1. Countermeasures

https://www.netscout.com/what-is-ddos/dns-nxdomain-flood

1.1. NETSCOUT

How to Mitigate and Prevent a DNS NXDOMAIN Flood DDoS Attack

Conducting regular DNS audits is crucial for mitigating such attacks.

Monitoring DNS servers and traffic can deter malicious attacks against the network.

Additional steps include: (At first glance these look like countermeasures, but are they really? -- ToshinoriMaeno 2023-05-12 07:41:55)

    Automatically blackhole suspect domains and servers
    Implement DNS Response Rate Limiting
    Examine the behavior of a client. 
      If a client generates a high rate of NXDOMAIN, NXRRset, or SERVFAIL responses, 
      block requests from that client’s IP address for a configurable period of time.
    Be sure that cache refresh takes place, ensuring continuous service
    Lower the timeout for recursive name lookup to free up resources in the DNS resolver, 
      thus preventing simultaneous outstanding DNS queries from maxing out
    Increase the TTL on existing records as this will ensure records are kept longer
     in external DNS caches, making it less likely that those records will have to be updated
    Apply rate limiting on traffic to overwhelmed servers

1.2. HC3: Sector Alert

Mitigations and Recommended Actions

HC3 encourages organizations to remain cautious when blocking IPs, because this could result in legitimate users being prevented from accessing public services. According to NETSCOUT, there are several mitigations available for DNS NXDOMAIN Flood DDoS Attacks:

• Blackhole routing/filtering suspected domains and servers
• Implement DNS Response Rate Limiting
• Block requests from the client’s IP address for a configurable period of time
• Be sure that cache refresh takes place, ensuring continuous service
• Lower the timeout for recursive name lookup to free up resources in the DNS resolver
• Increase the time-to-live (TTL) on existing records
• Apply rate limiting on traffic to overwhelmed servers
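
The "examine the behavior of a client" item, combined with HC3's caution about blocking legitimate users, can be sketched as follows. This is an added example, not code from NETSCOUT, HC3 or this wiki; the class name, thresholds and the `timestamp client rcode` log format are assumptions. A client is blocked for a configurable period only when its negative responses exceed both a count and a share of its recent traffic, so a busy shared resolver with mostly successful lookups is left alone.

```python
from collections import defaultdict, deque

NEGATIVE = {"NXDOMAIN", "NXRRSET", "SERVFAIL"}  # response codes named in the list above

class NegativeResponseLimiter:
    """Temporarily block clients whose recent responses are mostly negative."""
    def __init__(self, window=10.0, max_negative=20, min_ratio=0.8, block_for=60.0):
        self.window, self.max_negative = window, max_negative
        self.min_ratio, self.block_for = min_ratio, block_for
        self.events = defaultdict(deque)  # client -> (timestamp, is_negative) pairs
        self.blocked_until = {}           # client -> time at which the block expires

    def is_blocked(self, client, now):
        until = self.blocked_until.get(client)
        if until is not None and now >= until:
            del self.blocked_until[client]  # configurable period is over
            return False
        return until is not None

    def observe(self, client, rcode, now):
        """Record one response; return True if the client is blocked."""
        if self.is_blocked(client, now):
            return True
        q = self.events[client]
        q.append((now, rcode.upper() in NEGATIVE))
        while q and q[0][0] <= now - self.window:  # drop events outside the window
            q.popleft()
        negative = sum(1 for _, neg in q if neg)
        if negative > self.max_negative and negative / len(q) >= self.min_ratio:
            self.blocked_until[client] = now + self.block_for
            q.clear()
            return True
        return False

def replay(log_lines, limiter):
    """Feed 'timestamp client rcode' lines; return every client that got blocked."""
    blocked = set()
    for line in log_lines:
        ts, client, rcode = line.split()
        if limiter.observe(client, rcode, float(ts)):
            blocked.add(client)
    return blocked

# Constructed sample: 192.0.2.10 gets 30 NXDOMAIN answers in 3 seconds, while
# 198.51.100.7 is a busy client whose answers are 80% NOERROR.
SAMPLE = [f"{i * 0.1:.1f} 192.0.2.10 NXDOMAIN" for i in range(30)]
SAMPLE += [f"{i * 0.1:.1f} 198.51.100.7 {'NOERROR' if i % 5 else 'NXDOMAIN'}" for i in range(100)]
SAMPLE.sort(key=lambda line: float(line.split()[0]))
```

Calling `replay(SAMPLE, NegativeResponseLimiter())` blocks only 192.0.2.10, and that block lapses 60 seconds after it was set.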



MoinQ: DDoS/対策/netscout (last edited 2023-05-12 07:42:45 by ToshinoriMaeno)