Bind vs flood

Sten Carlsen stenc at s-carlsen.dk
Thu Feb 27 15:52:45 UTC 2014 

Doesn't this look like a DDOS attack on the spoofed origin of the queries?


On 27/02/14 16:18, Ben Croswell wrote:
> I guess I am missing why anyone on the internet should be able to open
> queries against your caching resolver. 
> 
> Why would in bound queries be allowed to servers that are for your
> people to get out?
> 
> On Feb 27, 2014 10:13 AM, "Ivo" <ivo at nic.lv <mailto:ivo at nic.lv>> wrote:
> 
>     Hi Dmitry,
> 
>     We observed that similar requests are landing on our cache resolver
>     mostly from various home routers running dns server as open resolver
>     and that also masquerades the original request source.
>     We have a collection of ~60 domains involved and most of them are
>     related to China. The problem is that attacker selects few domains
>     and generates queries with random hostnames which therefore are not
>     in the cache and server has to perform recursion for each query. So
>     each query will consume one udp or tcp socket for at least 10
>     seconds because remote DNS server is responding slowly or is down
>     and based on a query volume it can effectively overload the cache
>     server.
> 
>     Initially we thought we could fix it with " resolver-query-timeout",
>     but after bind code analysis it seems that everything less that 10
>     seconds would be ignored, it would be great to mention this in the
>     documentation.
>     So one solution is to change MINIMUM_QUERY_TIMEOUT in resolver.c and
>     recompile named, but  it would be nice to understand why 10 seconds
>     as minimum value were selected in the first place, see
>     /lib/dns/resolver.c
> 
>     #define MAX_SINGLE_QUERY_TIMEOUT 9U
>     #define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U) 
> 
>     ....snip....
> 
>     void
>     dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int
>     seconds) {
>             REQUIRE(VALID_RESOLVER(resolver));
>             if (seconds == 0)
>                     seconds = DEFAULT_QUERY_TIMEOUT;
>             if (seconds > MAXIMUM_QUERY_TIMEOUT)
>                     seconds = MAXIMUM_QUERY_TIMEOUT;
>             if (seconds < MINIMUM_QUERY_TIMEOUT)
>                     seconds =  MINIMUM_QUERY_TIMEOUT;
>             resolver->query_timeout = seconds;
>     }
> 
>     We also tried to create local dummy zones for all these domains but
>     since domains change frequently we started to block most active open
>     resolvers and coordinate with local CERT.
> 
>     It would be nice to have some kind of rate limits for query volume
>     of different hosts inside a single zone.
> 
>     Best regards,
> 
>     Ivo
> 
> 
>     On 2/27/14 7:59 AM, Dmitry Rybin wrote:
>>     Over 2 weeks ago begins flood. A lot of queries:
>>
>>     niqcs.www.84822258.com <http://niqcs.www.84822258.com>
>>     vbhea.www.84822258.com <http://vbhea.www.84822258.com>
>>     abpqeftuijklm.www.84822258.com
>>     <http://abpqeftuijklm.www.84822258.com>
>>     adcbefmzidmx.www.84822258.com <http://adcbefmzidmx.www.84822258.com>
>>     and many others.
>>
>>     Bind answers with "Server failure". On high load (4 qps) all
>>     normal client can get Servfail on good query. Or query can execute
>>     more 2-3 second.
>>
>>     Recursion clients via "rnds status" 300-500.
>>
>>     I can try to use rate limit:
>>             rate-limit {
>>                     nxdomains-per-second 10;
>>                     errors-per-second 10;
>>                     nodata-per-second 10;
>>             };
>>     I do not see an any improvement.
>>
>>     Found one exit in this situation, add flood zones local.
>>
>>     What can we do in this situation?
>>     _______________________________________________
>>     Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>     unsubscribe from this list
>>
>>     bind-users mailing list
>>     bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>
>>     https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> 
>     _______________________________________________
>     Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>     unsubscribe from this list
> 
>     bind-users mailing list
>     bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>
>     https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!"

More information about the bind-users mailing list