Route 53 DDoS - Tenable Nessus Network Scan claims a vulnerability exists


A security network scan was performed by Tenable Nessus on one of our Route 53 endpoints which points directly to an ALB. The report claims "DNS Server Spoofed Request Amplification DDoS" as high severity. Here's the link to their site for more info:

But as far as I'm aware AWS Shield is automatically applied to Route 53 which should mitigate any DDoS attacks? Has anyone else had to deal with this? Anyone know of a solution?

  • I think we are lacking a bit of the context in order to properly answer the question. When you mean "Route 53 endpoint", are you meaning Route 53 Outbound endpoints? Or just a CNAME record in R53 that points towards a public facing ALB?

1 Answer

The DNS Server Spoofed Request Amplification DDoS vulnerability means that a nameserver will respond to "dig . NS @r53nameserver" with a long (amplified) response. If you try that query against any of our publically accessible authoritative nameservers you will see:

`; <<>> DiG 9 <<>> . NS
 ; (2 servers found)
 ;; global options: +cmd
 ;; connection timed out; no servers could be reached`

So Route53 nameservers are not susceptible to this vulnerability.

You may have seen this finding if the scanner ran within a VPC or on-prem against a Route53 resolver IP. Resolver endpoints are not exposed to the public and are accessible only from the clients that have access to the AWS VPC where the resolvers run and in addition, EC2 instances cannot send spoofed network traffic, so the attack described could not occur. Any such finding against Route53 resolver IPs can be disregarded.

answered 2 months ago
profile picture
reviewed 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions