[dns-operations] DoS with amplification: yet another funny Unix script

Klaus Darilion klaus.mailinglists at pernau.at
Wed Sep 12 09:23:07 UTC 2012

On 11.09.2012 18:38, Vernon Schryver wrote:
>> The tuple <mask(IP), imputed(NAME), errorstatus> is used to select a
>> >state blob. In the amplification attacks on our authoritative servers we
>> >Thus, it may take some time until the attacker starts with domain1.com
>> >again. If I understand the Responder Behavior correct, this would mean
>> >that filtering is never triggered if a domain is not queried
>> >RESPONSES-PER-SECOND times per second. Or do I miss something here?
> I'm not sure I understand.  If that points out that an attack that is
> too diffuse to be noticed by the BIND RRL code might be noticed by a
> firewall rule, then I agree.  I'd also say that can be seen as a feature
> instead of a defect, because during less diffuse attacks, legitimate
> requests from the forged CIDR block will still be answered.

My concern was that the attack might be too diffuse to this RRL approach 
as with changing imputed(NAME) always a different state blob is chosen, 
thus a single attacker may generate lots of state blobs without 
triggering blocking.

Generally I agree that RRL is more generic and can deal also with new, 
not yet known attack scenarios. With the currently seen attack on our 
servers (ANY, RD bit set, port correlates with transcation ID), an 
iptables rule will be more efficient, but of course is limited to this 
single attack.


More information about the dns-operations mailing list