Dropping external recursive requests

Mark Andrews Mark_Andrews at isc.org
Thu Dec 4 02:15:10 UTC 2008


In message <535d31e1-08e9-4e3c-aa94-f127f2ae4220 at 41g2000yqf.googlegroups.com>, 
john at feith.com writes:
> On Dec 3, 6:26 pm, Mark Andrews <Mark_Andr... at isc.org> wrote:
> > If it is a forged packet it should be dropped regardless of the setting
> > of RD.
> 
> True, however not something that's easily determined from a distance.
> 
> Ideally ingress filtering would render this a non-issue, however
> there are obviously holes in the current filtering done by ISPs.
> 
> > If the only reason to think the packet is forged is the setting
> > of RD=1 then the OP has committed a reasoning error.
> 
> The situation that we've encountered on a couple of occasions
> is a steady stream (several a second) of the exact same query
> with the same source address for several days.  When we contact
> the owner of the source address, they state they're under DDoS
> attack and are not the source of the request.  Part of the attack
> they experience is the Refused response from our DNS server.

	And you are also under attack so dropping in *that* case
	is acceptable.  You have identified that dropping recursive
	queries from *that* source will cause no harm.

	Your configuration has already mitigated a large proportion
	of the damage by not amplifying the traffic.  Dropping rd=1
	packets won't stop reflector attacks.

	If you are running an authoritative server you are a potential
	reflector and there is nothing you can do to prevent it being
	abused.

> > Also rd being set may just be the result of someone testing with
> > a tool which sets rd by default.
> 
> In which case they can change the setting.

	And how are they to realise that without a reply?

	"I'm getting no response so maybe I need to disable recursion"
	is not part of the standard diagnostic steps.  Read the list
	and see how many times we tell people to disable recursion
	when testing a delegation, and that is with replies.

> Which is worse ... occasionally dropping a request from someone
> using a misconfigured tool / server, or participating in a larger
> DDoS attack?
>
> Granted that dropping external requests with RD=1 doesn't
> eliminate the potential for DDoS attacks, it just changes it.
>
> > One needs to be really, really careful here.
> 
> Understood ... and I realize that things shouldn't be oversimplified
> (i.e. by assuming RD=1 must mean an evil request).  Part of the
> purpose for this post is to start a discussion on the pros / cons.

	That discussion has been done to death elsewhere.
 
> -- John
> john at feith.com
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
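An added example, not from this thread and not ISC's or BIND's own code, of the detection side of the case John describes: scanning BIND 9 query-log lines for a single source repeating the identical RD=1 query at a steady rate. It assumes the query-log line shape shown in the comments (with '+' as the first flag character for RD=1), and the sample lines are constructed. Because the source address may be spoofed (Mark's reflector point), the output is a lead for contacting the address owner, as John did, rather than an automatic drop rule.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed BIND 9 query-log line shape (the sample lines below are constructed):
#   DD-Mon-YYYY HH:MM:SS.mmm client <ip>#<port>: query: <qname> <class> <qtype> <flags>
# The first flag character is '+' when the query carried RD=1 and '-' when it carried RD=0.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_line(line):
    """Parse one query-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = m.groupdict()
    q["ts"] = datetime.strptime(q["ts"], "%d-%b-%Y %H:%M:%S.%f")
    q["rd"] = q["flags"][0] == "+"
    return q

def find_repeating_rd_streams(lines, min_count=20, min_per_second=2.0):
    """Group RD=1 queries by (source, qname, qtype) and return streams repeating the identical
    query at or above min_per_second.  The source may be spoofed: treat hits as leads, not drops."""
    first, last, count = {}, {}, Counter()
    for line in lines:
        q = parse_line(line)
        if q is None or not q["rd"]:
            continue  # unparsable line, or an RD=0 query that is of no interest here
        key = (q["ip"], q["qname"], q["qtype"])
        first.setdefault(key, q["ts"])
        last[key] = q["ts"]
        count[key] += 1
    streams = {}
    for key, n in count.items():
        span = (last[key] - first[key]).total_seconds()
        rate = n / max(span, 1.0)  # guard against a zero-length span
        if n >= min_count and rate >= min_per_second:
            streams[key] = (n, round(rate, 2))
    return streams

# Constructed sample: one source repeats the same query every 0.5 s for 20 s, plus two unrelated queries.
SAMPLE_LOG = [
    f"04-Dec-2008 02:15:{i // 2:02d}.{(i % 2) * 500:03d} client 192.0.2.10#53245: query: example.com IN A +"
    for i in range(40)
] + [
    "04-Dec-2008 02:15:05.123 client 198.51.100.7#33121: query: www.example.com IN A -",
    "04-Dec-2008 02:15:09.987 client 203.0.113.4#61000: query: example.com IN MX +",
]
```

Run against a real query log by replacing SAMPLE_LOG with the file's lines; the thresholds are the knobs to tune to the server's normal traffic.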