Overload Denial of Service attack
The Doctor
doctor at doctor.nl2k.ab.ca
Fri Oct 12 12:33:39 UTC 2007
On Thu, Oct 11, 2007 at 06:14:45PM -0400, Kevin Darcy wrote:
> named shouldn't core just because it gets hit with a lot of traffic. The
> worst that should happen is that it responds slowly to the queries and
> the clients start timing out. Are you sure the crash was volume-related?
> How do you know that? If it is in fact volume-related, are you sure it
> wasn't your OS (that you didn't specify) that killed the process because
> it hit some sort of per-process quota (cpu, memory usage)?
Good questions.
>
> According to the config below, you have no views and no restrictions on
> recursion. Were these incoming queries being handled *recursively*? That
> raises security concerns, of course, but putting those concerns aside for
> the moment, from a performance standpoint you can limit this using
> "recursive-clients".
Example please.
>
> For TCP requests, you have some control in the form of the "tcp-clients"
> and "tcp-listen-queue" settings.
Examples please.
>
> But for plain old UDP queries being answered out of authoritative data,
> I don't know of any way to rate-limit that. This is the most lightweight
> kind of query to answer, though, it seems hard to believe that that's
> what swamped your box, unless it's severely underpowered.
BSD/OS 4.3 all patched running 2 Xeon 3.0s and 3GB RAM.
>
> - Kevin
>
>
> The Doctor wrote:
> > We have a real one.
> >
> > Running the RC, it got overloaded with so many
> > requests that in essence named dies.
> >
> > I tried to do a gdb but the gdb seg faulted.
> >
> > How can I prevent overload, i.e. regulating the number of
> > requests on DNS from outside the LAN?
> >
> > Here is a snippet of the named.conf :
> >
> > //Use with the following in named.conf, adjusting the allow list as needed:
> > key "rndc-key" {
> > algorithm hmac-md5;
> > secret "7ZbGK94NdSa2WACxx72W1w==";
> > };
> >
> > controls {
> > inet 127.0.0.1 port 953
> > allow { 127.0.0.1; } keys { "rndc-key"; };
> > };
> >
> >
> >
> >
> > // generated by named-bootconf.pl
> >
> > options {
> > directory "/etc/namedb";
> > pid-file "/var/run/named.pid";
> > dump-file "/etc/named/named.dump";
> > max-ncache-ttl 86400;
> > zone-statistics yes;
> > allow-transfer {
> > <backups>
> > };
> > allow-notify {
> > <backups>
> > };
> > also-notify {
> > <backups on port 53>
> > };
> > /*
> > * If there is a firewall between you and nameservers you want
> > * to talk to, you might need to uncomment the query-source
> > * directive below. Previous versions of BIND always asked
> > * questions using port 53, but BIND 8.1 uses an unprivileged
> > * port by default.
> > */
> > query-source address * port 53;
> > version "no";
> > listen-on {primary dns; localhost; };
> > rrset-order {
> > class ANY type ANY name "*" order fixed;
> > };
> >
> > };
> >
> > I would love to kick these DoSSer in the repos so they cannot reproduce.
> >
> > I wonder if my named and its core would be helpful.
> >
> >
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
--
Member - Liberal International
This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God, Queen and country! Beware Anti-Christ rising!
Voting Canadians vote anyone but Harper Cronies!!
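The settings Kevin Darcy named (`recursive-clients`, `tcp-clients`, `tcp-listen-queue`) go in the `options` block of named.conf. The fragment below is an added example, not part of either poster's message or of the original named.conf quoted above; the numeric values are illustrative and the `lan` ACL prefixes are assumed placeholders. It also restricts recursion to the LAN, which addresses the "requests from outside the LAN" question directly: outside clients only get answers from authoritative data. The `rate-limit` block covers the plain-UDP case Kevin said he had no knob for, but that option only exists in BIND 9.9.4 and later and would be rejected by a 2007-era build, so it is marked as such.

```conf
// Added example (not from the thread). Assumed local address ranges;
// replace with the real LAN prefixes.
acl "lan" { 127.0.0.1; 192.168.0.0/16; };

options {
    directory "/etc/namedb";

    // Upper bound on simultaneous recursive lookups in flight. Once the
    // limit is hit, additional recursive queries are dropped instead of
    // queueing up more work for the server.
    recursive-clients 1000;

    // TCP: cap concurrent TCP connections and the kernel listen backlog
    // so a burst of TCP queries cannot exhaust descriptors or memory.
    tcp-clients 100;
    tcp-listen-queue 10;

    // Recursion and cache answers only for the LAN; everyone else is
    // served authoritative data only (allow-query-cache needs BIND 9.4+).
    allow-recursion { "lan"; };
    allow-query-cache { "lan"; };

    // Response rate limiting for UDP floods against authoritative data.
    // Requires BIND 9.9.4 or later; remove this block on older versions.
    rate-limit {
        responses-per-second 10;   // identical answers per client /24 per second
        window 5;                  // seconds over which the rate is averaged
        slip 2;                    // every 2nd dropped answer becomes a truncated
                                   // reply, so real clients can retry over TCP
    };
};
```

After editing, `named-checkconf /etc/namedb/named.conf` validates the syntax before a reload, and `rndc reconfig` applies the new options without a full restart. The limits above trade availability for the attacker's excess traffic against the server staying up for everyone else; tune `recursive-clients` and `tcp-clients` upward if legitimate clients start seeing timeouts.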