DNS queries limitation by host ?
phn at icke-reklam.ipsec.nu
Tue Aug 24 15:07:29 UTC 2004
Ladislav Vobr <lvobr at ies.etisalat.ae> wrote:
>> However, there are more sophisticated DNS (D)DoS attacks possible,
>> including:
>> 1. Querying a wide range of long-TTL names with the aim of filling up
>> the cache with junk, or
>> 2. Querying names which are known to have unreachable nameservers,
>> broken delegations, or other forms of DNS nastiness, with the aim of
>> busying out the victim resolver with retries, error recovery, logging, etc.
>>
>> These kinds of (D)DoS attacks might give more "bang for the buck" per
>> query and thus allow the attack to succeed even as it flies under the
>> radar of a router-based rate-limiting scheme. It might be impossible in
>> some scenarios (because the routers don't have access to the resolver's
>> state information) or at the very least cost-prohibitive, to put code in
>> the routers to foil such attacks and therefore might be better to put it
>> in the resolver code.
> it is not so difficult to get bind to amplify 1 udp packet hundred, two
> hundred times, and it is done so quietly that nobody (administrators)
> has a clue about it, no logs, no warnings. It is bind internal design.
> I did a simple test with some unreachable nameservers, for 1 request bind
> sent 125 outgoing requests.
> This kind of flooding is daily routine for many authoritative servers,
> since their brothers :-) high rate recursive bind servers (who don't
> cache timeouts, don't cache servfail, don't slow down with the time, and
> don't provide all, what they cache,) send out 10, 20, 100 ... times
> amplified requests to the authoritative servers. Definitely there is
> some misconfiguration in place but usually on the authoritative server
> side (zone expired, misconfiguration, servfail, reachability...), but
> not on the recursive server side. What happens, providers block the
> source of such floods, which are recursive bind nameservers, configured
> as per the best recommendations, basically doing what bind developers
> think is perfectly fine to do.
> We have got blocked several times, because of excessive traffic from our
> recursive bind servers to remote authoritative servers, what can we do
> about it, when bind itself doesn't bother even to log unreachable
> servers or the recursive queue details.
> Does anybody know how to configure the firewall so it will not let the
> random user to fill-up recursive-client queue or how to configure the
> firewall so it will not let bind to flood random misconfigured
> destination with its full bandwidth and still provide the service to
> the rest of users.
Use access-lists on recursive servers (only allow your own hosts),
have no-recursion on your authoritative servers. Is that what you mean?
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
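Added example (not part of the thread, and not BIND's own documentation): two named.conf excerpts showing the split the reply above describes, one for a recursive resolver that only serves your own hosts and one for an authoritative server with recursion switched off. The network prefixes, zone name and file paths are placeholders; "allow-query-cache" needs BIND 9.4 or later, and the "fetches-per-*" options only exist in BIND 9.10.3 and later, so neither was available in the versions being discussed in 2004.

```conf
// ===== File 1: named.conf on the RECURSIVE resolver =====
// Placeholder client networks (RFC 5737 / RFC 3849 documentation prefixes);
// replace with the ranges you actually serve.
acl "our-clients" {
    localhost;
    localnets;
    192.0.2.0/24;
    2001:db8::/32;
};

options {
    directory "/var/named";          // placeholder path

    // Anyone may send a query, but only "our-clients" may have it recursed;
    // other sources get REFUSED instead of driving the resolver to fetch.
    allow-query     { any; };
    allow-recursion { "our-clients"; };

    // BIND 9.4+: also keep strangers out of the cache, otherwise the server
    // still answers (and leaks) whatever it has cached for anybody.
    allow-query-cache { "our-clients"; };

    // BIND 9.10.3+: cap outstanding fetches towards a single remote server
    // and a single zone, so retries against an unreachable or broken
    // authoritative server stop multiplying one client query into many.
    fetches-per-server 500;
    fetches-per-zone   200;
};

// ===== File 2: named.conf on the AUTHORITATIVE server =====
options {
    directory "/var/named";          // placeholder path
    recursion no;                    // never recurse for anyone
    allow-query { any; };            // serve the zones below to the world
};

zone "example.org" {                 // placeholder zone
    type master;
    file "example.org.zone";
};
```

Check the result from outside your own networks with a recursive query such as `dig @resolver-ip www.example.com +recurse`; a correctly gated resolver answers REFUSED (or an answer with the RA flag cleared) rather than fetching on the stranger's behalf, while the authoritative host keeps answering only for the zones it carries.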