[unisog] [REN-ISAC] Alert: DNS Smurfing

Doug Pearson dodpears at indiana.edu
Fri Dec 10 20:43:58 GMT 2004

Over the past couple of days several DNS Smurf attacks have been underway affecting research and education (R&E) and commercial networks. A typical DNS Smurf attack[1] works as follows: Many DNS queries of type = "any" are sent to multiple DNS servers. The queries contain the source-spoofed address of the target. The large responses to the queries cause link congestion and denial-of-service at the target. Not only the target suffers but DNS servers can be adversely affected by a large increase in queries. At least one U.S. R&E institution has suffered due to its server being employed in attacks.

There are no simple and effective workarounds for this problem. Protection is needed for the attack target and the DNS servers employed in the attacks. One technique that will work to reduce server vulnerability is to turn off recursive queries to non-trusted sources. Current exploit codes likely require the recursion feature. With recursion turned off the likelihood of your server being chosen for an attack is diminished.

Current levels of UDP/53 traffic in the Abilene backbone can be viewed at:

Traffic on various other ports can be monitored at:

I'd like to encourage discussion of workarounds on this mailing list.


[1] http://www.ciac.org/ciac/bulletins/j-063.shtml


Doug Pearson
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac at iu.edu

More information about the unisog mailing list