[GTER] RES: DNS queries for "." (ddos reflection attack)
juliao em braga.eti.br
Quarta Janeiro 21 17:17:40 BRST 2009
Pessoalmente e por razões práticas, vou aceitar a opinião abaixo, do JINMEI,
obtida na lista bind-users, depois de um pequeno debate sobre o assunto:
At Mon, 19 Jan 2009 16:40:28 +1100,
Nathan Ollerenshaw <chrome em stupendous.net> wrote:
> I have an Authoritative BIND server. It is configured to only allow
> recursive queries from localhost, with recursion disabled for any remote
> The ideal solution for me, would be a bind configuration option that
> could rate limit responses based on type; so you could specify that a
> "REFUSED" reply will only be sent to a given host once per hour, or
> something like that.
Rate-limiting REFUSED responses doesn't make much sense in this
context, because the response messages are not (that) amplified in
packet size. Even if you rate-limited REFUSED responses, the attacker
could exploit other attack vectors. Especially in your case where the
server also acts as an authoritative server, the attacker would just
send a valid non-recursive query for a name in the authoritative zone
with a forged address.
IMO, it's not worth considering a counter measure for a non-amplifying
DoS attacks, especially if it can make the implementation complicated.
Internet Systems Consortium, Inc.
bind-users mailing list
bind-users em lists.isc.org
More information about the gter