[GTER] RES: DNS queries for "." (ddos reflection attack)

Julião Braga juliao em braga.eti.br
Quarta Janeiro 21 17:17:40 BRST 2009

Pessoalmente e por razões práticas, vou aceitar a opinião abaixo, do JINMEI, 
obtida na lista bind-users, depois de um pequeno debate sobre o assunto:

At Mon, 19 Jan 2009 16:40:28 +1100,
Nathan Ollerenshaw <chrome em stupendous.net> wrote:

> I have an Authoritative BIND server. It is configured to only allow 
> recursive queries from localhost, with recursion disabled for any  remote 
> clients.


> The ideal solution for me, would be a bind configuration option that 
> could rate limit responses based on type; so you could specify that a 
> "REFUSED" reply will only be sent to a given host once per hour, or 
> something like that.

Rate-limiting REFUSED responses doesn't make much sense in this
context, because the response messages are not (that) amplified in
packet size.  Even if you rate-limited REFUSED responses, the attacker
could exploit other attack vectors.  Especially in your case where the
server also acts as an authoritative server, the attacker would just
send a valid non-recursive query for a name in the authoritative zone
with a forged address.

IMO, it's not worth considering a counter measure for a non-amplifying
DoS attacks, especially if it can make the implementation complicated.

JINMEI, Tatuya
Internet Systems Consortium, Inc.
bind-users mailing list
bind-users em lists.isc.org

More information about the gter mailing list