Blocking DoS on Bind9
Mark Andrews
Mark_Andrews at isc.org
Thu Aug 23 03:20:51 UTC 2007
> The Doctor wrote:
> > Just wondering what methods can be used to stop DoS attacks
> > such as half-open connection overload on port 53 using named.conf?
> >
> Neither BIND nor any purely user-space app can really prevent "half-open
> connection overloads" (are you trying to describe SYN flooding?), since
> they don't even see the incoming connection until and unless it's fully
> established.
>
> You'd need something with deeper hooks into the TCP/IP stack, or a
> separate device, in order to prevent those.
>
> It should be noted that most normal DNS traffic uses UDP not TCP. Unless
> you're serving up a lot of huge RRsets that necessitate TCP retries, it
> should be fairly easy to set, within your Intrusion Prevention device or
> firewall, a reasonable threshold on SYN packets incoming to port 53. You
> might want to make exceptions, of course, for slaves that use the
> standard AXFR/IXFR-based method for replication of zone data, since that
> uses TCP as well (IXFR can use UDP, but will fail over to AXFR under
> certain circumstances, that's why I lump them together).
>
> - Kevin
Named will also, by default, use the "dataready" accept
filter if it is available. There has also been some work
done on a "dnsready" accept filter. The listen queue length
is also controllable from named.conf (tcp-listen-queue).
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
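The two halves of the advice above, as an added example that is not part of the original thread or of ISC's own documentation: a firewall-side threshold on incoming SYNs to TCP/53 that exempts the zone-transfer peers (Kevin's point), and the named.conf knob Mark mentions. The addresses, the chain name and the rate values are constructed for illustration; IPT defaults to a dry run that only prints the iptables commands, so the script is safe to run without root.

```shell
#!/bin/sh
# Added example, not code from the bind-users thread or from BIND.
# IPT defaults to a dry run (prints the commands); set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
# Constructed: secondaries that pull AXFR/IXFR from this master over TCP.
SLAVES="${SLAVES:-192.0.2.10 192.0.2.11}"
# Hypothetical threshold for new TCP/53 connections from everyone else.
SYN_RATE="${SYN_RATE:-20/second}"
SYN_BURST="${SYN_BURST:-50}"

# Emit the rules. Known slaves are accepted before the rate limit so a flood
# from elsewhere cannot starve zone replication; anything above the threshold
# is dropped. Only SYNs (new connections) are steered into the chain, so UDP/53
# and established TCP sessions are untouched.
dns_syn_rules() {
    $IPT -N DNS-TCP 2>/dev/null || true
    $IPT -F DNS-TCP
    for s in $SLAVES; do
        $IPT -A DNS-TCP -s "$s" -j ACCEPT
    done
    $IPT -A DNS-TCP -m limit --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j ACCEPT
    $IPT -A DNS-TCP -j DROP
    $IPT -A INPUT -p tcp --dport 53 --syn -j DNS-TCP
}

# The user-space side: the named.conf options Mark refers to. The values are
# illustrative, not BIND's defaults.
named_tcp_options() {
    cat <<'EOF'
options {
    tcp-listen-queue 50;   // listen(2) backlog named requests for TCP/53
    tcp-clients 100;       // cap on simultaneous established TCP clients
};
EOF
}

dns_syn_rules
named_tcp_options
```

The `limit` match is a single global bucket, which is what "a reasonable threshold on SYN packets incoming to port 53" describes; if one source should not be able to consume the whole budget, `-m hashlimit --hashlimit-mode srcip` gives a per-source bucket with the same structure. The named.conf fragment only bounds the listen backlog and established clients; as Kevin notes, it cannot see connections that never complete the handshake.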