DNS queries limitation by host ?

Ladislav Vobr lvobr at ies.etisalat.ae
Tue Aug 24 07:35:45 UTC 2004


> However, there are more sophisticated DNS (D)DoS attacks possible, 
> including:
> 1. Querying a wide range of long-TTL names with the aim of filling up 
> the cache with junk, or
> 2. Querying names which are known to have unreachable nameservers, 
> broken delegations, or other forms of DNS nastiness, with the aim of 
> busying out the victim resolver with retries, error recovery, logging, etc.
> 
> These kinds of (D)DoS attacks might give more "bang for the buck" per 
> query and thus allow the attack to succeed even as it flies under the 
> radar of a router-based rate-limiting scheme. It might be impossible in 
> some scenarios (because the routers don't have access to the resolver's 
> state information) or at the very least cost-prohibitive, to put code in 
> the routers to foil such attacks, and therefore it might be better to put 
> it in the resolver code.

It is not so difficult to get BIND to amplify 1 UDP packet a hundred, two 
hundred times, and it is done so quietly that nobody (administrators) 
has a clue about it: no logs, no warnings. It is BIND's internal design. 
I did a simple test with some unreachable nameservers; for 1 request BIND 
sent 125 outgoing requests.

This kind of flooding is a daily routine for many authoritative servers, 
since their brothers :-) high-rate recursive BIND servers (which don't 
cache timeouts, don't cache SERVFAIL, don't slow down with time, and 
don't provide all of what they cache) send out 10, 20, 100 ... times 
amplified requests to the authoritative servers. Definitely there is 
some misconfiguration in place, but usually on the authoritative server 
side (zone expired, misconfiguration, SERVFAIL, reachability...), not 
on the recursive server side. What happens is that providers block the 
source of such floods, which are recursive BIND nameservers, configured 
as per the best recommendations, basically doing what BIND developers 
think is perfectly fine to do.

We have been blocked several times because of excessive traffic from our 
recursive BIND servers to remote authoritative servers. What can we do 
about it, when BIND itself doesn't even bother to log unreachable 
servers or the recursive queue details?

Does anybody know how to configure the firewall so it will not let a 
random user fill up the recursive-client queue, or how to configure the 
firewall so it will not let BIND flood a random misconfigured 
destination with its full bandwidth, and still provide the service to 
the rest of the users?

Misconfiguration, reachability issues, expired zones: these are daily 
problems, they are not specially crafted hacker's packets. I don't know 
of a similar application which faces daily problems with such an 
incredible amount of its own and remote-side resources, and without any 
warning (on the caching server side).

Ladislav
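One way to see the amplification the post measures (1 request in, 125 requests out) without BIND's cooperation is to count queries at the network edge and flag the destinations that receive the retry bursts. This is an added example, not code from the thread or from BIND; the packet records, addresses and names are constructed, and the per-query threshold is an assumed value:

```python
"""Estimate recursive-resolver query amplification from edge traffic.

Added example, not from the thread. Input is a constructed capture of
UDP/53 packets at the resolver's edge, one tuple per packet:
(direction, peer_ip, qname), "in" = client query arriving, "out" =
resolver query leaving for an authoritative server.
"""
from collections import Counter, defaultdict

# Constructed sample (RFC 5737 addresses): one client query for a name
# delegated to two unreachable nameservers yields six retries to each;
# a healthy name yields one outbound query; a cached name yields none.
SAMPLE = [("in", "10.0.0.5", "www.example.net.")]
for ns in ("192.0.2.10", "192.0.2.11"):
    SAMPLE += [("out", ns, "www.example.net.")] * 6
SAMPLE += [("in", "10.0.0.7", "www.example.org."),
           ("out", "198.51.100.2", "www.example.org."),
           ("in", "10.0.0.9", "cached.example.com.")]

def amplification(records):
    """Per qname: (inbound count, outbound count, outbound per inbound)."""
    inbound, outbound = Counter(), Counter()
    for direction, _peer, qname in records:
        (inbound if direction == "in" else outbound)[qname] += 1
    result = {}
    for qname in set(inbound) | set(outbound):
        i, o = inbound[qname], outbound[qname]
        result[qname] = (i, o, o / i if i else float("inf"))
    return result

def noisy_destinations(records, max_per_query=5.0):
    """Peers that get more than max_per_query outbound packets per client
    query for some name: the servers that will see us as a flood source."""
    inbound = Counter(q for d, _, q in records if d == "in")
    per_dest = defaultdict(Counter)
    for d, peer, q in records:
        if d == "out":
            per_dest[peer][q] += 1
    flagged = {}
    for peer, names in per_dest.items():
        worst = max(names[q] / max(inbound[q], 1) for q in names)
        if worst > max_per_query:
            flagged[peer] = round(worst, 1)
    return flagged

if __name__ == "__main__":
    for name, (i, o, ratio) in sorted(amplification(SAMPLE).items()):
        print(f"{name:24} in={i} out={o} amplification={ratio:.1f}")
    print("noisy destinations:", noisy_destinations(SAMPLE))
```

Feeding real records into it requires only a capture at the resolver's uplink, since the measurement does not depend on any resolver logging.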
