Bind9 overloaded, recursive clients and timeout.

Kevin Oberman oberman at es.net
Wed Feb 10 16:09:59 UTC 2010


> Date: Wed, 10 Feb 2010 10:16:18 -0500
> From: Dave Sparro <dsparro at gmail.com>
> Sender: bind-users-bounces+oberman=es.net at lists.isc.org
> 
> On 2/9/2010 7:28 PM, Mark Andrews wrote:
> > In message<4B719346.4020002 at arcelormittal.com>, Cedric Lejeune writes:
> >    
> >> In fact, our firewall was doing some kind of traffic shaping (thanks
> >> Robert ;): if the number of requests of any type goes above a defined
> >> number, then block further requests.
> >>      
> > Care to share, with the list, the vendor and model numbers so that
> > others will be aware of what to look out for if they have or intend
> > purchasing the firewall.
> >    
> 
> I'd bet that any make/model of firewall can be configured to block or 
> hinder the very services they are intended to protect.

In general, stateful firewalls in front of servers are simply a DoS
vulnerability. They are almost always a bad idea (and the "almost" is
debatable). A typical UNIX server is quite capable of handling a DoS
load that will cause a stateful FW to close up shop and die.

Firewalls are fine for protecting clients, but are of little or no use
for protecting servers. Unfortunately, many places have rules mandating
firewalls and they are sitting ducks, but I have tried to explain the
issue to the security folks who simply say that you MUST have a
firewall. A good solution is to simply configure the firewall to act as a
stateless device and just pass traffic that was not blocked by the ACL.

A real-time black hole server in combination with ACLs is the only good
way to protect a server.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
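The configuration Kevin describes, a firewall made stateless for the service it fronts plus a plain ACL and a black-hole list, written out as an added example; this is not from the thread or from ISC. It assumes a Linux host running nftables as the edge device (the same idea applies to any firewall that can exempt traffic from state tracking), and the 192.0.2.0/24 and 198.51.100.0/24 prefixes are RFC 5737 documentation ranges standing in for real ones.

```nft
# Stateless edge ruleset for a DNS server (nftables on Linux).
# Added example, not from the original thread. The "blackhole4" set is
# where an RTBH feed or manual blocks would be loaded; all addresses are
# documentation ranges used as placeholders.
table inet dns_edge {
    # Source prefixes to drop outright (the "real-time black hole" list).
    set blackhole4 {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }
    }

    # Hosts allowed to reach management services (SSH).
    set admins4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }

    # Mark DNS packets "untracked" before conntrack sees them, in both
    # directions, so a query flood cannot fill the state table and take
    # the firewall (and with it the server) down.
    chain raw_in {
        type filter hook prerouting priority raw; policy accept;
        udp dport 53 notrack
        tcp dport 53 notrack
    }
    chain raw_out {
        type filter hook output priority raw; policy accept;
        udp sport 53 notrack
        tcp sport 53 notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ip saddr @blackhole4 drop

        # Stateless ACL for the service itself: a plain port match, no
        # "ct state" test, because untracked packets never match one.
        udp dport 53 accept
        tcp dport 53 accept

        # Low-volume management traffic may still use connection state.
        ct state established,related accept
        ct state invalid drop
        ip saddr @admins4 tcp dport 22 accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }
}
```

Load it with `nft -f <file>`; prefixes can be added to the black-hole set at runtime with `nft add element inet dns_edge blackhole4 { 203.0.113.0/24 }` without reloading the ruleset. The `notrack` rules have to sit in chains at `raw` priority so they run before conntrack, and they are needed on the output side as well, otherwise the server's replies would create the very state entries the input rule avoided.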


