[dns-operations] question for DNS being attacked

Michael Hoskins (michoski) michoski at cisco.com
Thu Jun 28 04:04:47 UTC 2012

if the spoofed addrs are RFC1918 then you can easily block it with
iptables or further upstream since it's not valid traffic.  most likely,
ISPs already block such sources today.

if the srcs are legitimate addresses that have simply been forged, then
you can't entirely block them without risking keeping potentially real
queries out of your server as well.

regardless of whether the addresses are spoofed or not, rate-limiting
would seem to make sense if the damage is coming from non-RFC1918.

in that case, RRL might work...or even firewall based rate limiting like
iptables or dummynet.

DDoS in general is the worst type of attack, IMHO.  good luck.

-----Original Message-----
From: pangj <pangj at riseup.net>
Date: Wednesday, June 27, 2012 8:57 PM
To: Paul Vixie <paul at redbarn.org>
Cc: "dns-operations at lists.dns-oarc.net" <dns-operations at lists.dns-oarc.net>
Subject: Re: [dns-operations] question for DNS being attacked

>> at <http://www.redbarn.org/dns/ratelimits> you will find one
>> experimental approach to doing this, if your name server is BIND9. note
>> that this feature is not supported by ISC at this time, but that the
>> authors of the experimental technology would welcome any comments, bug
>> reports, questions, or feedback on the topic.
>Thank you, yes I am running with BIND 9.7.
>Is the RRL based on the incoming source IP?
>since the source IPs are most probably spoofed, how will the patch make
>Email/Jabber/Gtalk: pangj at riseup.net
>Free DNS Hosting with www.DNSbed.com
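The two measures Michael describes (drop queries from RFC1918 sources outright, only rate-limit everything else because a forged-but-routable source may also be a real resolver), written up as an added iptables example that is not code from this thread; the interface name, chain name and the per-/24 query budget are assumptions to tune for your own server.

```shell
#!/bin/sh
# Added example, not from the thread. Builds iptables rules for an Internet-facing
# DNS server: RFC1918/loopback sources can never be legitimate there, so they are
# dropped outright; every other source is only rate-limited per /24 with hashlimit,
# since a forged-but-routable address may also belong to a real resolver.
# IPT defaults to "echo iptables" so the rules are printed, not applied; run as
# root with IPT=iptables to install them. Interface, chain name and the budget
# below are assumptions to tune for your own query load.
IPT="${IPT:-echo iptables}"
DNS_IF="${DNS_IF:-eth0}"
RATE="${RATE:-10/second}"   # sustained queries per source /24 before dropping
BURST="${BURST:-20}"        # short spikes allowed above RATE
NOT_ROUTABLE="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# Pure-shell check of a dotted-quad against the same ranges, for sanity-checking
# sample addresses taken from a query log; the kernel does the real matching.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|127.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

dns_filter_rules() {
  # Dedicated chain so the policy can be flushed and reloaded without touching INPUT.
  $IPT -N DNS_IN 2>/dev/null || true
  $IPT -F DNS_IN
  for net in $NOT_ROUTABLE; do
    $IPT -A DNS_IN -s "$net" -j DROP
  done
  for proto in udp tcp; do
    # Count per source /24 (srcmask 24) so one forged host cannot pin a whole
    # network's resolvers; drop only what exceeds the budget, never the source.
    $IPT -A DNS_IN -p "$proto" --dport 53 -m hashlimit \
      --hashlimit-name "dns_$proto" --hashlimit-mode srcip --hashlimit-srcmask 24 \
      --hashlimit-above "$RATE" --hashlimit-burst "$BURST" -j DROP
  done
  $IPT -A DNS_IN -j RETURN
  # Hook both transports into INPUT; TCP matters for truncated-answer retries.
  $IPT -I INPUT -i "$DNS_IF" -p udp --dport 53 -j DNS_IN
  $IPT -I INPUT -i "$DNS_IF" -p tcp --dport 53 -j DNS_IN
}

dns_filter_rules
```

Watch the hashlimit counters (`/proc/net/ipt_hashlimit/dns_udp`) for a while before lowering RATE, so a busy legitimate resolver behind NAT is not throttled along with the forged traffic.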
