[dns-operations] First experiments with DNS dampening to fight amplification attacks

Klaus Darilion klaus.mailinglists at pernau.at
Mon Oct 29 13:26:37 UTC 2012

On 29.10.2012 11:13, Dobbins, Roland wrote:
> On Oct 29, 2012, at 4:28 PM, Klaus Darilion wrote:
>> We apply iptables based rate-limiting on ANY queries with RD bit set.
> The problem with fronting your DNS servers with a stateful firewall is that it makes it susceptible to trivial state-exhaustion attacks.  This is not a good idea.

It depends on the implementation of the firewall. For example most 
iptables modules which saves states have a limited number of resources 
to keep state. If the max. number of entries is reached, it usually 
deletes an old one. So, the result may not be perfect, but it is better 
then no rules at all.

And as I said, it is not a general solution but works fine for us.

Sometimes it is simpler to wait and watch what the attackers do, and if 
the attacks are getting to noisy, do something effective against it. 
Thinking of all possible scenarios that an attacker could do and then 
finding an solution which handles all of these scenarios is sometimes 
not worth the effort, especially as we see amplification attacks not as 
a real serious problem for our name servers, but just annoying.


More information about the dns-operations mailing list