Blocking DoS on Bind9
Kevin Darcy
kcd at daimlerchrysler.com
Thu Aug 23 02:52:54 UTC 2007
The Doctor wrote:
> Just wondering what methods can be used to stop DoS attacks
> such as half-open connection overload on port 53 using named.conf?
>
Neither BIND nor any purely user-space app can really prevent "half-open
connection overload"s (are you trying to describe SYN flooding?), since
they don't even see the incoming connection until and unless it's fully
established.
You'd need something with deeper hooks into the TCP/IP stack, or a
separate device, in order to prevent those.
It should be noted that most normal DNS traffic uses UDP not TCP. Unless
you're serving up a lot of huge RRsets that necessitate TCP retries, it
should be fairly easy to set, within your Intrusion Prevention device or
firewall, a reasonable threshold on SYN packets incoming to port 53. You
might want to make exceptions, of course, for slaves that use the
standard AXFR/IXFR-based method for replication of zone data, since that
uses TCP as well (IXFR can use UDP, but will fail over to AXFR under
certain circumstances, that's why I lump them together).
- Kevin
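The firewall-side threshold Kevin describes, written out as an nftables ruleset. This is an added example, not part of the original post or of BIND itself: the secondary-server addresses (192.0.2.10 and 192.0.2.11), the rate and burst values, and the assumption that the secondaries are IPv4-only are all assumptions, to be replaced with your own.

```nftables
# Added example (not from the original post): cap TCP SYNs to port 53 on a
# BIND host while exempting the secondaries that pull zones over TCP
# (AXFR/IXFR). Addresses and rate values are assumptions.
table inet dns_syn_guard {
    # Assumed secondary (slave) servers; they replicate with AXFR/IXFR over TCP
    set secondaries {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    # Per-source SYN meter; idle entries expire on their own
    set syn_meter {
        type ipv4_addr
        flags dynamic
        timeout 60s
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Zone-transfer peers are never rate-limited on 53/tcp
        tcp dport 53 ip saddr @secondaries accept

        # Per-source cap: drop a client's SYNs to 53/tcp beyond 10/s (burst 20)
        tcp dport 53 tcp flags & (syn|ack) == syn add @syn_meter { ip saddr limit rate over 10/second burst 20 packets } drop

        # Global backstop: a spoofed-source flood never trips the per-source
        # meter, so cap the total SYN rate to 53/tcp as well
        tcp dport 53 tcp flags & (syn|ack) == syn limit rate over 200/second burst 400 packets drop

        # Ordinary DNS queries arrive over UDP and are untouched by these rules
    }
}
```

Load it with `nft -f <file>` and watch the effect with `nft list ruleset` (add `counter` before `drop` if you want per-rule drop counts). Because the drop happens in the netfilter input hook, excess SYNs never reach named's listening socket, which is the "deeper hook into the TCP/IP stack" the post says a user-space daemon lacks; the secondary exemption keeps AXFR/IXFR working even when the limits are tripped.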