Blocking DoS on Bind9 - BIND mitigating abuseware traffic

Fr34k freaknetboy at yahoo.com
Fri Sep 7 00:27:21 UTC 2007


Hello List,

What other tips/suggestions/options do we have to help deal with abuseware traffic?

I am aware of limiting recursive queries to authorized hosts via allow-query/allow-recursion, which is helpful in limiting exposure. However, consider authorized hosts.

For example, spam sending zombie PCs making hundreds/thousands of MX queries in minutes. Until such machines are inoculated, how can BIND be tweaked so such traffic does not compromise legitimate queries?

Note that this is just an example and I am open to any suggestions.

Thank you -- Chris
  
Mark Andrews <Mark_Andrews at isc.org> wrote:
  
> The Doctor wrote:
> > Just wondering what methods can be used to stop DoS attacks
> > such as half-open connection overload on port 53 using named.conf ?
> > 
> Neither BIND nor any purely user-space app can really prevent "half-open 
> connection overload"s (are you trying to describe SYN flooding?), since 
> they don't even see the incoming connection until and unless it's fully 
> established.
> 
> You'd need something with deeper hooks into the TCP/IP stack, or a 
> separate device, in order to prevent those.
> 
> It should be noted that most normal DNS traffic uses UDP not TCP. Unless 
> you're serving up a lot of huge RRsets that necessitate TCP retries, it 
> should be fairly easy to set, within your Intrusion Prevention device or 
> firewall, a reasonable threshold on SYN packets incoming to port 53. You 
> might want to make exceptions, of course, for slaves that use the 
> standard AXFR/IXFR-based method for replication of zone data, since that 
> uses TCP as well (IXFR can use UDP, but will fail over to AXFR under 
> certain circumstances, that's why I lump them together).
> 
> - Kevin

Named will also, by default, use the "dataready" accept
filter if it is available. There has also been some work
done on a "dnsready" accept filter. The listen queue length
is also controllable from named.conf (tcp-listen-queue).

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
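Chris's example of zombie PCs issuing hundreds of MX queries in minutes is something a resolver operator can spot in BIND's query log before touching named.conf. The following is an added example, not code from this thread or from ISC: it parses BIND 9 `category queries` log lines (the line shape, the constructed sample log and the 100-queries-per-minute threshold are assumptions) and reports clients whose MX query rate in any one-minute sliding window exceeds the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed BIND 9 query-log line shape (enable with `logging { category queries { ... }; }`):
#   DD-Mon-YYYY HH:MM:SS.mmm client <ip>#<port>: query: <name> IN <type> <flags>
# Newer releases insert "@0x..." after "client" and append "(server-ip)"; both are tolerated.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for lines that are not queries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("name"), m.group("qtype")

def find_query_floods(lines, qtype="MX", window=timedelta(minutes=1), threshold=100):
    """Map client IP -> peak number of `qtype` queries seen inside any sliding `window`,
    for clients whose peak exceeds `threshold`. Other query types are ignored."""
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and parsed[3] == qtype:
            per_client[parsed[1]].append(parsed[0])
    offenders = {}
    for ip, times in per_client.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders

def _constructed_sample():
    """Constructed log: one zombie (150 MX queries in 30 s) and one quiet mail host."""
    base = datetime(2007, 9, 7, 0, 27, 21)
    fmt = lambda t: f"{t.strftime('%d-%b-%Y %H:%M:%S')}.{t.microsecond // 1000:03d}"
    lines = [f"{fmt(base + timedelta(seconds=i * 0.2))} client 192.0.2.77#5123: query: host{i}.test IN MX +"
             for i in range(150)]
    lines += [f"{fmt(base + timedelta(seconds=i * 10))} client 192.0.2.10#40001: query: mail.test IN MX +"
              for i in range(3)]
    lines.append(f"{fmt(base)} client 192.0.2.10#40002: query: www.test IN A +")
    return lines

SAMPLE_LOG = _constructed_sample()

def flood_report():
    return find_query_floods(SAMPLE_LOG)

if __name__ == "__main__":
    for ip, peak in flood_report().items():
        print(f"{ip}: {peak} MX queries in one minute")
```

Clients flagged this way can then be excluded from allow-recursion or rate-limited at the firewall, which is where the thread's other replies put the enforcement.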