Overload Denial of Service attack
Kevin Darcy
kcd at chrysler.com
Thu Oct 11 22:14:45 UTC 2007
named shouldn't core just because it gets hit with a lot of traffic. The
worst that should happen is that it responds slowly to the queries and
the clients start timing out. Are you sure the crash was volume-related?
How do you know that? If it is in fact volume-related, are you sure it
wasn't your OS (that you didn't specify) that killed the process because
it hit some sort of per-process quota (cpu, memory usage)?
According to the config below, you have no views and no restrictions on
recursion. Were these incoming queries being handled *recursively*? That
raises security concerns, of course, but putting those concerns aside for
the moment, from a performance standpoint you can limit this using
"recursive-clients".
For TCP requests, you have some control in the form of the "tcp-clients"
and "tcp-listen-queue" settings.
But for plain old UDP queries being answered out of authoritative data,
I don't know of any way to rate-limit that. This is the most lightweight
kind of query to answer, though, so it seems hard to believe that that's
what swamped your box, unless it's severely underpowered.
- Kevin
The Doctor wrote:
> We have a real one.
>
> Running the RC, it got overloaded with so many
> requests that in essence named dies.
>
> I tried to do a gdb but the gdb seg faulted.
>
> How can I prevent overload, i.e. regulating the number of
> requests on DNS from outside the LAN?
>
> Here is a snippet of the named.conf :
>
> //Use with the following in named.conf, adjusting the allow list as needed:
> key "rndc-key" {
> algorithm hmac-md5;
> secret "7ZbGK94NdSa2WACxx72W1w==";
> };
>
> controls {
> inet 127.0.0.1 port 953
> allow { 127.0.0.1; } keys { "rndc-key"; };
> };
>
> // generated by named-bootconf.pl
>
> options {
> directory "/etc/namedb";
> pid-file "/var/run/named.pid";
> dump-file "/etc/named/named.dump";
> max-ncache-ttl 86400;
> zone-statistics yes;
> allow-transfer {
> <backups>
> };
> allow-notify {
> <backups>
> };
> also-notify {
> <backups on port 53>
> };
> /*
> * If there is a firewall between you and nameservers you want
> * to talk to, you might need to uncomment the query-source
> * directive below. Previous versions of BIND always asked
> * questions using port 53, but BIND 8.1 uses an unprivileged
> * port by default.
> */
> query-source address * port 53;
> version "no";
> listen-on {primary dns; localhost; };
> rrset-order {
> class ANY type ANY name "*" order fixed;
> };
>
> };
>
> I would love to kick these DoSSers in the repos so they cannot reproduce.
>
> I wonder if my named and its core would be helpful.
>
>
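The knobs Kevin names (recursive-clients, tcp-clients, tcp-listen-queue) and the recursion restriction he alludes to, put together in one options block. This is an added example written for this archive page, not The Doctor's named.conf and not code from the thread; the "lan" acl with the 192.0.2.0/24 documentation range, and the numeric limits, are illustrative assumptions you would tune to your own network and hardware.

```conf
// Added example, not part of the original thread or of the poster's config.
// Assumptions: the LAN is 192.0.2.0/24 (a documentation range) and only
// that network should be able to use this server as a recursive resolver.
// The numeric limits are illustrative, not recommended values.

acl "lan" {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    directory "/etc/namedb";

    // The quoted config has no recursion restriction at all, so anyone on
    // the Internet could use this box as an open resolver. Limit recursion
    // (and cache reads, BIND 9.4 and later) to the LAN; outside clients
    // then only get answers from authoritative data, which is the cheap
    // kind of query to serve.
    allow-recursion { "lan"; };
    allow-query-cache { "lan"; };

    // Upper bound on simultaneous outstanding recursive lookups. Once it is
    // reached, named drops the oldest pending recursive query rather than
    // growing without limit.
    recursive-clients 1000;

    // TCP: cap concurrent TCP connections and the listen(2) backlog depth.
    tcp-clients 100;
    tcp-listen-queue 10;
};
```

Check the syntax with named-checkconf before reloading, then apply it with "rndc reconfig". One unrelated observation on the snippet quoted above: it includes the actual rndc-key secret, and since it has now been mailed to a public list, that key should be regenerated with rndc-confgen and the controls statement updated to match.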