DNS Flood -- Help!
ewheeler at kaico.com
Tue Jan 8 18:04:07 UTC 2002
To whoever can help:
We run a DNS server of a colocated facility with 90Mb/s capable
throughput. We have recently been attacked by queries from the 'DNS
Abuser' exploit written some time ago
(http://www.securitybugware.org/mUNIXes/4198.html).
Since we are DNS masters for many domains, we have to respond to DNS
queries from anywhere and cannot limit the service to some range of
source addresses.
#1. Is there a way to make bind respond to only queries requesting
information about the zones which it is authoritative for, dropping the
rest?
#2. To make the problem more complicated, there are also hosts which use
our server as their primary DNS. This being said, I need to explicitly
allow a set of source addresses to query the server in any way they
choose, while conforming to #1 for all other queries.
If #2 is not possible, a fix for #1 is imperative. I have to keep
dropping these floods as they come about based on their source address
(which are spoofed, as best I can tell) -- Under flooding circumstances,
the server pushes at 4.5Mbit/s; we have a 45GB quota per month. Under a
flood, we will use the entire quota in about 30 hours.
Any input would be much appreciated.
Thank you.
--
Eric Wheeler
Network Administrator
KAICO
20417 SW 70th Ave.
Tualatin, OR 97062
www.kaico.com
Voice: 503.692.5268
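
The split asked for in #1 and #2 above maps onto BIND's access-control lists: a restrictive default in `options`, opened up again per authoritative zone. The named.conf fragment below is an added example, not part of the original post and not taken from the BIND distribution. The ACL name, the 192.0.2.0/24 network, the directory path and the example.com zone are placeholders.

```conf
// Added example. All names and addresses below are placeholders.

// Hosts that use this server as their resolver (requirement #2).
acl trusted {
    127.0.0.1;
    192.0.2.0/24;          // placeholder client network
};

options {
    directory "/var/named";             // assumed path

    // Default for anything not overridden at zone level:
    // only the trusted hosts may query or ask for recursion.
    allow-query     { trusted; };
    allow-recursion { trusted; };
};

// Repeat this override in every zone the server is master for,
// so authoritative data stays reachable from anywhere (requirement #1).
zone "example.com" {
    type master;
    file "db.example.com";              // placeholder zone file
    allow-query { any; };
};
```

With this layout an outside client asking about a name outside the hosted zones gets a short REFUSED reply instead of a recursive lookup; BIND still sends that reply, so spoofed floods are made cheaper rather than silently dropped. On BIND 9, `named-checkconf` validates the file before a reload.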
More information about the bind-users
mailing list