DNS Flood -- Help!
Mark Damrose
mdamrose at elgin.cc.il.us
Tue Jan 8 20:22:10 UTC 2002
<ewheeler at kaico.com> wrote in message news:a1fci7$kme at pub3.rc.vix.com...
>
>
> To whoever can help:
>
> We run a DNS server of a colocated facility with 90Mb/s capable
> throughput. We have recently been attacked by queries from the 'DNS
> Abuser' exploit written some time ago
> (http://www.securitybugware.org/mUNIXes/4198.html).
>
> Since we are DNS masters for many domains, we have to respond to DNS
> queries from anywhere and can not limit the service to some range of
> source addresses.
>
> #1. Is there a way to make bind respond to only queries requesting
> information about the zones which it is authoritative for, dropping the
> rest?
options {
    allow-query { none; };
    recursion no;
};
in each zone you are authoritative for:
zone "example.com" in {
    allow-query { any; };
};
>
> #2. To make the problem more complicated, there are also hosts which use
> our server as their primary DNS. This being said, I need to explicitly
> allow a set of source addresses to query the server in any way they
> choose, while conforming to #1 for all other queries.
I would recommend a separate server for this, but this should do the trick
as long as the IPs of your clients aren't spoofed.
acl clients { 1.2.3.4; 2.3.4.5; 3.4.5/24; 127.0.0.1; };
options {
    allow-query { clients; };
    recursion yes;
    allow-recursion { clients; };
};
zone "example.com" in {
    allow-query { any; };
};
>
> If #2 is not possible, a fix for #1 is imperative. I have to keep
> dropping these floods as they come about based on their source address
> (which are spoofed, as best I can tell) -- Under flooding circumstances,
> the server pushes at 4.5Mbit/s; we have a 45GB quota per month. Under a
> flood, we will use the entire quota in about 30 hours.
>
>
> Any input would be much appreciated.
> Thank you.
>
> --
>
> Eric Wheeler
> Network Administrator
> KAICO
> 20417 SW 70th Ave.
> Tualatin, OR 97062
> www.kaico.com
> Voice: 503.692.5268
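To see what the two configurations in the reply do to a given query, here is a small added model of BIND's allow-query / allow-recursion decision (example code written for this archive page, not BIND's own code or the poster's). It assumes a zone's allow-query overrides the global one and that a missing allow-recursion grants recursion to nobody; the configs and client addresses are constructed from the snippets above.

```python
import ipaddress

# Simplified model of how BIND applies allow-query / allow-recursion (illustration,
# not BIND code); ignores cache hits, views and TSIG keys.
def _expand(prefix):
    # BIND accepts abbreviated prefixes such as 3.4.5/24; pad to four octets.
    addr, _, length = prefix.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{length or 32}", strict=False)

def acl_match(acl, src, acls):
    """True if src matches the address_match_list; 'none' is a rejecting match."""
    ip = ipaddress.ip_address(src)
    for item in acl:
        if item == "any":
            return True
        if item == "none":
            return False
        if item in acls:                        # named acl, e.g. "clients"
            if acl_match(acls[item], src, acls):
                return True
        elif ip in _expand(item):
            return True
    return False

def decide(config, src, qname):
    """Return 'authoritative', 'recursive' or 'REFUSED' for a query from src."""
    opts, zones, acls = config["options"], config["zones"], config.get("acls", {})
    qname = qname.rstrip(".").lower()
    zone = next((z for z in sorted(zones, key=len, reverse=True)
                 if qname == z or qname.endswith("." + z)), None)
    # A zone's own allow-query overrides the global one; otherwise global applies.
    allow = zones[zone].get("allow-query", opts["allow-query"]) if zone else opts["allow-query"]
    if not acl_match(allow, src, acls):
        return "REFUSED"
    if zone:
        return "authoritative"
    # Other names need recursion (assumed: missing allow-recursion means none).
    if opts.get("recursion") and acl_match(opts.get("allow-recursion", ["none"]), src, acls):
        return "recursive"
    return "REFUSED"

# Constructed configs mirroring the two snippets in the reply above.
AUTH_ONLY = {"options": {"allow-query": ["none"], "recursion": False},
             "zones": {"example.com": {"allow-query": ["any"]}}}
WITH_CLIENTS = {"acls": {"clients": ["1.2.3.4", "2.3.4.5", "3.4.5/24", "127.0.0.1"]},
                "options": {"allow-query": ["clients"], "recursion": True,
                            "allow-recursion": ["clients"]},
                "zones": {"example.com": {"allow-query": ["any"]}}}
```

With the second configuration, decide(WITH_CLIENTS, "3.4.5.77", "www.example.net") returns 'recursive' while the same name from 198.51.100.7 is 'REFUSED', which is the behaviour asked for in #2.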