Blocking DoS on Bind9 - BIND mitigating abuseware traffic

Mark Andrews Mark_Andrews at isc.org
Fri Sep 7 01:24:44 UTC 2007


> Hello List,
>    
>   What other tips/suggestions/options do we have to help deal with abuseware 
> traffic?
>    
>   I am aware of limiting recursive queries to authorized hosts via
> allow-query/allow-recursion, which is helpful in limiting exposure. However,
> consider authorized hosts.
>    
>   For example, spam-sending zombie PCs making hundreds/thousands of MX
> queries in minutes. Until such machines are inoculated, how can BIND be
> tweaked so such traffic does not compromise legitimate queries?
>    
>   Note that this is just an example and I am open to any suggestions.
>    
>   Thank you -- Chris

	Put the machine in a walled garden.  Give it its own resolver
	to share with all the rest of the machines in the walled garden.
	That way it is not causing your other customers problems and it
	is not causing the rest of the world problems either.

	Just about all ISPs have clauses in their AUPs against this sort
	of thing.  They really should be exercised.

> Mark Andrews <Mark_Andrews at isc.org> wrote:
>   
> > The Doctor wrote:
> > > Just wondering what methods can be used to stop DoS attacks
> > > such as half-open connection overload on port 53 using named.conf ?
> > > 
> > Neither BIND nor any purely user-space app can really prevent "half-open 
> > connection overloads" (are you trying to describe SYN flooding?), since 
> > they don't even see the incoming connection until and unless it's fully 
> > established.
> > 
> > You'd need something with deeper hooks into the TCP/IP stack, or a 
> > separate device, in order to prevent those.
> > 
> > It should be noted that most normal DNS traffic uses UDP not TCP. Unless 
> > you're serving up a lot of huge RRsets that necessitate TCP retries, it 
> > should be fairly easy to set, within your Intrusion Prevention device or 
> > firewall, a reasonable threshold on SYN packets incoming to port 53. You 
> > might want to make exceptions, of course, for slaves that use the 
> > standard AXFR/IXFR-based method for replication of zone data, since that 
> > uses TCP as well (IXFR can use UDP, but will fail over to AXFR under 
> > certain circumstances; that's why I lump them together).
> > 
> > - Kevin
> 
> Named will also, by default, use the "dataready" accept
> filter if it is available. There has also been some work
> done on a "dnsready" accept filter. The listen queue length
> is also controllable from named.conf (tcp-listen-queue).
> 
> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
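The thread above identifies the abusive clients by hand and then walls them off. The script below is an added example, not code from this thread or from ISC, that automates both halves of that answer: it scans BIND 9 query-log lines with a per-client sliding window to find hosts sending an unreasonable number of MX queries, then emits the named.conf `acl` for those hosts and one way of giving them "their own resolver": a `view` that matches the acl and forwards everything to a separate resolver. Assumptions, all mine: the log line format in `LOG_RE` (two BIND 9 query-log variants; check against your version's output), the `THRESHOLD`/`WINDOW_SECONDS` knobs, the placeholder garden resolver `192.0.2.53`, and the sample log, which is constructed, not captured traffic.

```python
"""Flag MX-hammering resolver clients in BIND 9 query logs and emit the
named.conf pieces for the walled-garden approach. Added example; all
formats, thresholds and addresses are assumptions, see comments."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 100              # assumed: >100 queries of one type per window is abuse
WINDOW_SECONDS = 60          # assumed: sliding-window length
GARDEN_RESOLVER = "192.0.2.53"   # placeholder: the walled garden's own resolver

# Assumed BIND 9 query-log formats (enable logging with: rndc querylog):
#   07-Sep-2007 01:24:44.123 client 192.0.2.10#53124: query: host.example.net IN MX +
#   ... queries: info: client @0x7f0f1c0 192.0.2.30#1234 (q): query: q IN MX +E(0)K (...)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(?:queries: info: )?client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) "
)


def parse_line(line):
    """Return {'ts', 'ip', 'qname', 'qtype'} for a query-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
            "ip": m.group("ip"), "qname": m.group("qname"), "qtype": m.group("qtype")}


def find_abusers(lines, qtype="MX", threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {client_ip: peak_count} for clients that sent more than `threshold`
    `qtype` queries inside some `window`-second interval. Lines are expected in
    chronological order, as in a log file; other query types are ignored."""
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != qtype:
            continue
        ip, ts = rec["ip"], rec["ts"]
        dq = recent[ip]
        dq.append(ts)
        while (ts - dq[0]).total_seconds() > window:   # drop what fell out of the window
            dq.popleft()
        if len(dq) > threshold and len(dq) > peaks.get(ip, 0):
            peaks[ip] = len(dq)
    return peaks


def walled_garden_acl(abusers, acl_name="walled-garden"):
    """named.conf acl listing the flagged clients as /32 (or /128) prefixes."""
    entries = "".join(f"    {ip}/{'128' if ':' in ip else '32'};\n" for ip in sorted(abusers))
    return f'acl "{acl_name}" {{\n{entries}}};\n'


def walled_garden_view(acl_name="walled-garden", resolver=GARDEN_RESOLVER):
    """One way to give the garden its own resolver: a view matching only the acl
    that forwards all recursion elsewhere. Place it before the view your other
    customers match; once views are used, every zone must live inside a view."""
    return (f'view "{acl_name}" {{\n'
            f"    match-clients {{ {acl_name}; }};\n"
            f"    recursion yes;\n"
            f"    forward only;\n"
            f"    forwarders {{ {resolver}; }};\n"
            f"}};\n")


def constructed_log():
    """Constructed sample log (not real traffic): a zombie sending 150 MX queries
    in 30 s, an MTA doing 5 MX lookups, a slow client doing one MX per 30 s in
    the newer log format, and a burst of A queries that must be ignored."""
    t0 = datetime(2007, 9, 7, 1, 0, 0)
    fmt = lambda t: f"{t:%d-%b-%Y %H:%M:%S}.{t.microsecond // 1000:03d}"
    lines = []
    for i in range(150):
        t = t0 + timedelta(milliseconds=200 * i)
        lines.append(f"{fmt(t)} client 192.0.2.10#53124: query: host{i}.example.net IN MX +")
    for i in range(5):
        t = t0 + timedelta(seconds=6 * i)
        lines.append(f"{fmt(t)} client 192.0.2.20#40001: query: mx{i}.example.org IN MX +")
    for i in range(20):
        t = t0 + timedelta(seconds=30 * i)
        lines.append(f"{fmt(t)} queries: info: client @0x7f0f1c0 192.0.2.30#1234 "
                     f"(www{i}.example.com): query: www{i}.example.com IN MX +E(0)K (192.0.2.1)")
    for i in range(300):
        t = t0 + timedelta(milliseconds=100 * i)
        lines.append(f"{fmt(t)} client 192.0.2.40#2222: query: a{i}.example.com IN A +")
    lines.sort()                     # chronological, as a real log would be
    return lines


if __name__ == "__main__":
    abusers = find_abusers(constructed_log())     # {'192.0.2.10': 150}
    print(walled_garden_acl(abusers))
    print(walled_garden_view())
```

Run it against a real query log by replacing `constructed_log()` with the file's lines; the window is per client, so a busy but well-behaved MTA with a few MX lookups per minute is not flagged, while a zombie's burst is caught as soon as it crosses the threshold. The acl and view are only the BIND side of the walled garden; the AUP enforcement Mark mentions is a separate, human step.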


