
It is also quite likely that the owners or administrators of the participating DNS server are completely unaware that their system is being used in this way. In fact, if the queries are answered successfully, most logging levels will not record the activity at all.
The attack takes advantage of certain configurations on the participating DNS server. Both BIND and Microsoft DNS servers can be affected when configured to answer these queries.
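To make the mechanics concrete, the following is an added example (not code from BlueCat, ISC or SANS): it builds the 17-byte query for '.' that the attacker sends with a spoofed source, constructs the kind of root referral a non-recursive server answers with (13 NS records plus glue, using DNS name compression as a real server does), parses it back, and computes the on-the-wire amplification ratio. The query type (NS) is assumed; the 13 server names are the real a..m.root-servers.net labels, but the glue addresses are constructed from the TEST-NET-1 range (192.0.2.0/24), not the real root-server addresses.

```python
"""Wire-level view of the '.' amplification attack: build the attacker's query,
parse a referral response, and compute the amplification ratio.

Added example, not BlueCat, ISC or SANS code. Server names are the real
a..m.root-servers.net labels; glue addresses are constructed from TEST-NET-1."""
import struct

UDP_IP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte UDP header per datagram
ROOT_SERVERS = [f"{c}.root-servers.net" for c in "abcdefghijklm"]
TTL = 518400


def encode_name(name: str) -> bytes:
    """Wire-format a domain name; '.' or '' is the root, a single zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.strip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> tuple:
    """Read a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                 # the pointer ends the name on the wire
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def build_root_query(txid: int = 0x1234, qtype: int = 2) -> bytes:
    """The 17-byte query the attacker spoofs: '.' IN NS (type assumed), RD clear."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(".") + struct.pack("!HH", qtype, 1)


def build_root_referral(txid: int = 0x1234) -> bytes:
    """Constructed referral for '.': 13 NS records in the authority section and
    13 A glue records in the additional section, with the compression pointers a
    real server emits (every name shares the 'root-servers.net' suffix)."""
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x8000, 1, 0, 13, 13))
    msg += encode_name(".") + struct.pack("!HH", 2, 1)
    suffix_ptr = None

    def name_ref(host: str) -> bytes:
        nonlocal suffix_ptr
        label = host.split(".")[0]
        if suffix_ptr is None:                # first use: full name, remember suffix
            suffix_ptr = len(msg) + 1 + len(label)
            return encode_name(host)
        return bytes([len(label)]) + label.encode("ascii") + struct.pack("!H", 0xC000 | suffix_ptr)

    for host in ROOT_SERVERS:                 # authority: . IN NS x.root-servers.net
        msg += encode_name(".") + struct.pack("!HHIH", 2, 1, TTL, 0)
        rdata = name_ref(host)
        msg[-2:] = struct.pack("!H", len(rdata))
        msg += rdata
    for i, host in enumerate(ROOT_SERVERS):   # additional: x.root-servers.net IN A
        msg += name_ref(host) + struct.pack("!HHIH", 1, 1, TTL, 4) + bytes([192, 0, 2, i + 1])
    return bytes(msg)


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_referral(msg: bytes) -> tuple:
    """Walk all sections; return (NS targets from authority, {glue name: IPv4})."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        _, off = decode_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    ns, glue = [], {}
    for section, count in (("an", hdr["ancount"]), ("ns", hdr["nscount"]), ("ar", hdr["arcount"])):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if section == "ns" and rtype == 2:
                ns.append(decode_name(msg, off)[0])
            elif section == "ar" and rtype == 1:
                glue[owner] = ".".join(str(b) for b in msg[off:off + rdlen])
            off += rdlen
    return ns, glue


def amplification(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker sends, counting IP/UDP headers."""
    return (len(response) + UDP_IP_OVERHEAD) / (len(query) + UDP_IP_OVERHEAD)


if __name__ == "__main__":
    q, r = build_root_query(), build_root_referral()
    print(f"query {len(q)} bytes, referral {len(r)} bytes, "
          f"amplification {amplification(q, r):.1f}x on the wire")
```

With the 28 bytes of IPv4/UDP headers counted on both sides, the 17-byte query turns into a 462-byte referral, just under 11x; a real root referral is a few hundred bytes as well, which is where the "10-fold" figure comes from. The point for operators is that the query carries no RD bit and needs no recursion to be answered: a server that returns root referrals from its hints or cache to anyone is an amplifier.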
For Adonis, the results are as follows:
v5.5.0 and v5.5.1
With recursion enabled:
Check that "allow-query-cache" does not permit a wider set of clients than "allow-recursion" (when "allow-query-cache" is not set, it defaults to the "allow-recursion" list). If the two do not conflict, the server will deny the request from clients outside that list and defeat the attack.
With recursion not enabled:
Set additional-from-cache no; the server will deny the request and defeat the attack.
v5.1
With recursion enabled:
The system will respond to these requests regardless of any other settings. We recommend disabling recursion on external-facing Adonis systems.
With recursion disabled:
Set additional-from-cache no and additional-from-auth no; the server will deny the request and defeat the attack.
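The settings above as they would appear in the BIND options block, written here as an added illustration (not BlueCat's shipped configuration; the address range is an assumption). The option names are the standard BIND 9 options Adonis exposes for these cases, shown first in the exposed form and then as recommended for each version and mode:

```conf
// Exposed: recursion is limited to the internal range, but the cache is open to
// anyone, so a spoofed query for "." from outside still receives the root referral.
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; };      // assumed internal range
    allow-query-cache { any; };             // wider than allow-recursion: vulnerable
};

// v5.5.0 / v5.5.1, recursion enabled: allow-query-cache must not be wider than
// allow-recursion. Omitting allow-query-cache gives the same result, because it
// then defaults to the allow-recursion list.
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; };
    allow-query-cache { 192.0.2.0/24; };    // same list as allow-recursion
};

// Recursion disabled (v5.5.x needs only additional-from-cache; v5.1 needs both):
// the server refuses the query for "." instead of returning a referral.
options {
    recursion no;
    additional-from-cache no;
    additional-from-auth no;
};
```

After applying the change, verify it from an address outside the permitted range with `dig @<server> . NS +norecurse` (substitute the server's address). A hardened server answers REFUSED rather than listing the root name servers; if the list still comes back, the server is still usable as an amplifier.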
Other mechanisms to detect and protect against this attack are described in the SANS Internet Storm Center diary (see http://isc.sans.org/diary.html?storyid=5713).
Neither ISC nor CERT has issued an advisory, vulnerability note or other notice, which indicates that this is not considered a major problem. Reports of attacks have so far been low in number.