[dns-operations] DoS with amplification: yet another funny Unix script

Klaus Darilion klaus.mailinglists at pernau.at
Wed Sep 12 09:23:07 UTC 2012



On 11.09.2012 18:38, Vernon Schryver wrote:
>> The tuple <mask(IP), imputed(NAME), errorstatus> is used to select a
>> state blob. In the amplification attacks on our authoritative servers we
>> Thus, it may take some time until the attacker starts with domain1.com
>> again. If I understand the Responder Behavior correctly, this would mean
>> that filtering is never triggered if a domain is not queried
>> RESPONSES-PER-SECOND times per second. Or do I miss something here?
>
> I'm not sure I understand.  If that points out that an attack that is
> too diffuse to be noticed by the BIND RRL code might be noticed by a
> firewall rule, then I agree.  I'd also say that can be seen as a feature
> instead of a defect, because during less diffuse attacks, legitimate
> requests from the forged CIDR block will still be answered.

My concern was that the attack might be too diffuse for this RRL approach: 
as with a changing imputed(NAME) a different state blob is always chosen, 
a single attacker may generate lots of state blobs without 
triggering blocking.

Generally I agree that RRL is more generic and can also deal with new, 
not yet known attack scenarios. With the currently seen attack on our 
servers (ANY, RD bit set, port correlates with transaction ID), an 
iptables rule will be more efficient, but of course is limited to this 
single attack.

regards
Klaus
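The concern above (a source that rotates imputed(NAME) never fills any single RRL state bucket), as an added toy model that is not BIND's RRL code and not from this thread; the tuple key, the per-second limit of 5, the /24 mask and the "last two labels" approximation of imputed(NAME) are all assumptions, and the one-second query sample is constructed. It also shows the check a defender would add beside per-tuple accounting: an aggregate counter per source block.

```python
# Added example (not from the thread): a toy model of RRL-style accounting
# keyed by <mask(IP), imputed(NAME), errorstatus>, showing why a source that
# rotates across many names never exceeds any per-tuple limit, and how an
# aggregate per-mask counter still exposes the same flood. Constructed data.
import ipaddress
from collections import Counter

RESPONSES_PER_SECOND = 5   # assumed per-tuple limit per second

def mask_ip(ip, prefix=24):
    """Collapse a client address to its /prefix block (assumed /24 for IPv4)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def imputed_name(qname):
    """Rough stand-in for RRL's imputed name: the last two labels of the qname."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname

def per_tuple_counts(queries):
    """Count queries per state tuple within one one-second window."""
    counts = Counter()
    for src, qname, status in queries:
        counts[(mask_ip(src), imputed_name(qname), status)] += 1
    return counts

def per_mask_counts(queries):
    """Aggregate counter per source block only, ignoring name and status."""
    counts = Counter()
    for src, _qname, _status in queries:
        counts[mask_ip(src)] += 1
    return counts

def tuples_over_limit(queries, limit=RESPONSES_PER_SECOND):
    """State tuples that would trigger RRL in the window."""
    return {t for t, n in per_tuple_counts(queries).items() if n > limit}

def masks_over_limit(queries, limit):
    """Source blocks whose total query rate exceeds an aggregate limit."""
    return {m for m, n in per_mask_counts(queries).items() if n > limit}

# Constructed one-second sample: one forged /24 block querying 40 different
# zones, 3 times each (all answered NOERROR), so no tuple reaches 5 hits
# while the block as a whole sends 120 queries in the window.
DIFFUSE_SAMPLE = [
    (f"198.51.100.{i % 200 + 1}", f"domain{i}.example", "NOERROR")
    for i in range(40) for _ in range(3)
]
```

Running tuples_over_limit(DIFFUSE_SAMPLE) returns an empty set, while masks_over_limit(DIFFUSE_SAMPLE, 100) returns {"198.51.100.0/24"}.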
