DNS queries limitation by host ?

phn at icke-reklam.ipsec.nu
Tue Aug 24 15:07:29 UTC 2004


Ladislav Vobr <lvobr at ies.etisalat.ae> wrote:

>> However, there are more sophisticated DNS (D)DoS attacks possible, 
>> including:
>> 1. Querying a wide range of long-TTL names with the aim of filling up 
>> the cache with junk, or
>> 2. Querying names which are known to have unreachable nameservers, 
>> broken delegations, or other forms of DNS nastiness, with the aim of 
>> busying out the victim resolver with retries, error recovery, logging, etc.
>> 
>> These kinds of (D)DoS attacks might give more "bang for the buck" per 
>> query and thus allow the attack to succeed even as it flies under the 
>> radar of a router-based rate-limiting scheme. It might be impossible in 
>> some scenarios (because the routers don't have access to the resolver's 
>> state information), or at the very least cost-prohibitive, to put code in 
>> the routers to foil such attacks, and therefore it might be better to put it 
>> in the resolver code.

> It is not so difficult to get bind to amplify 1 UDP packet a hundred, two 
> hundred times, and it is done so quietly that nobody (administrators) 
> has a clue about it: no logs, no warnings. It is bind's internal design. 
> I did a simple test with some unreachable nameservers; for 1 request bind 
> sent 125 outgoing requests.

> This kind of flooding is daily routine for many authoritative servers, 
> since their brothers :-) high-rate recursive bind servers (who don't 
> cache timeouts, don't cache servfail, don't slow down with the time, and 
> don't provide all that they cache) send out 10, 20, 100 ... times 
> amplified requests to the authoritative servers. Definitely there is 
> some misconfiguration in place, but usually on the authoritative server 
> side (zone expired, misconfiguration, servfail, reachability...), not 
> on the recursive server side. What happens is that providers block the 
> source of such floods, which are recursive bind nameservers configured 
> as per the best recommendations, basically doing what bind developers 
> think is perfectly fine to do.

> We have been blocked several times because of excessive traffic from our 
> recursive bind servers to remote authoritative servers. What can we do 
> about it, when bind itself doesn't even bother to log unreachable 
> servers or the recursive queue details?

> Does anybody know how to configure the firewall so it will not let a 
> random user fill up the recursive-client queue, or how to configure the 
> firewall so it will not let bind flood a random misconfigured 
> destination with its full bandwidth and still provide the service to 
> the rest of the users?

Use access-lists on recursive servers (only allow your own hosts), and 
have no-recursion on your authoritative servers. Is that what you mean?

-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
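The split Peter describes (recursion only for your own hosts on the resolver, no recursion at all on the authoritative server) as an added named.conf example. This is not from the original thread or from BIND's own documentation; the networks 192.0.2.0/24 and 2001:db8::/32, the zone example.net and the file paths are placeholders for your own values, and the two `options` blocks belong in two separate named.conf files, one per server role.

```conf
// Added example, not from the bind-users thread above or from ISC.
// Two separate named.conf files: one for the recursive resolver, one
// for the authoritative server. 192.0.2.0/24, 2001:db8::/32 and
// example.net are placeholders (assumption: replace with your own).

// ===== File 1: named.conf on the RECURSIVE resolver =====
acl "our-hosts" {
    localhost;
    localnets;
    192.0.2.0/24;      // your client networks (placeholder)
    2001:db8::/32;     // your client networks (placeholder)
};

options {
    directory "/var/named";
    // Weak setting: this is the open resolver the thread complains about.
    // Anyone on the Internet can make the server recurse on their behalf:
    //   recursion yes;
    //   allow-recursion { any; };
    //
    // Corrected: only our own hosts may trigger recursion, so a random
    // outside user cannot fill the recursive-client queue or make this
    // server flood a third party's misconfigured authoritative servers.
    recursion yes;
    allow-recursion { our-hosts; };
    allow-query     { our-hosts; };
    // BIND 9.4 and later: keep cached data from outsiders as well.
    allow-query-cache { our-hosts; };
};

// ===== File 2: named.conf on the AUTHORITATIVE server =====
options {
    directory "/var/named";
    // An authoritative server answers only for its own zones and never
    // looks anything up on behalf of a client, so it cannot be used to
    // drive retries toward other people's nameservers.
    recursion no;
    allow-query { any; };
};

zone "example.net" {
    type master;
    file "example.net.zone";   // placeholder path
};
```

To check the result from a host outside `our-hosts`, run `dig @<server> +recurse <some name you are not authoritative for>`: a correctly restricted server does not return an answer for that name and the flags line of the reply no longer shows `ra` (recursion available). Note that this only keeps strangers from using your resolver; it does not change how many outgoing packets BIND sends per legitimate query toward an unreachable nameserver, which is the separate complaint raised in the quoted message.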

