Advisory Notice for Bind Default Configuration and Reflector Attacks
Jun-ichiro itojun Hagino
itojun at itojun.org
Thu Mar 23 18:21:24 UTC 2006
> No, that is the normal "referral" response that you should get
> from a server which refuses to recurse on your behalf. There is
> still an amplification in terms of the number of bytes sent vs.
> received, but you don't amplify the number of packets.
OK, that's what I thought.
> We need to think about this. Do we really want to be forced to
> take the djbdns solution of ignoring all out-of-zone queries? That
> is just one of the things I have hated most about djbdns, but I am
> just one voice. Am I so wrong to hate that mode of operation?
We could do something more user-friendly.
For example, we could make an "offenders list" of those who sent recursive
queries from outside of the "allow-recursive" network. If an offender
IP address has sent N packets, we go to "ignore queries from that guy" mode.
The "offenders list" can be made with a simple radix tree, and then we could
find the "offenders network".
"Offender" IP addresses are usually "victims" of DoS, so we could
warn those victims' networks / contact CERT / whatever.