[dns-operations] First experiments with DNS dampening to fight amplification attacks
klaus.mailinglists at pernau.at
Mon Oct 29 13:26:37 UTC 2012
On 29.10.2012 11:13, Dobbins, Roland wrote:
> On Oct 29, 2012, at 4:28 PM, Klaus Darilion wrote:
>> We apply iptables based rate-limiting on ANY queries with RD bit set.
> The problem with fronting your DNS servers with a stateful firewall is that it makes it susceptible to trivial state-exhaustion attacks. This is not a good idea.
It depends on the implementation of the firewall. For example, most
iptables modules which save state have a limited number of resources
to keep state. If the max. number of entries is reached, it usually
deletes an old one. So, the result may not be perfect, but it is better
than no rules at all.
And as I said, it is not a general solution but works fine for us.
Sometimes it is simpler to wait and watch what the attackers do, and if
the attacks are getting too noisy, do something effective against it.
Thinking of all possible scenarios that an attacker could do and then
finding a solution which handles all of these scenarios is sometimes
not worth the effort, especially as we see amplification attacks not as
a really serious problem for our name servers, but just annoying.
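The mechanism discussed in this thread (rate-limiting only ANY queries that have the RD bit set, backed by a state table of bounded size that evicts an old entry when full) modelled as a small stand-alone Python program. This is an added example, not code from the post, the list, or any iptables module; the packet parser, the token-bucket parameters and the "evict the least recently seen source" policy are assumptions chosen to illustrate why a bounded table degrades gracefully instead of exhausting memory. The sample queries are constructed inline.

```python
import struct
from collections import OrderedDict

QTYPE_ANY = 255
FLAG_QR = 0x8000  # response bit
FLAG_RD = 0x0100  # recursion desired


def parse_query(pkt):
    """Return (rd, qname, qtype) for a DNS query, or None if it is not a
    well-formed single-question query. Assumed minimal parser."""
    if len(pkt) < 12:
        return None
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & FLAG_QR or qdcount < 1:
        return None
    rd = bool(flags & FLAG_RD)
    off, labels = 12, []
    while True:
        if off >= len(pkt):
            return None
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointers are not valid in a query name
            return None
        labels.append(pkt[off:off + ln].decode("ascii", "replace"))
        off += ln
    if off + 4 > len(pkt):
        return None
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return rd, ".".join(labels), qtype


class BoundedRateLimiter:
    """Per-source token bucket with a fixed-size state table.

    When a new source would push the table past max_entries, the least
    recently seen source is dropped: the attacker can churn the table but
    cannot grow it, which is the graceful-degradation property the post
    relies on. Eviction policy is an assumption for illustration."""

    def __init__(self, rate, burst, max_entries):
        self.rate, self.burst, self.max_entries = rate, burst, max_entries
        self.table = OrderedDict()  # src -> (tokens, last_seen)
        self.evictions = 0

    def allow(self, src, now):
        tokens, last = self.table.pop(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        if ok:
            tokens -= 1.0
        self.table[src] = (tokens, now)  # re-insert as most recently seen
        if len(self.table) > self.max_entries:
            self.table.popitem(last=False)  # evict oldest entry
            self.evictions += 1
        return ok


def filter_packet(limiter, src, pkt, now):
    """'drop' only for ANY queries with RD set that exceed the per-source
    budget; everything else, including malformed packets, is passed on to
    the name server untouched."""
    q = parse_query(pkt)
    if q is None:
        return "pass"
    rd, _qname, qtype = q
    if not (rd and qtype == QTYPE_ANY):
        return "pass"
    return "pass" if limiter.allow(src, now) else "drop"


def build_query(name, qtype, rd=True, qid=0x1234):
    """Construct a single-question DNS query (sample input, not captured)."""
    flags = FLAG_RD if rd else 0
    hdr = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return hdr + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    lim = BoundedRateLimiter(rate=1.0, burst=3, max_entries=1000)
    any_rd = build_query("example.com", QTYPE_ANY)
    for t in (0, 0, 0, 0, 2):
        print(t, filter_packet(lim, "192.0.2.1", any_rd, t))
```

Running the block shows three ANY/RD queries passing, the fourth being dropped, and the budget refilling after two seconds; an ordinary A query or an ANY query without RD is never limited, matching the narrow filter the post describes.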