The KZ-CERT team periodically receives reports of registered DNS amplification DDoS attacks launched through IP addresses that cybercriminals have compromised. The root cause is the absence of basic monitoring of DNS servers and network infrastructure: software is not kept up to date, network settings are not reviewed, and there is no protection against external attacks.
Simply put, cybercriminals use your IP addresses as a "relay" (reflector) to carry out DDoS attacks such as DNS amplification, and they can do so only because the DNS server settings are not kept in a current state.
You can reduce the number of DNS amplification DDoS attacks and minimize the involvement of your own segment of infrastructure by taking the following steps, none of which require additional financial outlay:
1. Periodically audit the DNS servers;
2. Keep the DNS server software at the current version;
3. Hide the DNS server version so that an attacker cannot easily learn which version your server runs;
4. Use equipment with IPS, IDS and anti-DDoS functions on the network, which also strengthens protection against other attacks;
5. Disable unused services on all servers;
6. Restrict recursive query processing to the clients of the service you provide;
7. Switch to TCP as recommended by RFC 5966.
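Steps 3 and 6 above, together with response rate limiting, map directly onto a few BIND 9 `named.conf` options. The fragment below is an added illustration, not configuration from KZ-CERT or from any specific deployment: it shows the weak settings that turn a resolver into an amplification reflector beside a hardened equivalent. The network ranges in the ACL are placeholders and must be replaced with the address ranges of your own clients.

```conf
// --- Weak configuration (constructed example): anyone on the Internet may
// --- use this server as a recursive resolver, and the version is exposed.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };       // open resolver: reflects spoofed queries
};

// --- Hardened configuration (constructed example)
acl "trusted-clients" {
    192.0.2.0/24;                   // placeholder: replace with your client ranges
    2001:db8::/32;                  // placeholder IPv6 range
    localhost;
    localnets;
};

options {
    directory "/var/named";
    version "none";                 // step 3: do not disclose the BIND version
    recursion yes;                  // use "recursion no;" on authoritative-only servers
    allow-recursion   { "trusted-clients"; };   // step 6: recursion only for own clients
    allow-query-cache { "trusted-clients"; };   // cached answers only for own clients
    allow-query       { any; };     // authoritative data for your zones stays public
    minimal-responses yes;          // smaller answers reduce the amplification factor
    rate-limit {                    // Response Rate Limiting (BIND 9.10+)
        responses-per-second 10;    // identical answers per client /24 per second
        window 5;                   // seconds over which the limit is averaged
        slip 2;                     // every 2nd dropped UDP answer is a truncated one,
                                    // so legitimate clients retry over TCP (RFC 5966)
    };
};
```

Check the syntax with `named-checkconf` before applying it with `rndc reconfig`, then verify from an address outside the ACL that a recursive query returns REFUSED and that a `version.bind` CHAOS query no longer reveals the version string.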
If every administrator of Internet-facing servers did this, the digital world would move one more step towards perfection.
And what should you do if your DNS server has already been compromised?
1. Update the DNS server software;
2. Enable filtering on the network equipment;
3. Reconfigure the DNS servers so that they cannot be abused in further DDoS attacks.