[dns-operations] annoying DDoS attack on ns0.rfc1035.com

Paul Vixie paul at redbarn.org
Sun Jun 10 14:11:56 UTC 2012


On 2012-06-10 8:45 AM, Jim Reid wrote:
> On 10 Jun 2012, at 09:19, DTNX Postmaster wrote:
>> The iptables rules mentioned in the first comment work well for us
>
> Well for starters, I [dw]on't use Linux. The server runs FreeBSD.

what f-root has done for the last ten years (also on freebsd) is:

add     pipe 1          udp     from any to any 53 in
pipe 1  config  mask src-ip 0xffffffff buckets 1024 bw 400Kbit/s queue 3
add     pipe 2          tcp     from any to any 53 in
pipe 2  config  mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3

note, this approach, and the iptables approach, are inadequate since
they look only at the query ip, whereas rate limiting has to take the
desired response into account. i say desired response because one of the
myriad attack formats of interest is <randomstring>.<domain> where
"domain" is dnssec signed. here the desired response will be of the form
"NXDOMAIN, proof from 'domain'". these have to be rate limited also, and
there's no way to do that upstream of the name server. which brings me to:

> Besides, the damage is done by the time these packets hit the server's
> ethernet card. At ~4000qps inbound, this is close to saturating the
> server's VLAN in the data centre. The traffic needs to be blocked
> before it reaches that. ...

i don't agree. 4Kqps is no big deal in input, it's the output that would
cost you money. and as described above, there's no accurate rate
limiting possible upstream of the name server; one has to know the
proposed response before one can decide whether a given response ought
to be dropped.

paul
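
Added example, not part of the original message and not f-root's or any name server's code: a sketch of rate limiting keyed on the response about to be sent, showing why the <randomstring>.<domain> flood described above is only caught once the NXDOMAIN response and its zone are known. The class name, rate, burst, /24 grouping and the sample addresses and names are all assumptions constructed for illustration.

```python
import ipaddress

RATE_PER_SEC = 5   # assumed: sustained responses per second per bucket
BURST = 5          # assumed: bucket depth, in responses

class ResponseLimiter:
    """Token buckets keyed on (client /24, rcode, name of the response)."""
    def __init__(self, key_by_response=True):
        self.key_by_response = key_by_response
        self.buckets = {}                      # key -> (millitokens, last_ms)

    def _key(self, src, rcode, qname, zone):
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        # Every random label under a signed zone draws the same kind of
        # answer (NXDOMAIN plus the zone's proof), so account for it by zone.
        name = zone if (self.key_by_response and rcode == "NXDOMAIN") else qname
        return (str(net), rcode, name.lower())

    def allow(self, now_ms, src, rcode, qname, zone):
        key = self._key(src, rcode, qname, zone)
        tokens, last = self.buckets.get(key, (BURST * 1000, now_ms))
        # Integer millitokens keep the refill arithmetic exact.
        tokens = min(BURST * 1000, tokens + (now_ms - last) * RATE_PER_SEC)
        ok = tokens >= 1000
        self.buckets[key] = (tokens - 1000 if ok else tokens, now_ms)
        return ok

def replay(key_by_response):
    """Constructed traffic: 100 random-label queries in 1 s from one spoofed
    source, then one ordinary query from the same /24."""
    lim = ResponseLimiter(key_by_response)
    sent = sum(lim.allow(i * 10, "192.0.2.10", "NXDOMAIN",
                         f"r{i:04x}.example.com", "example.com")
               for i in range(100))
    legit = lim.allow(1000, "192.0.2.77", "NOERROR",
                      "www.example.com", "example.com")
    return sent, legit

if __name__ == "__main__":
    # Keyed on the query name, every random label gets a fresh bucket.
    print("keyed on qname:   ", replay(False))
    # Keyed on the response, the whole flood shares one bucket.
    print("keyed on response:", replay(True))
```

In both runs the ordinary NOERROR answer to the same /24 is still sent, which a per-source limit in front of the server cannot guarantee.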


