DrDoS Amplification Testing

DrDoS aka distributed reflective denial-of-service

open DNS resolver

  dig ANY amiopen.openresolvers.org @x.x.x.x

Where x.x.x.x is the IP of an suspected open DNS resolver.

Checking a local host directly

*nix systems
dig +short amiopen.openresolvers.org TXT

Windows systems
nslookup
   > set type=TXT
   > amiopen.openresolvers.org

Ideal results will be: 
"Your resolver at ip.add.re.ss is CLOSED"

 

If your return comes back with results you are subject to being a DNS DDoS Amplification source.

We also recommend http://openresolverproject.org/

 

 NTP

  ntpdc -c monlist [hostname]

If you return any output you are subject to being a NTP DDoS Amplification source.

 

CHARGEN

Any device using CHARGEN is subject to being a CHARGEN DDoS Amplification source.

 

SNMP

Some of the first DrDoS attacks ever seen in 2007/2008 came from SNMP due the the ability to amplify attacks so heavily (up to 650x). Because of this most SNMP server have the ability to limit what ip can access SNMP. Furthermore it is consider best practice to keep snmp within your local network. As well, beyond limiting the snmp service to what ip can access is directly, create network rules blocking anything addition ips

Have more questions? Submit a request

0 Comments

Article is closed for comments.