[dns-operations] Recently closed open resolver and reflection attacks

Paul Vixie paul at redbarn.org
Thu Mar 7 02:02:50 UTC 2013



Scott Brynen wrote:
> if you're not using the absolute latest bind, you can do a quick and nasty using IPTABLES.

likewise ipfw. however, these would be request-based thresholds, which
has an unacceptably high rate of both false positive and false negative.
i strongly recommend against this approach when protecting remote
victims. iptables and ipfw can be used with very high thresholds (20X
the thresholds used for RRL) in order to protect a name server, but at
that threshold you will do nothing to protect remote victims.

paul

re:

>
> Basically; if you get more than 12 hits in 75 seconds from the same IP, start dropping them.  There are few DNS situations where a client would make that many requests back to back to back, and even if you start denying them, their resolver (if it's real) should just switch over to another NS server.
>
> iptables -A INPUT -p udp -m udp -m recent -i eth0 --dport 53 --update --seconds 75 --hitcount 12  --name DNSTHROTTLE --rsource -j DROP
> iptables -A INPUT -p udp -m udp -m recent -i eth0 --dport 53 -j ACCEPT --set --name DNSTHROTTLE --rsource
>
>
>>> I recently help close down an open recursive resolver.  It is still getting a lot of queries for isc.org/ANY which get a refused response (unless
>>> slipped/dropped by RRL).  Granted, this doesn't amplify the attack since REFUSED is a fairly small packet, but it is still traffic to the attacked site. 
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130306/cbff786c/attachment.html>


More information about the dns-operations mailing list