solutions to prevent DNS DoS attack

Simon Waters Simon at wretched.demon.co.uk
Thu Jan 24 15:25:44 UTC 2002


Yige Zhu wrote:
> 
> 1. set filters at the firewall before the DNS server and set policies
> to only allow source addresses belonging to the address range of the ISP, so
> the DNS server can only resolve the ISP's requests.

I assume this is a caching only server from your description!?

If the DoS is caused by the server being too busy CPU-wise with
queries then this would work, or you could restrict recursion to
the ISP's addresses in the named.conf file.

This of course assumes you filter spoofed packets "apparently
from" your own address ranges at the edges of your network.

Some ISPs leave their DNS servers open so that clients don't
have to change DNS settings when they have gone elsewhere; if
you want to offer this then you're kind of stuck with rate
limiting DNS packets from elsewhere on the Internet. Rate
limiting by destination port is done in some routers and some
firewalls.

Whether you firewall the addresses, or just block them on the
server in named.conf, it isn't a big task for modern network
equipment ASIC or not. Certainly it takes less CPU for named to
ignore a recursive query, so if the firewall is already busy
just change named.conf.

Of course if the DoS is caused by inbound traffic filling the
bandwidth up you'll need to filter further out, or speak with
peering and transit providers.

-- 
Are you using the Internet to best effect ? www.eighth-layer.com
Tel: +44(0)1395 232769      ICQ: 116952768
Moderated discussion of teleworking at news:uk.business.telework
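The named.conf change Simon suggests, shown as an added example (not from the post or from ISC): a caching-only server with recursion open to everyone, beside the same server with recursion limited to the ISP's own ranges via an acl. The ACL name and the 192.0.2.0/24 and 198.51.100.0/24 prefixes are placeholders; substitute the ISP's real address ranges. Older BIND releases apply no allow-recursion restriction unless one is configured, which is the open state the first fragment shows.

```conf
// Added example, not from the original post. Two alternative versions of the
// options block for a caching-only server; use one or the other, not both.

// --- Version 1: open recursion (the weak setting) ---
// With no allow-recursion statement, any address on the Internet can use this
// server as a recursive resolver, so any flood of recursive queries costs CPU.
options {
    directory "/var/named";
    recursion yes;
};

// --- Version 2: recursion restricted to the ISP's addresses ---
// Placeholder ranges; replace with the ISP's real customer and internal prefixes.
acl "isp-customers" {
    192.0.2.0/24;       // placeholder: customer address range
    198.51.100.0/24;    // placeholder: ISP internal range
    localhost;          // the server itself
};

options {
    directory "/var/named";
    recursion yes;
    // Recursive queries from anyone outside the acl are refused by named,
    // which is cheaper than answering them and avoids loading the firewall.
    allow-recursion { "isp-customers"; };
};
```

This only helps against the CPU-exhaustion case; it does nothing if inbound packets are filling the link, and it still assumes that packets spoofed "apparently from" the ISP's own ranges are dropped at the network edge, since such packets would match the acl.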


More information about the bind-users mailing list