Overload Denial of Service attack

Kevin Darcy kcd at chrysler.com
Thu Oct 11 22:14:45 UTC 2007


named shouldn't core just because it gets hit with a lot of traffic. The 
worst that should happen is that it responds slowly to the queries and 
the clients start timing out. Are you sure the crash was volume-related? 
How do you know that? If it is in fact volume-related, are you sure it 
wasn't your OS (that you didn't specify) that killed the process because 
it hit some sort of per-process quota (cpu, memory usage)?

According to the config below, you have no views and no restrictions on 
recursion. Were these incoming queries being handled *recursively*? That 
raises security concerns, of course, but putting those concerns aside for 
the moment, from a performance standpoint you can limit this using 
"recursive-clients".

For TCP requests, you have some control in the form of the "tcp-clients" 
and "tcp-listen-queue" settings.

But for plain old UDP queries being answered out of authoritative data, 
I don't know of any way to rate-limit that. This is the most lightweight 
kind of query to answer, though, so it seems hard to believe that that's 
what swamped your box, unless it's severely underpowered.

- Kevin


The Doctor wrote:
> We have a real one.
>
> Running the RC, it got overloaded with so many
> requests that in essence named dies.
>
> I tried to do a gdb but the gdb seg faulted.
>
> How can I prevent overload, i.e. regulating the number of
> requests on DNS from outside the LAN?
>
> Here is a snippet of the named.conf :
>
> //Use with the following in named.conf, adjusting the allow list as needed:
> key "rndc-key" {
>       algorithm hmac-md5;
>       secret "7ZbGK94NdSa2WACxx72W1w==";
> };
>
> controls {
>       inet 127.0.0.1 port 953
>               allow { 127.0.0.1; } keys { "rndc-key"; };
> };
>
> // generated by named-bootconf.pl
>
> options {
>         directory "/etc/namedb";
>         pid-file "/var/run/named.pid";
>         dump-file "/etc/named/named.dump";
>         max-ncache-ttl 86400;
>         zone-statistics yes;
>         allow-transfer {
>                         <backups>
>                         };
>         allow-notify {
>                         <backups>
>                         };
>         also-notify {
>                         <backups on port 53>
>                         };
>         /*
>          * If there is a firewall between you and nameservers you want
>          * to talk to, you might need to uncomment the query-source
>          * directive below.  Previous versions of BIND always asked
>          * questions using port 53, but BIND 8.1 uses an unprivileged
>          * port by default.
>          */
>          query-source address * port 53;
>          version "no";
>          listen-on {primary dns; localhost; };
>          rrset-order {
>                 class ANY type ANY name "*" order fixed;
>          };
>
> };
>
> I would love to kick these DoSSer in the repos so they cannot reproduce.
>
> I wonder if my named and its core would be helpful.
>
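As an added illustration of the knobs Kevin mentions above (an example written for this page, not part of either post and not BIND's shipped defaults), here is an options block in the style of the quoted named.conf that closes the open-recursion gap and caps per-transport client load. The "internal" ACL range and all numeric limits are assumptions chosen for illustration, not tuned values.

```conf
// Added example, not from the original posts. The ACL range and the
// numbers below are illustrative assumptions; size them for your server.

// Hosts allowed to use this server as a recursive resolver. Everything
// else is answered from authoritative data only, which removes the
// open-resolver exposure Kevin raises and keeps outside traffic cheap.
acl "internal" { 127.0.0.1; 10.0.0.0/8; };   // assumed LAN range

options {
        directory "/etc/namedb";
        version "no";

        // The quoted config has no allow-recursion at all, so any source
        // could drive recursive lookups. Restrict it to the LAN ACL.
        recursion yes;
        allow-recursion { "internal"; };

        // Upper bound on simultaneous recursive lookups. Once reached,
        // further recursive queries are dropped rather than queued without
        // bound, so a flood degrades service instead of exhausting memory.
        recursive-clients 1000;

        // TCP side: concurrent TCP client connections, and the listen()
        // backlog named asks the kernel for on its TCP sockets.
        tcp-clients 100;
        tcp-listen-queue 10;
};

// Response Rate Limiting for UDP answers from authoritative data, the case
// Kevin had no knob for in 2007. It is a later BIND feature (9.9.4 and up),
// so it does not apply to the release discussed; in current BIND it goes
// inside options {} or a view:
//
//   rate-limit {
//           responses-per-second 10;
//           window 5;
//   };
```

After changing these, check `named-checkconf` and watch the log for "no more recursive clients" messages, which indicate the recursive-clients ceiling is being hit.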
