Bind stats - denied queries?
Reindl Harald
h.reindl at thelounge.net
Mon Nov 30 21:44:48 UTC 2020
Am 30.11.20 um 20:01 schrieb Marc Roos
> You assume incorrectly that every such log entry is from spoofed
> traffic.
every relevant one, yes
> This is about correct logging. Even if it is spoofed, logging the
> correct spoofed address is better than logging a range (that include
> ip's that are maybe not even participating)
there is nothing like "not even participating" in a /24 in case of
reflection
> There is only, but only one advantage I can think of, and that is
> grouping to one log entry.
no, it logs what it does: responses to that /24 are rate-limited because
otherwise you won't be able to reduce the impact
you still refuse to understand wo is attacker and who is victim! *you
are* the attacker sending responses larger then the request to the
forged sources
you are *not* target, you are part of the attack und you have no way to
do anything against that on a UDP protocol except rate-limit your
responses because you have no way to find out the real source
> -----Original Message-----
> Subject: Re: Bind stats - denied queries?
>
> the source of dns amplification is *always* spoofed because it's by
> design the IP of the victim and not the offender
>
> the goal of dns amplification is to flood the connection of the victim
> until no regular traffic is possible
>
> the same /24 is sharing the same line and so it doesn't make sense in
> that context talk about single ip's at all
>
> it also doesn't make sense to write abuse reports for such things
> because additionally to the technical packet flood you also flood human
> ressources with nosense there
>
> they aren't the offender, they can't do anything about your issue
> because the are *the victim*
>
> you are one of thousands or even millions of hosts the attacker is
> trying to get responses from to the victim
>
> please try to understand
> https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
> and RRL is only useful for that type of attack, everything else don't
> matter for a DNS server and more important you can't distinct it anyways
>
> Am 30.11.20 um 18:23 schrieb Marc Roos:
>> Regardless if the source is spoofed or not, one should log it.
>> Especially with this amazon abuse cloud, how can you report abuse,
>> they want to have an ip address to be able to investigate if something
>
>> originated from their network.
>>
>> If you log 0/24 you might as well log no range at all.
>>
>> Am 30.11.20 um 11:12 schrieb Marc Roos:
>>> Are newer version of bind still logging like this
>>>
>>> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses
>>> to
>>> 3.9.41.0/24
>>> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses
>>> to
>>> 35.177.154.0/24
>>> Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit responses
>>> to
>>> 35.177.154.0/24
>>> Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit responses
>>> to
>>> 3.9.41.0/24
>>>
>>> I already reported, that it is not to smart to log 3.9.41.0/24,
>>> better
>>
>>> could be logged 3.9.41.100/24 so you know the offending ip
>>
>> there is nothing like an "offending ip" in case of dns-amplification
>> which is usually what happens in context of RRL
>>
>> it's the forged destination of the attack you see and nothing else
More information about the bind-users
mailing list