Blocking DoS on Bind9
doctor at doctor.nl2k.ab.ca
Thu Aug 23 14:09:44 UTC 2007
On Thu, Aug 23, 2007 at 01:20:51PM +1000, Mark Andrews wrote:
> > The Doctor wrote:
> > > Just wondering what methods can be used to stop DoS attacks
> > > such as half-open connection overload on port 53 using named.conf ?
> > >
> > Neither BIND nor any purely user-space app can really prevent "half-open
> > connection overload"s (are you trying to describe SYN flooding?), since
> > they don't even see the incoming connection until and unless it's fully
> > established.
> > You'd need something with deeper hooks into the TCP/IP stack, or a
> > separate device, in order to prevent those.
> > It should be noted that most normal DNS traffic uses UDP not TCP. Unless
> > you're serving up a lot of huge RRsets that necessitate TCP retries, it
> > should be fairly easy to set, within your Intrusion Prevention device or
> > firewall, a reasonable threshold on SYN packets incoming to port 53. You
> > might want to make exceptions, of course, for slaves that use the
> > standard AXFR/IXFR-based method for replication of zone data, since that
> > uses TCP as well (IXFR can use UDP, but will fail over to AXFR under
> > certain circumstances, that's why I lump them together).
> > - Kevin
> Named will also, by default, use the "dataready" accept
> filter if it is available. There has also been some work
> done on a "dnsready" accept filter. The listen queue length
> is also controllable from named.conf (tcp-listen-queue).
Can someone limit the milliseconds this function uses?
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
Member - Liberal International
This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Patriots! Make your declaration of loyalty!
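Added example, not from this thread and not ISC's or anyone else's shipped configuration: a shell script that prints (but does not apply) the two pieces Kevin and Mark describe, an nftables rule that drops bare SYNs to port 53/tcp above a rate threshold while exempting listed secondaries so AXFR/IXFR over TCP is never throttled, and a named.conf options fragment setting tcp-listen-queue. The secondary addresses, the rate, the burst and the queue length are assumed placeholder values.

```sh
#!/bin/sh
# Added example (not from the thread): generate, but do not apply, the
# firewall and named.conf fragments for throttling TCP SYNs to port 53.
# Every address and threshold below is a constructed placeholder.

SLAVES="${SLAVES:-192.0.2.10 192.0.2.11}"  # assumed secondaries (RFC 5737 documentation range)
SYN_RATE="${SYN_RATE:-50}"                 # assumed threshold: new SYNs per second to port 53
SYN_BURST="${SYN_BURST:-100}"              # assumed burst allowance before dropping
LISTEN_QUEUE="${LISTEN_QUEUE:-128}"        # assumed TCP listen backlog for named

# Emit an nftables ruleset: zone-transfer peers bypass the limit, everything
# else reaching port 53/tcp with a bare SYN is rate-limited, counted and dropped.
gen_dns_syn_rules() {
    slaves=$(printf '%s' "$SLAVES" | sed 's/ /, /g')
    cat <<EOF
table inet dns_guard {
    set secondaries {
        type ipv4_addr
        elements = { $slaves }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @secondaries tcp dport 53 accept
        tcp dport 53 tcp flags & (syn|ack) == syn limit rate over ${SYN_RATE}/second burst ${SYN_BURST} packets counter drop
    }
}
EOF
}

# Emit the named.conf options fragment that sets the listen queue length
# Mark mentions (tcp-listen-queue). Only the value is an assumption.
gen_named_tcp_options() {
    cat <<EOF
options {
    tcp-listen-queue ${LISTEN_QUEUE};
};
EOF
}

# Typical use: review the output, then load the ruleset with
#   gen_dns_syn_rules | nft -f -
# and merge the options fragment into named.conf before "rndc reconfig".
gen_dns_syn_rules
gen_named_tcp_options
```

The firewall rule is the part that actually addresses half-open floods, since named never sees a connection that has not completed the handshake; tcp-listen-queue only deepens the backlog of completed connections waiting for accept(). On Linux, enabling SYN cookies (net.ipv4.tcp_syncookies) in the kernel is the complementary control that keeps the backlog usable while the flood is under way.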