DDOS attack Bind 9.9 - P2

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Thu May 2 20:06:27 UTC 2013

----- Original Message -----
> > Patch BIND to include the RRL (Response Rate Limiting) patches
> > (http://www.redbarn.org/dns/ratelimits), blackhole/ignore those
> > clients requesting.
> The fact that Response Rate Limiting (RRL) does not blackhole/ignore
> clients is a feature and why it is a better mitigation for DNS
> Reflection DoS attacks than mechanisms that do blackhole/ignore
> clients.  The apparent DNS clients in DNS reflection attacks is
> usually not the source of the evil requests, but forged by bad guys
> trying to attack the nominal clients.  Because RRL limits rate of
> any particular response sent to any particular client address block,
> the client is generally able to get responses for its legitimate
> requests and often will not notice the attack.
> Naively blackholing/ignoring the forged client as with common
> firewall rules does stop attacks, but lets the bad guy deny name
> service to the client.  Breaking host name resolution has been a
> part of many security attacks over the years.
>   ...

So does rate limiting cover when the attacker walks my DNS zone to attack an IP?

According to IT Security two my on campus authoritative only nameservers were used where they seemed to be walking our DNS zone with the target an IP in sprint's network.

I'm curious what kind of walking it was doing....did they harvest what names exist or did they just try names in sequence...and not care if a lot of the responses are DNSSEC assured denial of existence....suppose the latter would qualify as a type of response that can be limited?

>    ...
> ] Many people will not compromise critical daemons by using third
> party
> ] *unofficial* patches.
> I don't know the status of the CZ-NIC Knot DNS or the NLNetLabs NSD
> RRL code.  Perhaps that either of those is "third party" or
> "unnofficial,"
> although I have the impression that is at least partly wrong.
> The BIND RRL patch on http://www.redbarn.org/dns/ratelimits are
> unofficial, and so it is reasonable to be skeptical and wait for an
> official release.  However, for obvious reasons it is not really
> accurate to label the BIND RRL patch as "third party."
>  "Pre-pre-release"
> is a more accurate characterization of the BIND RRL.  Please note
> that
> users of the FreeBSD bind98 and bind99 ports can get the RRL code
> without messing with the patch command.  See
> https://www.google.com/search?q=site%3Afreebsd.org+bind+rrl

Currently the official position that I'm working under is to wait for "official" inclusion of the feature.  On the otherhand, I've been wanting to do a refresh of DNS infrastructure (2 Solaris10-SPARC and 16 Solaris10-x64 - hardware is a couple of V240's, a couple of X4170's and the rest are X4100's)  To something all FreeBSD based.

In the meantime....I'm debating the impact of setting minimal responses on my authoritative-only nameservers.  4 of the Solaris10-x64 servers are my authorititative only nameservers... and one is my stealth master.....

Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkchen at ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library

More information about the bind-users mailing list