Dropping external recursive requests
Mark_Andrews at isc.org
Thu Dec 4 02:15:10 UTC 2008
In message <535d31e1-08e9-4e3c-aa94-f127f2ae4220 at 41g2000yqf.googlegroups.com>,
john at feith.com writes:
> On Dec 3, 6:26 pm, Mark Andrews <Mark_Andr... at isc.org> wrote:
> > If it is a forged packet it should be dropped regardless of the setting
> > of RD.
> True, however not something that's easily determined from a distance.
> Ideally ingress filtering would render this a non-issue, however
> there obviously holes in the current filtering done by ISPs.
> > If the only reason to think the packet is forged is the setting
> > of RD=1 then the OP has committed a reasoning error.
> The situation that we've encountered on a couple of occasions
> is a steady stream (several a second) of the exact same query
> with the same source address for several days. When we contact
> the owner of the source address, they state they're under DDoS
> attack and are not the source of the request. Part of the attack
> they experience is the Refused response from our DNS server.
And you are also under attack so dropping in *that* case
is acceptable. You have identified that dropping recursive
queries from *that* source will cause no harm.
You configuration has already mitigated a large proportion
of the damage by not amplifying the traffic. Dropping rd=1
packets won't stop reflector attacks.
If you are running a authoritative server you are a potential
reflector and there is nothing you can do to prevent it being
> > Also rd being set my just be the result of someone testing with
> > a tool which sets rd by default.
> In which case they can change the setting.
And how are they to realise that without a reply?
I'm getting no response so maybe I need to disable recursion
is not part of the standard diagnotic steps. Read the list
and see how many times we tell people to disable recursion
when testing a delegation and that with replies.
> Which is worst ... occasionally dropping a request from someone
> using a misconfigured tool / server, or participating in a larger
> DDoS attack?
> Granted that dropping external requests with RD=1 doesn't
> eliminate the potiental for DDoS attacks, it just changes it.
> > One needs to be really, really careful here.
> Understood ... and I realize that things shouldn't be oversimplified
> (i.e. by assuming RD=1 must mean an evil request). Part of the
> purpose for this post is to start a discussion on the pros / cons.
That discussion has been done to death elsewhere.
> -- John
> john at feith.com
> bind-users mailing list
> bind-users at lists.isc.org
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users