DNS queries limitation by host?

Danny Mayer mayer at gis.net
Tue Aug 24 16:58:14 UTC 2004


At 03:35 AM 8/24/2004, Ladislav Vobr wrote:

> > However, there are more sophisticated DNS (D)DoS attacks possible,
> > including:
> > 1. Querying a wide range of long-TTL names with the aim of filling up
> > the cache with junk, or
> > 2. Querying names which are known to have unreachable nameservers,
> > broken delegations, or other forms of DNS nastiness, with the aim of
> > busying out the victim resolver with retries, error recovery, logging, etc.
> >

Block recursion so you only respond to requests for which you are authoritative.

> > These kinds of (D)DoS attacks might give more "bang for the buck" per
> > query and thus allow the attack to succeed even as it flies under the
> > radar of a router-based rate-limiting scheme. It might be impossible in
> > some scenarios (because the routers don't have access to the resolver's
> > state information) or at the very least cost-prohibitive, to put code in
> > the routers to foil such attacks and therefore might be better to put it
> > in the resolver code.
>
>it is not so difficult to get bind to amplify 1 udp packet a hundred, two
>hundred times, and it is done so quietly that nobody (administrators)
>has a clue about it, no logs, no warnings. It is bind internal design.
>I did a simple test with some unreachable nameservers, for 1 request bind
>sent 125 outgoing requests.
>
>This kind of flooding is daily routine for many authoritative servers,
>since their brothers :-) high rate recursive bind servers (who don't
>cache timeouts, don't cache servfail, don't slow down with the time, and
>don't provide all of what they cache) send out 10, 20, 100 ... times
>amplified requests to the authoritative servers. Definitely there is
>some misconfiguration in place but usually on the authoritative server
>side (zone expired, misconfiguration, servfail, reachability...), but
>not on the recursive server side. What happens is that providers block the
>source of such floods, which are recursive bind nameservers, configured
>as per the best recommendations, basically doing what bind developers
>think is perfectly fine to do.
>
>We have been blocked several times, because of excessive traffic from our
>recursive bind servers to remote authoritative servers. What can we do
>about it, when bind itself doesn't even bother to log unreachable
>servers or the recursive queue details?

You need to remember that the DNS protocol is stateless. A nameserver
considers each query on its own without regard to previous queries. The only
information it saves in cache are responses to its own queries to other
nameservers. To add rate limiting would require changes to store previous
query information. It also requires a massive increase in memory to remember
that information as well as longer lookup times while it checks for previous
queries from the same source. You really want to do this? It's faster to
just send back an answer to the query.

Danny
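The two points in this reply, refusing recursion for names you are not authoritative for and the per-source state that rate limiting would force a nameserver to keep, can be made concrete with a small model. The following is an added example written for this page; it is not code from the thread or from BIND. The zones, the recursion ACL, the query list and the rate-limit parameters are all constructed. In BIND itself the first half corresponds to `recursion no;` or a restrictive `allow-recursion { ... };` ACL in named.conf; the second half shows the bookkeeping (a per-source table, bounded so memory cannot grow without limit) that a stateless server otherwise never has to do.

```python
"""Model of (1) answering only authoritative names unless the client may
recurse, and (2) per-source query rate limiting with bounded state.
Constructed example; not BIND's implementation."""
from collections import OrderedDict
from ipaddress import ip_address, ip_network
import time

# Constructed zone list and recursion ACL (assumptions for this example).
AUTHORITATIVE_ZONES = ("example.com.", "example.net.")
ALLOW_RECURSION = [ip_network("192.0.2.0/24")]


def in_authoritative_zone(qname):
    """True if qname is at or below one of our zones."""
    name = qname.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def recursion_allowed(src):
    addr = ip_address(src)
    return any(addr in net for net in ALLOW_RECURSION)


def classify_query(src, qname, rd):
    """Return 'answer', 'recurse' or 'refuse' for one query.
    'answer' is served from zone data and causes no outbound queries;
    'refuse' is the REFUSED response a non-recursive server gives."""
    if in_authoritative_zone(qname):
        return "answer"
    if rd and recursion_allowed(src):
        return "recurse"
    return "refuse"


class SourceRateLimiter:
    """Token bucket per source address, kept in a bounded LRU table.
    This table is exactly the state a stateless nameserver otherwise never
    keeps: every query now costs a lookup, and the cap on table size bounds
    memory at the price of forgetting the least recently seen sources."""

    def __init__(self, rate, burst, max_sources, clock=time.monotonic):
        self.rate = rate                # tokens refilled per second
        self.burst = burst              # bucket capacity
        self.max_sources = max_sources  # hard cap on tracked sources
        self.clock = clock
        self.buckets = OrderedDict()    # src -> [tokens, last_update]

    def allow(self, src):
        now = self.clock()
        if src in self.buckets:
            tokens, last = self.buckets.pop(src)
            tokens = min(self.burst, tokens + (now - last) * self.rate)
        else:
            tokens = float(self.burst)
            if len(self.buckets) >= self.max_sources:
                self.buckets.popitem(last=False)  # evict least recently seen
        ok = tokens >= 1.0
        if ok:
            tokens -= 1.0
        self.buckets[src] = [tokens, now]         # re-insert as most recent
        return ok


def process(queries, limiter):
    """queries: iterable of (src, qname, rd). Returns one decision per query;
    'drop' means the source exceeded its rate before classification."""
    decisions = []
    for src, qname, rd in queries:
        if not limiter.allow(src):
            decisions.append("drop")
        else:
            decisions.append(classify_query(src, qname, rd))
    return decisions


# Constructed query stream: (source address, qname, RD flag set).
SAMPLE_QUERIES = [
    ("192.0.2.10", "www.example.com.", True),   # our zone: answer
    ("192.0.2.10", "www.example.org.", True),   # allowed client: recurse
    ("203.0.113.5", "www.example.com.", True),  # anyone may ask our zone
    ("203.0.113.5", "www.example.org.", True),  # outsider wants recursion
    ("203.0.113.5", "example.net", False),      # third query, burst of 2 exceeded
]


def run_sample():
    # Fixed clock so the run is deterministic: no refill between queries.
    limiter = SourceRateLimiter(rate=10, burst=2, max_sources=1000, clock=lambda: 0.0)
    return process(SAMPLE_QUERIES, limiter)


if __name__ == "__main__":
    for q, d in zip(SAMPLE_QUERIES, run_sample()):
        print(d, q)
```

Running it shows the outsider's recursive query refused while its query for a name in our zone is still answered, and the third query from the same source dropped once its burst is spent. The `max_sources` cap is the part worth dwelling on: without it a flood from many spoofed sources grows the table without bound, which is the memory cost the reply warns about.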



More information about the bind-users mailing list