[GTER] RES: DNS queries for "." (ddos reflection attack)

Julião Braga juliao at braga.eti.br
Wed Jan 21 17:17:40 -02 2009


Personally, and for practical reasons, I will go with the opinion below from JINMEI,
obtained on the bind-users list after a short debate on the subject:

"
At Mon, 19 Jan 2009 16:40:28 +1100,
Nathan Ollerenshaw <chrome at stupendous.net> wrote:

> I have an Authoritative BIND server. It is configured to only allow 
> recursive queries from localhost, with recursion disabled for any remote 
> clients.

[snip]

> The ideal solution for me, would be a bind configuration option that 
> could rate limit responses based on type; so you could specify that a 
> "REFUSED" reply will only be sent to a given host once per hour, or 
> something like that.

Rate-limiting REFUSED responses doesn't make much sense in this
context, because the response messages are not (that) amplified in
packet size.  Even if you rate-limited REFUSED responses, the attacker
could exploit other attack vectors.  Especially in your case where the
server also acts as an authoritative server, the attacker would just
send a valid non-recursive query for a name in the authoritative zone
with a forged address.

IMO, it's not worth considering a countermeasure for non-amplifying
DoS attacks, especially if it can make the implementation complicated.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
"
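To put a number on JINMEI's point, here is an added example (not from either list post) that builds the relevant DNS messages in wire format and measures how many bytes a server returns per byte it receives: a REFUSED reply to a ". NS" query versus a valid authoritative answer for a name in a hypothetical zone (example.com with constructed NS data). Nothing is sent on the network.

```python
import struct

# Added example: measure response-to-query size ratio for the two cases
# contrasted in the thread. All messages are constructed inline.

def encode_name(name):
    """DNS wire-format name; "." (the root) is a single zero byte."""
    if name in (".", ""):
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype=2, txid=0x1234):
    """Query with RD set: 12-byte header, QNAME, QTYPE (2 = NS), QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_refused(query):
    """REFUSED reply: question echoed back, RCODE 5, no resource records."""
    txid, flags, qd = struct.unpack("!HHH", query[:6])
    flags = 0x8000 | (flags & 0x0100) | 5   # QR=1, keep RD, RCODE=5 (REFUSED)
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + query[12:]

def build_answer(query, records):
    """Authoritative answer (AA=1) carrying (owner, type, ttl, rdata) RRs.
    No name compression is used, so real answers are somewhat smaller."""
    txid, flags, qd = struct.unpack("!HHH", query[:6])
    flags = 0x8400 | (flags & 0x0100)       # QR=1, AA=1, keep RD, RCODE=0
    body = query[12:]
    for owner, rtype, ttl, rdata in records:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, qd, len(records), 0, 0) + body

def amplification(query, response):
    """Bytes returned per byte received: the gain a reflector offers."""
    return len(response) / len(query)

def compare():
    """REFUSED reply to '. NS' versus a valid NS answer for a name in a
    hypothetical authoritative zone (example.com, constructed records)."""
    root_q = build_query(".")
    zone_q = build_query("example.com")
    ns_rrs = [("example.com", 2, 86400, encode_name(f"ns{i}.example.com"))
              for i in range(1, 5)]
    return {
        "refused": amplification(root_q, build_refused(root_q)),
        "authoritative": amplification(zone_q, build_answer(zone_q, ns_rrs)),
    }

if __name__ == "__main__":
    for case, ratio in compare().items():
        print(f"{case}: {ratio:.2f}x")
```

The REFUSED case comes out at exactly 1.0x (17 bytes in, 17 bytes out), while the uncompressed four-record answer is about 6.5x, which is why rate-limiting REFUSED alone does not remove the reflection risk on a server that also serves a zone.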