solutions to prevent DNS DoS attack

Kevin Darcy kcd at daimlerchrysler.com
Thu Jan 24 00:03:32 UTC 2002


Arie wrote:

> On Wed, 2002-01-23 at 10:19, Yige Zhu wrote:
> > hi there,
> >
> > I work for an ISP and recently we suffered malicious DNS DoS attacks
> > and we need to find a way to prevent for the second and third attack
> > in the future. As the UDP nature of DNS and we can not trace the
> > source of the attacker. So firstly, I would ask is there any mature
> > solutions to this kind of attack? Second, I thought of a solution as
> > following and would ask for advice if this solution is feasible.
> >
> > my solution:
> > 1. set filters at the firewall before the DNS server and set policies
> > to only allow source address belonging to the address of ISP, just the
> > DNS server can only resolve the ISP's request.
> > 2. count the attempts from address out of ISP and monitor the counter
> > to find if there are abrupt increase. If there is an abrupt increase
> > of the counter, there will be potential attack and need to pay
> > attention.
> > 3. set filters on the access router of the ISP and count the DNS
> > requests, and monitor the counter just like using MRTG to see if there
> > are any abrupt increase and so can trace partially the source of
> > attacking.
> >
> > the set filters on the access router will sacrifice the performance of
> > the router while the router will have to check every packet of its
> > destination IP address and port number. My question is:
> > 1. does the current router support such a filter and count it?
>
> If you pick a machine with enough memory and CPU, you can use a Linux
> solution. I know that iptables from http://netfilter.samba.org does
> stats. That is a counter.
>
> > 2. how will this filtering affect the performance of the current more
> > advanced routers? can routers sustain such a filter or such a filter
> > is just a piece of cake for the now router as the ASIC chips are
> > quicker and quicker?
>
> If you only catch and count the SYN packets (I think (most) DoS attacks
> have to do with sending SYN packets) on the netfilter box then i guess
> there should be no problem. You could also script some stuff to take
> automated steps.

I think you're confusing TCP and UDP.


- Kevin
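As an added example (not from any poster in this thread), here is what Yige Zhu's steps 1 and 2 look like as an iptables ruleset, together with a small monitor that compares two counter snapshots the way an MRTG-style poll would. It takes Kevin's point into account: DNS queries arrive over UDP (and TCP for answers that do not fit in UDP), so the rules match port 53 on both protocols rather than TCP SYN flags. The ISP address ranges, the chain name DNS_IN and the two counter snapshots are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a source-address
# filter for port 53 with a "queries from outside the ISP" counter rule, and
# computes the change in that counter between two `iptables -nvx -L DNS_IN`
# snapshots so an abrupt increase can be flagged.

# Constructed placeholder ranges standing in for the ISP's own address space.
ISP_NETS="192.0.2.0/24 198.51.100.0/24"

# Emit a ruleset in iptables-restore format (chain name DNS_IN is assumed).
# Both UDP and TCP port 53 are steered into DNS_IN; SYN flags are irrelevant
# here because the bulk of DNS traffic is UDP.
emit_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':DNS_IN - [0:0]'
    printf '%s\n' '-A INPUT -p udp --dport 53 -j DNS_IN'
    printf '%s\n' '-A INPUT -p tcp --dport 53 -j DNS_IN'
    for net in $ISP_NETS; do
        printf '%s\n' "-A DNS_IN -s $net -j ACCEPT"
    done
    # Last rule in the chain: everything that is not from the ISP lands here,
    # so its packet counter is the "attempts from outside" value from step 2.
    printf '%s\n' '-A DNS_IN -m comment --comment "dns-outside" -j DROP'
    printf '%s\n' 'COMMIT'
}

# Two constructed snapshots in `iptables -nvx -L DNS_IN` layout
# (first column is the exact packet count).
SNAP_BEFORE='Chain DNS_IN (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    4012   320960 ACCEPT     all  --  *      *       192.0.2.0/24         0.0.0.0/0
    1200    96000 ACCEPT     all  --  *      *       198.51.100.0/24      0.0.0.0/0
      37     2960 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dns-outside */'

SNAP_AFTER='Chain DNS_IN (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    4390   351200 ACCEPT     all  --  *      *       192.0.2.0/24         0.0.0.0/0
    1250   100000 ACCEPT     all  --  *      *       198.51.100.0/24      0.0.0.0/0
   50037  4002960 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dns-outside */'

# Packet delta of the dns-outside rule between two snapshots ($1 before, $2 after).
outside_delta() {
    before=$(printf '%s\n' "$1" | awk '/dns-outside/ {print $1}')
    after=$(printf '%s\n' "$2" | awk '/dns-outside/ {print $1}')
    echo $((after - before))
}

# Succeeds (exit 0) when the delta exceeds the threshold in $3, i.e. an
# abrupt increase in non-ISP queries that deserves attention.
spike_alert() {
    [ "$(outside_delta "$1" "$2")" -gt "$3" ]
}

# Stand-alone run: print the ruleset and evaluate the two snapshots.
emit_ruleset
if spike_alert "$SNAP_BEFORE" "$SNAP_AFTER" 1000; then
    echo "ALERT: $(outside_delta "$SNAP_BEFORE" "$SNAP_AFTER") non-ISP DNS packets since last poll"
fi
```

The ruleset is written to stdout rather than loaded, so it can be reviewed and then fed to iptables-restore; in production the snapshots would come from `iptables -nvx -L DNS_IN` taken on a timer, and the delta per interval is the series one would graph.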
