Avoiding being used as DDoS reflector.
JINMEI Tatuya / 神明達哉
Jinmei_Tatuya at isc.org
Mon Jan 19 20:53:20 UTC 2009
At Mon, 19 Jan 2009 16:40:28 +1100,
Nathan Ollerenshaw <chrome at stupendous.net> wrote:
> I have an Authoritative BIND server. It is configured to only allow
> recursive queries from localhost, with recursion disabled for any
> remote clients.
[snip]
> The ideal solution for me, would be a bind configuration option that
> could rate limit responses based on type; so you could specify that a
> "REFUSED" reply will only be sent to a given host once per hour, or
> something like that.
Rate-limiting REFUSED responses doesn't make much sense in this
context, because the response messages are not (that) amplified in
packet size. Even if you rate-limited REFUSED responses, the attacker
could exploit other attack vectors. Especially in your case where the
server also acts as an authoritative server, the attacker would just
send a valid non-recursive query for a name in the authoritative zone
with a forged address.
IMO, it's not worth considering a countermeasure for non-amplifying
DoS attacks, especially if it can make the implementation complicated.
---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
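The point above (a REFUSED reply is the same size as the query, while a valid answer from the authoritative zone is what actually amplifies) can be checked by building the wire-format messages by hand. This is an added illustration, not code from the post or from BIND; the name, transaction id and addresses are constructed sample values.

```python
import struct

RCODE_REFUSED = 5  # RFC 1035 RCODE value for "Refused"

def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label format (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, rd: bool = False) -> bytes:
    """One question (IN class) after the 12-byte header; rd=False is a non-recursive query."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_refused(query: bytes) -> bytes:
    """REFUSED response: same id, question echoed back, no answer records."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | (flags & 0x0100) | RCODE_REFUSED  # QR set, RD copied, RCODE=5
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + query[12:]

def build_answer(query: bytes, addrs: list) -> bytes:
    """Authoritative NOERROR answer: one A record per address, owner name compressed."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8400 | (flags & 0x0100)  # QR + AA set, RD copied, RCODE=0
    rrs = b""
    for a in addrs:
        # 0xC00C is a compression pointer to offset 12, i.e. the question name
        rrs += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + a
    return struct.pack("!HHHHHH", txid, flags, qd, len(addrs), 0, 0) + query[12:] + rrs

def amplification(query: bytes, response: bytes) -> float:
    """Bytes sent to the spoofed victim per byte the attacker had to send."""
    return len(response) / len(query)

def compare(name: str = "www.example.com", n_records: int = 8) -> tuple:
    """Return (REFUSED ratio, authoritative-answer ratio) for a constructed query."""
    q = build_query(name)
    sample_addrs = [bytes([10, 0, 0, i + 1]) for i in range(n_records)]  # constructed 10.0.0.x
    return amplification(q, build_refused(q)), amplification(q, build_answer(q, sample_addrs))

if __name__ == "__main__":
    refused_ratio, answer_ratio = compare()
    print(f"REFUSED: x{refused_ratio:.2f}   authoritative answer: x{answer_ratio:.2f}")
```

For the constructed query the REFUSED reply comes back at exactly 1.0x, while an eight-record answer from the zone is almost 5x, which is why response-size limiting, not RCODE-based limiting, is the relevant control.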