Millions of './ANY/IN' queries denied
Andrew P.
andrewemt at hotmail.com
Thu Dec 16 13:56:31 UTC 2021
Reindl Harald <h.reindl at thelounge.net> writes:
Am 16.12.21 um 14:22 schrieb Andrew P.:
>> You don't understand what kind of blacklist I want; I want to blacklist the domain name
>> being asked for, so I don't answer for it. I'm not looking to blacklist forged IP addresses
>> of requestors (since we all know criminals don't use their own identities; they use the
>> identities of innocent bystanders).
>>
>> Again, why should _my_ nameserver_ respond to a query for "./ANY/IN"? I am not a rootserver, and never will be.
>
>AGAIN: you don't gain anything by not responding on a UDP protocol
>because the client can't distinct no response and packet loss
AGAIN, the criminal DDoS attacker who's creating these forged requests isn't looking for replies to themselves; they're looking to abuse some poor victim. And the victim can't make the attacker shut up.
>so you *increase* the load by retries on the client
No, the attacker is going to send their packets as often as they feel like it regardless of whether I answer, and they won't know if the load on the victim is sufficient to crush them (or if I am participating), since the attacker isn't receiving the attack. They won't speed up on me just because I refuse to participate in their ugly little games because they won't know I'm not playing along (at least until they decide to attack _me_ instead of someone else).
>don't get me wrong but you need to understand the implications of what
>you are doing - for DOS attacks "Response Rate Limiting" was invented
>and for non-DOS requests there isn't any valid reason to take action
Please tell me what non-DOS requests would be asking _my_ name server to dump the root domain. I'm not running a caching-only public nameserver (such as an ISP might run for their customers), so _no_ _one_ should be asking my nameserver for the entire root domain. Even webcrawlers don't need to harrass non-root-nameservers for root domain information.
Note I haven't done anything yet; I'm asking if there _is_ a way to do it presently implemented in Bind.
More information about the bind-users
mailing list