Avoiding being used as DDoS reflector.

John Wobus jw354 at cornell.edu
Mon Jan 19 15:48:19 UTC 2009


On Jan 19, 2009, at 5:02 AM, Leonardo Rodrigues Magalhães wrote:

>
>
> Nathan Ollerenshaw wrote:
>>
>> I have an Authoritative BIND server. It is configured to only allow 
>> recursive queries from localhost, with recursion disabled for any 
>> remote clients.
>>
>> If you attempt to perform a recursive query against this server, it 
>> will respond with a "query refused" packet, as this is what BIND does 
>> if you try to recursively query a server configured to disallow 
>> recursive queries.
>> [ ........ ]
>> Any ideas? Anyone facing this same problem found a solution? I'd be 
>> glad to hear it :)
>>
>
>    If you're running authoritative only for localhost and are not
> answering network requests at all, then you could probably firewall
> incoming packets to UDP port 53! Let the responses in, let the new
> requests out.
>
>    I can't imagine anything simpler than that.

If you need 53 to answer for authoritative zones, you could run two
bind instances, one for your caching server, the other for the
authoritative data.  Then a firewall or instance-wide black-hole config
would take care of it.  Not too inspired a solution, but it's all I can
think of.

I fear that what you are seeing is difficult to handle, thus may well
become only more popular as time passes, especially if it really does
cause trouble for the victim.  If the traffic is negligible for you,
then does it really hurt the victim?  How would they be harmed?  Is the
victim someone who queries your authoritative server enough to get some
confusing "hits" of matching port, ID, and server of outstanding
queries?  Even if you block recursive error returns, would an attack
using valid authoritative answers be equally harmful to the victim?

John
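The split-instance layout John describes, written out as an added
example (this configuration is not from the thread or from ISC; the file
paths, the 192.0.2.10 public address and the example.com zone are
placeholders):

```conf
// /etc/named-auth.conf (placeholder path) -- authoritative-only instance
// bound to the public address.  Recursion is off, so a recursive query
// for a name outside its zones still gets the small REFUSED reply the
// thread is about; the instance simply never has cache data to hand out.
options {
    directory "/var/named/auth";          // placeholder layout
    pid-file  "/var/run/named-auth.pid";
    listen-on { 192.0.2.10; };            // placeholder public address
    listen-on-v6 { none; };
    recursion no;
    allow-query { any; };                 // the zones must be reachable by everyone
    allow-query-cache { none; };
    minimal-responses yes;                // smaller answers, less reflection payoff
};

zone "example.com" {
    type master;
    file "example.com.zone";              // placeholder zone file
};

// /etc/named-cache.conf (placeholder path) -- caching/recursive instance
// that only exists on loopback, so remote hosts cannot reach it at all.
options {
    directory "/var/named/cache";
    pid-file  "/var/run/named-cache.pid";
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    recursion yes;
    allow-query { localhost; };
    allow-recursion { localhost; };
};
```

Each instance is started with its own config (`named -c /etc/named-auth.conf`
and `named -c /etc/named-cache.conf`), and `/etc/resolv.conf` on the box
points at 127.0.0.1.  To confirm the split, `dig @192.0.2.10 example.com`
should come back with the `aa` flag set, while `dig @192.0.2.10
www.example.org` should return `status: REFUSED` with no answer section.
Leonardo's variant, for a host that serves no zones at all, is then just
the caching instance plus a host firewall rule dropping inbound port 53
on the public address; with zones to serve, the authoritative instance
must stay reachable, which is why John's point about authoritative
answers being usable as reflection traffic still applies.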