DDOS attack Bind 9.9 - P2

Vernon Schryver vjs at rhyolite.com
Thu May 2 22:16:51 UTC 2013

> From: "Lawrence K. Chen, P.Eng." <lkchen at ksu.edu>

> So does rate limiting cover when the attacker walks my DNS zone to
> attack an IP?

That depends on what is meant by "rate limiting" and "walking a DNS zone".

Simple rate limiting that counts all requests ostensibly from a
single IP address regardless of (qname,qtype) differs from response
rate limiting (RRL) which counts distinct responses.

"Walking a zone" can differ from walking a zone's valid names (perhaps
based on NSEC RRs or arithmetic as in a reverse zone).

Simple rate limit is required to mitigate zone walking for valid names
not based on a wildcard, because the valid responses differ for RRL.
If you read the BIND9 RRL documentation, then you will find that simple
rate limiting is supported by the BIND9 RRL patch.  However, simple
rate limiting is best done in a separate firewall to avoid spending
CPU cycles, memory bandwidth, and other resources of the DNS server.

Responses based on a wildcard or error responses such as NXDOMAIN or
REFUSED responses are considered identical by RRL and so are limited
by the BIND RRL patch.

On the other hand, an attack from an ambitious bad guy who has built a
list of 1,000,000 triples of (qname,qtype,DNS server IP) and does not
hit any single DNS server more often than 5 requests/second will not
be detected by any of the servers and so cannot be mitigated at the
servers even with simple rate limiting.  It is in a sense fortunate
that DNSSEC is still so rare that finding 1,000,000 DNS server IP
addresses with large amplification requires more effort than other
reflection mechanisms.

Vernon Schryver    vjs at rhyolite.com

P.S. Maybe there should be an FAQ somewhere, because it seems as if
 I've written something similar often enough to irritate others.
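As an added illustration (not part of Vernon's post, and not BIND's own code), a toy model of the two counters the post contrasts: simple rate limiting keys on the client address alone, while RRL keys on the response, so distinct valid names get distinct buckets but NXDOMAIN, REFUSED and wildcard answers share one. The client prefix aggregation and closest-enclosing-name logic of real BIND RRL are left out, and the traffic samples are constructed.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    client: str        # apparent source IP; in a reflection attack this is the victim
    qname: str
    qtype: str
    rcode: str         # "NOERROR", "NXDOMAIN" or "REFUSED"
    wildcard: bool = False   # answer synthesised from a wildcard RR

def rrl_identity(q):
    """RRL counts responses, not requests: error responses and wildcard
    answers are 'identical' whatever qname was asked, so they share one
    bucket per client.  A distinct valid name yields a distinct response
    and therefore a distinct bucket.  (Simplified: real BIND RRL keys on
    a client prefix and, for errors, on the closest enclosing name.)"""
    if q.rcode != "NOERROR":
        return (q.client, q.rcode)
    if q.wildcard:
        return (q.client, "WILDCARD")
    return (q.client, q.qname, q.qtype)

def simple_identity(q):
    """Simple rate limiting: every request from a client counts, regardless of (qname,qtype)."""
    return (q.client,)

def apply_limit(queries, identity, per_second):
    """Fixed-window limit over one second of traffic; returns (sent, dropped)."""
    seen = Counter()
    sent = dropped = 0
    for q in queries:
        key = identity(q)
        seen[key] += 1
        if seen[key] > per_second:
            dropped += 1
        else:
            sent += 1
    return sent, dropped

# Constructed one-second samples, all with the source spoofed to the victim.
VICTIM = "192.0.2.1"
ZONE_WALK = [Query(VICTIM, f"host{i}.example.com", "A", "NOERROR") for i in range(100)]
NXDOMAIN_FLOOD = [Query(VICTIM, f"rnd{i}.example.com", "A", "NXDOMAIN") for i in range(100)]
WILDCARD_FLOOD = [Query(VICTIM, f"w{i}.example.com", "A", "NOERROR", wildcard=True) for i in range(100)]

def compare(queries, per_second=5):
    """Return {'rrl': (sent, dropped), 'simple': (sent, dropped)} for one sample."""
    return {"rrl": apply_limit(queries, rrl_identity, per_second),
            "simple": apply_limit(queries, simple_identity, per_second)}

if __name__ == "__main__":
    for name, qs in [("zone walk", ZONE_WALK), ("NXDOMAIN flood", NXDOMAIN_FLOOD),
                     ("wildcard flood", WILDCARD_FLOOD)]:
        print(name, compare(qs))
```

Run as-is, the zone walk of 100 valid names passes RRL untouched but is cut to 5 by the simple counter, while the NXDOMAIN and wildcard floods are cut to 5 by both.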
