Preventing a particular type of nameserver abuse

Peter Coghlan bind at beyondthepale.ie
Wed Apr 14 16:46:40 UTC 2021


Tony Finch wrote:
> Peter Coghlan <bind at beyondthepale.ie> wrote:
> >
> > I have a nameserver which is authoritative for three or four domain names.
> > It receives around 1000 queries per day that could be regarded as plausibly
> > legitimate.  It receives around ten times that number of abusive queries per
> > day from presumably spoofed ip addresses, the vast majority of them IN ANY
> > queries for the "sl" domain or for the root nameservers all of which my
> > nameserver responds to with return code 5 ie refused.
> 
> There have been several helpful replies, but to be honest I wouldn't spend
> too much effort on low levels of abuse unless you want to use it as a
> learning exercise. (I would care if it was multiple abusive queries per
> second...)
>

I think a learning exercise would be very useful as there seems to be very
little awareness of this issue and I found it very difficult to find any
discussion or analysis of it anywhere.  From the replies to my posting here,
it seems apparent that my nameserver is definitely not the only one which is
experiencing this abuse.

I am seeing abusive query rates of 5 per second for sustained periods of the
day.  As far as I can see this is specially designed to get in under the
widely suggested "errors-per-second 5" rate limiting.

>
>> I have tried "errors-per-second 1" and this seems to reduce the abuse
>> by about four fifths but one fifth of it still manages to get through
>> and I don't find this acceptable.
>
> RRL is designed to avoid interfering with legitimate traffic, but that
> does mean that some abuse traffic leaks through. Its aim is to stop
> amplification, so that the attackers don't get any benefit from abusing
> your server.
>

Sure, but something is clearly benefitting from the abuse because it is
going on day in, day out for months now and it is apparently happening
on servers other than mine too.

Also, my nameserver doesn't receive any legitimate traffic at all which my
nameserver replies to with "refused" responses.

>
> But it sounds to me like your problem traffic is more like background
> radiation (e.g. probes) than active abuse; if so it's likely that RRL will
> not deter them.
>

I wouldn't describe it as background radiation or probes.  It doesn't seem
to be caused by misconfigured or faulty resolvers or anything of that nature.
Exactly the same queries (including the same source port and query id) are
repeated over and over again whether a "refused" reply is provided or not.
It seems pretty clearly abusive to me even if the exact purpose of the abuse
is not so obvious yet.

>
>> Instead, when I notice particularly heavy abuse of my nameserver,
>> I apply packet filtering to prevent the abusive queries from reaching
>> my nameserver and therefore to prevent it responding to them.
>
> If all the problem traffic is sl. IN ANY, then I suggest permanently
> leaving in place a filter to drop those queries. Use a string match rule,
> like Grant Taylor suggested, but match the queries instead of the
> responses, so they don't clutter your query logs.
>

From what I can see, roughly half of the problem traffic is sl/IN/ANY and the
other half is ./IN/ANY.  Some of the problem traffic has source ports less
than 1024 and some doesn't. ([tos 0x8] is often thrown in for good measure
too. I wonder what that's about?)

It is possible for me to apply filtering that catches most or maybe all of
this but this only fixes the problem on my server and does nothing to prevent
the abuse of lots of other servers out there.

Besides, I'm not really that concerned about the effect on my nameserver, I am
more concerned about the effect of the abusive traffic being reflected by
my nameserver and various other nameservers onto innocent third parties
with little or no awareness that this is happening.

Also, I don't believe a sufficiently portable filtering mechanism exists
which can be deployed across all the platforms that bind can be deployed
on.

Even if everybody could start filtering queries for "sl" and the root
nameservers, what's to stop the abusers moving on to using a different
domain name when they discover this filtering being applied?

Instead, isn't it the case that bind knows what domains it is authoritative
for (or which ones it is supposed to be authoritative for) and bind is
therefore in the ideal position to know which queries are abusive and which
are not rather than wrapping kludgy filtering mechanisms around it?

If there is a resistance to having bind ignore the abusive queries
altogether, could we at least have something like "errors-per-minute 1"
which would reduce the problem by a factor of 60 compared with
"errors-per-second 1"?  "errors-per-hour 1" would be even better still :-)

Regards,
Peter Coghlan.

>
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
> Southwest Shannon: Southeasterly 4 or 5 increasing 6. Moderate
> becoming rough. Fair. Good.
> 

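The post above talks about two mechanisms: matching the offending query bytes
(sl/IN/ANY and ./IN/ANY) with a string-match packet filter, and having the
server treat a query outside its authoritative zones as a would-be REFUSED
response that is then rate limited per source, ideally at "errors-per-minute 1"
rather than per second. The following is an added example written for this
thread; it is not BIND's code, not code from the original post, and does not
claim to reproduce BIND's RRL implementation. It parses the question section
of a DNS query in wire format, prints the hex pattern such a question would
present to a string-match rule, decides whether the name falls inside a set of
authoritative zones (the zone names and sample source addresses are made up),
and applies a sliding-window refusal budget keyed by source prefix (/24 for
IPv4, /56 for IPv6, which are RRL's default prefix lengths).

```python
"""Classify incoming DNS queries the way the thread discusses.

Added example for the bind-users thread; not BIND code and not the poster's
code.  The zones, addresses and timestamps below are constructed for the demo.
"""
import ipaddress
import struct
from collections import deque

# Zones this server is authoritative for (hypothetical).
AUTH_ZONES = ("example.net.", "example.org.")

QTYPE_ANY = 255


def build_query(qname, qtype, qclass=1, txid=0x1234):
    """Wire-format DNS query with a single question; used to build samples."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b""
    for label in qname.rstrip(".").split("."):
        if label:  # the root name "." yields no labels, only the terminator
            name += bytes([len(label)]) + label.encode("ascii")
    name += b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)


def parse_question(pkt):
    """Return (qname, qtype, qclass) from the first question of a DNS message.

    Raises ValueError on truncated input or on a compression pointer, which
    has no business appearing in the question section of a query.
    """
    if len(pkt) < 12:
        raise ValueError("short header")
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question")
    labels = []
    pos = 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        if pos + length > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(pkt):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass


def question_hex(qname, qtype, qclass=1):
    """Hex of the question section, i.e. what a string-match rule would look for."""
    return build_query(qname, qtype, qclass)[12:].hex()


def in_authority(qname):
    """True if qname is at or below one of our zones."""
    return any(qname == z or qname.endswith("." + z) for z in AUTH_ZONES)


class RefusalBudget:
    """Sliding-window count of would-be REFUSED responses per source prefix.

    limit=1, window=60 is the "errors-per-minute 1" the post asks for.
    Keyed by /24 (IPv4) or /56 (IPv6), as BIND's RRL does by default.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.seen = {}

    def _key(self, src):
        ip = ipaddress.ip_address(src)
        plen = 24 if ip.version == 4 else 56
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def allow(self, src, now):
        q = self.seen.setdefault(self._key(src), deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def classify(pkt, src, now, budget):
    """'answer' for our zones, 'refused' while the budget lasts, else 'drop'."""
    try:
        qname, qtype, qclass = parse_question(pkt)
    except ValueError:
        return "drop"
    if in_authority(qname):
        return "answer"
    # Outside our authority: an authoritative-only server would send REFUSED,
    # and that response is still a packet reflected at the (spoofed) source.
    return "refused" if budget.allow(src, now) else "drop"


if __name__ == "__main__":
    for name in ("sl.", "."):
        print(name, "IN ANY question bytes:", question_hex(name, QTYPE_ANY))
    budget = RefusalBudget(limit=1, window=60)
    for t, src, name, qt in ((0.0, "198.51.100.7", "sl.", QTYPE_ANY),
                             (5.0, "198.51.100.9", ".", QTYPE_ANY),
                             (61.0, "198.51.100.7", "sl.", QTYPE_ANY),
                             (61.5, "198.51.100.7", "www.example.net.", 1)):
        print(t, src, name, "->", classify(build_query(name, qt), src, t, budget))
```

Two things worth noticing when running it. The question bytes for "sl." IN ANY
are 02 73 6c 00 00 ff 00 01, which is specific enough to match on; the bytes
for "." IN ANY are just 00 00 ff 00 01, and since every QNAME ends with a zero
byte that pattern occurs in every IN ANY query, so a string match for the root
query has to be anchored at the start of the question section (offset 12 into
the DNS payload) or it will catch all ANY queries. And because the budget is
keyed by the spoofed source, the second query from the same /24 within the
window is dropped without a response, which is the behaviour the post wants:
fewer REFUSED packets reflected at the real owner of that address.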

More information about the bind-users mailing list