Advisory Notice for Bind Default Configuration and Reflector Attacks

Jun-ichiro itojun Hagino itojun at
Thu Mar 23 18:21:24 UTC 2006

> No, that is the normal "referral" response that you should get
> from a server which refuses to recurse on your behalf.  There is
> still an amplification in terms of the number of bytes sent vs.
> received, but you don't amplify the number of packets.

	ok, that's what i thought.

> We need to think about this.  Do we really want to be forced to
> take the djbdns solution of ignoring all out-of-zone queries?  That
> is just one of the things I have hated most about djbdns, but I am
> just one voice.  Am I so wrong to hate that mode of operation?

	we could do something more user-friendly.
	for example, we could make an "offenders list" of those who sent recursive
	queries from outside of the "allow-recursive" network.  if an offender
	IP address has sent N packets, we go to "ignore query that guy" mode.
	"offenders list" can be made by a simple radix tree, and then we could
	find "offenders network".

	"offenders" IP addresses are usually "victims" of DoS, so we could
	warn those victims' network/contact CERT/whatever.

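The "offenders list" scheme sketched in the message above, worked out as an added Python example (this is not code from the message, from BIND or from any resolver): recursive queries from outside the allowed networks are counted in a per-family binary radix tree, a source is ignored once it reaches N such queries, and per-prefix totals give the "offenders network" to notify. The class name, threshold and sample addresses are assumptions.

```python
import ipaddress


def _node():
    return {"count": 0, "children": {}}


class OffenderTracker:
    """Hypothetical offenders list: recursive queries from outside
    allow-recursion are counted in a binary radix tree, one level per
    address bit, so subtree totals expose the offending network."""

    def __init__(self, allow_recursion, threshold):
        self.allowed = [ipaddress.ip_network(n) for n in allow_recursion]
        self.threshold = threshold              # N packets before ignoring
        self.roots = {4: _node(), 6: _node()}   # one tree per address family

    def observe(self, src, wants_recursion):
        """Record one query. True: answer it (normally, or with a referral).
        False: the source reached N out-of-policy recursive queries; drop it."""
        addr = ipaddress.ip_address(src)
        if not wants_recursion or any(addr in net for net in self.allowed):
            return True
        node = self.roots[addr.version]
        for bit in format(int(addr), "0%db" % addr.max_prefixlen):
            node["count"] += 1          # every prefix on the path gets the hit
            node = node["children"].setdefault(bit, _node())
        node["count"] += 1              # leaf: this exact address
        return node["count"] < self.threshold

    def aggregate(self, version, prefixlen):
        """Offender counts per prefix of the given length (e.g. 24 for a /24):
        the "offenders network" view an operator would use to warn the victim."""
        cls = ipaddress.IPv4Network if version == 4 else ipaddress.IPv6Network
        width = 32 if version == 4 else 128
        out = {}

        def walk(node, bits):
            if len(bits) == prefixlen:
                net = cls((int(bits.ljust(width, "0"), 2), prefixlen))
                out[str(net)] = node["count"]
                return
            for bit, child in node["children"].items():
                walk(child, bits + bit)

        walk(self.roots[version], "")
        return out
```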