Blocking DoS on Bind9
Barry Margolin
barmar at alum.mit.edu
Fri Aug 24 02:56:42 UTC 2007
In article <faita3$192k$1 at sf1.isc.org>,
Kevin Darcy <kcd at daimlerchrysler.com> wrote:
> The Doctor wrote:
> > Just wondering what methods can be used to stop DoS attacks
> > such as half-open connection overload on port 53 using named.conf ?
> >
> Neither BIND nor any purely user-space app can really prevent "half-open
> connection overload"s (are you trying to describe SYN flooding?), since
> they don't even see the incoming connection until and unless it's fully
> established.
Don't most Unix TCP implementations have SYN-flood protection built into
them these days? And I expect most high-end firewalls also do it at the
border. So it's not generally something one worries about in the
application.
The problem that might have to be dealt with in the application is
fully-open connection overload. Suppose a botnet opens thousands of TCP
connections to port 53; this might fill up the TCP stack's connection
queue.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
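The following script is an added example, not part of the thread and not BIND's code. It models the distinction Barry draws: the kernel handles SYN floods (on Linux, net.ipv4.tcp_syncookies), so what the application must defend against is the fully-open case, where every connection completes the handshake and then just sits there. The toy listener below applies the two controls an application has: a cap on simultaneous connections (the role BIND's tcp-clients option plays) and an idle timeout that reclaims slots from clients that never send a request. The "botnet" is a handful of idle loopback connections constructed here for the demonstration; the cap behaviour (shedding newcomers at accept time) is a simplification and does not reproduce how named itself reacts when tcp-clients is reached.

```python
"""Added example: fully-open TCP connection overload against a listener and
the two application-side controls against it, a connection cap and an idle
timeout.  Toy stand-in for a DNS server's TCP listener, not BIND."""
import socket
import threading
import time


class CappedTcpServer:
    """Listen on loopback; serve at most max_clients connections at once."""

    def __init__(self, max_clients, idle_timeout):
        self.max_clients = max_clients
        self.idle_timeout = idle_timeout
        self._active = 0
        self._lock = threading.Lock()
        self.refused = 0   # closed at accept time because the cap was hit
        self.reaped = 0    # closed because the client sat idle too long
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))   # kernel picks a free port
        self._sock.listen(64)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self._sock.accept()
            except OSError:        # listening socket closed by close()
                return
            with self._lock:
                if self._active >= self.max_clients:
                    # Cap reached: shed the newcomer instead of holding it.
                    self.refused += 1
                    conn.close()
                    continue
                self._active += 1
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        conn.settimeout(self.idle_timeout)
        try:
            request = conn.recv(512)
            if request:
                conn.sendall(b"reply:" + request)
        except socket.timeout:
            # Idle client: reclaim the slot it was holding.
            with self._lock:
                self.reaped += 1
        except OSError:
            pass
        finally:
            conn.close()
            with self._lock:
                self._active -= 1

    def active(self):
        with self._lock:
            return self._active

    def close(self):
        self._sock.close()


def flood_idle(port, count):
    """Open `count` connections and hold them open without sending anything."""
    return [socket.create_connection(("127.0.0.1", port)) for _ in range(count)]


def query(port, payload=b"example.com A"):
    """A legitimate client: connect, send one request, return the reply,
    or None if the server dropped the connection."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
            s.sendall(payload)
            return s.recv(512) or None
    except OSError:
        return None


def wait_until(predicate, deadline=5.0):
    """Poll until predicate() holds; raise if the deadline passes."""
    end = time.monotonic() + deadline
    while not predicate():
        if time.monotonic() > end:
            raise TimeoutError("condition not met in time")
        time.sleep(0.01)


def demonstrate(max_clients=3, idle_timeout=1.0):
    """Fill the cap with idle connections, show a real query being shed,
    then show the idle timeout freeing the slots again."""
    server = CappedTcpServer(max_clients, idle_timeout)
    held = []
    try:
        held = flood_idle(server.port, max_clients)      # the "botnet"
        wait_until(lambda: server.active() == max_clients)
        during_flood = query(server.port)                # shed: cap is full
        wait_until(lambda: server.active() == 0, deadline=idle_timeout * 10)
        after_timeout = query(server.port)               # served again
        return {"during_flood": during_flood, "after_timeout": after_timeout,
                "refused": server.refused, "reaped": server.reaped}
    finally:
        for s in held:
            s.close()
        server.close()


if __name__ == "__main__":
    print(demonstrate())
```

Without the idle timeout the held connections would occupy the cap indefinitely and every later legitimate query would be shed; with it, the slots come back after idle_timeout seconds. The cap is what keeps the process itself from running out of descriptors or threads, but note that it does nothing for the kernel's accept queue (BIND's tcp-listen-queue option sizes that), which is why a flood that stays under the cap but above the backlog still needs kernel-side or border-firewall protection, as the message says.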