May 8, 2013
REN-ISAC ALERT: Prevent your institution from being an unwitting
partner in denial of service attacks
The REN-ISAC wants to raise awareness and drive change
concerning common network and domain name system (DNS)
configurations that fall short of accepted best practice and which,
if left unchecked, open the door for your institution to be
exploited as an unwitting partner to crippling denial of service
attacks against third parties.
CIOs, please note important, specific recommended ACTIONS included
Although attacks exploiting the network and DNS configuration
weaknesses have been around for a long time, the frequency and
impact of attacks have grown over the past year. These attacks may
exploit thousands of institutional DNS servers to create an
avalanche of network traffic aimed at a third-party victim. The
traffic sourced by any single institutional system may be small
enough to go unnoticed at the institution; however, the aggregate
experienced at the target can be crippling. A recent attack 
generated over 300 gigabits per second of traffic aimed at the
victim organization. To put that in context, most universities and
organizations connect to the Internet at 1 Gbps or less. In this
incident not only was the intended victim crippled, Internet
service providers and security service providers attempting to
mitigate the attack were adversely affected.
Given history and the success of recent attacks, we expect that
attacks will rise in frequency and magnitude in the months ahead.
The network configuration issue concerns the ability for a machine
on your network to send packets marked with a source IP address
that doesn't belong to you ("spoofed") to outside your network. The
DNS issue concerns a configuration that allows outsiders to exploit
your DNS servers to send high volumes of traffic at arbitrary
The higher education and research community needs to do its part to
ensure that we are not helping to facilitate these attacks. The
REN-ISAC recommends the following actions:
=== ACTIONS ===
1. Distribute a copy of this message to your network
administrators, information security staff, DNS administrators, and
other relevant personnel.
2. Ensure your institutional network(s) are unable to originate
Internet traffic with spoofed source addresses.
3. Do not permit any DNS server on your networks to answer queries
from the public Internet, with the exception of the institution's
authoritative servers, which should only answer queries about data
they are authoritative for.
4. Investigate rate limiting for your authoritative DNS servers.
Rate limiting becomes even more important for DNSSEC-enabled zones.
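An added example, not part of the REN-ISAC alert, showing how a DNS administrator could check a server's own query log for the two patterns behind actions 3 and 4: recursive queries arriving from outside institutional address space, and bursts of ANY queries typical of amplification abuse. The log lines are constructed in BIND 9 query-log style; the institutional prefix 192.0.2.0/24, the server address and the threshold are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Address space allowed to use the resolver (assumption: 192.0.2.0/24 is a
# constructed example prefix, not a real campus network).
INSTITUTIONAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample lines in BIND 9 query-log style. "+" after the type means
# the client set the RD (recursion desired) bit, "-" means it did not,
# "E" means EDNS was used (large UDP responses, typical of amplification).
SAMPLE_LOG = """\
client 192.0.2.10#51234: query: www.example.edu IN A + (192.0.2.53)
client 198.51.100.7#4444: query: isc.org IN ANY +E (192.0.2.53)
client 198.51.100.7#4445: query: isc.org IN ANY +E (192.0.2.53)
client 198.51.100.7#4446: query: ripe.net IN ANY +E (192.0.2.53)
client 203.0.113.9#5353: query: example.edu IN MX - (192.0.2.53)
client 192.0.2.20#60001: query: example.edu IN TXT +E (192.0.2.53)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN "
    r"(?P<type>\S+) (?P<flags>[+-]\S*)"
)

def is_institutional(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSTITUTIONAL_NETS)

def analyze(log_text):
    """Return (external_recursive_clients, any_query_counts).

    external_recursive_clients: outside IPs that asked for recursion,
        i.e. evidence the server is answering as an open resolver (action 3).
    any_query_counts: ANY queries per client, the classic amplification
        pattern that response rate limiting is meant to damp (action 4).
    """
    external_recursive = set()
    any_counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, qtype, flags = m.group("ip"), m.group("type"), m.group("flags")
        if flags.startswith("+") and not is_institutional(ip):
            external_recursive.add(ip)
        if qtype == "ANY":
            any_counts[ip] += 1
    return external_recursive, any_counts

def flag_amplifiers(any_counts, threshold=3):
    """Clients whose ANY-query count reaches the (assumed) threshold."""
    return sorted(ip for ip, n in any_counts.items() if n >= threshold)
```

Run `analyze(SAMPLE_LOG)` against a real query log (enable `querylog` in BIND) to see whether outside hosts are being served recursion and which sources are hammering ANY.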
We're sharing a version of this letter, with additional technical
depth and recommendations, to campus security officers, network
administrators, and DNS administrators. This note and related
technical notes are available at the REN-ISAC web site, and have
been sent directly to REN-ISAC members and to the public EDUCAUSE
Security and CIO mailing lists. PDF versions of the Alerts are
available at the web site.
We'd appreciate your input on additional means to protect from this
threat, and general feedback concerning the Alert.
If you have any questions, please don't hesitate to e-mail us.
Special thanks go to the members of the REN-ISAC Technical Advisory
Group for their work on this Alert.
On behalf of the REN-ISAC team,
Technical Director, REN-ISAC
24x7 Watch Desk +1(317)278-6630
References:
Firm Is Accused of Sending Spam, and Fight Jams Internet
REN-ISAC Technical Advisory Group
US-CERT Alert (TA13-088A): DNS Amplification Attacks