nanog mailing list archives
Re: Open DNS Resolver reflection attack Mitigation
From: Joe Maimon <jmaimon () ttec com>
Date: Fri, 08 Jun 2012 15:48:48 -0400
Stephane Bortzmeyer wrote:

> On Fri, Jun 08, 2012 at 03:09:04PM -0400, Joe Maimon <jmaimon () ttec com> wrote a message of 7 lines which said:
>
>> Is there any publicly available rate limiting for BIND?
>
> Not as far as I know. I'm not sure it would be a good idea. BIND is feature-rich enough.

I really hope you have a minority viewpoint on this one. I would really like to see it.

>> How about host-based IDS that can be used to trigger rtbh or iptables?
>
> What I do (I manage a small and experimental open resolver) is to use iptables this way (porting it to IPv6 is left as an exercise):
>
>   iptables -A INPUT -p udp --dport 53 -m hashlimit \
>     --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
>     --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
>
> So, every prefix (length 28) can send 20 r/s with allowed bursts of 100. This requires a Netfilter >= 1.4 (recent options of module hashlimit).
Missing the amplification factor goodness Google says they have, but I'll take it.
https://developers.google.com/speed/public-dns/docs/security
> Most iptables recipes that you find on the Web are not well suited to DNS. They use connection tracking, for instance, while, with the DNS, every request/response is a "connection". I have a more complete article on this setup but in French only <http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html>.
This sounds promising. I will give it a spin. Thank you!
>> Google and Level3 manage to run open resolvers, why can't I?
>
> You have less money :-)

With help like yours, I hope to compensate for that.

Joe
Current thread:
- Open DNS Resolver reflection attack Mitigation Joe Maimon (Jun 08)
- Re: Open DNS Resolver reflection attack Mitigation Dobbins, Roland (Jun 08)
- Re: Open DNS Resolver reflection attack Mitigation Joe Maimon (Jun 08)
- Re: Open DNS Resolver reflection attack Mitigation Stephane Bortzmeyer (Jun 08)
- Re: Open DNS Resolver reflection attack Mitigation Joe Maimon (Jun 08)
- Re: Open DNS Resolver reflection attack Mitigation Owen DeLong (Jun 08)
- Re: Open DNS Resolver reflection attack Mitigation Stephane Bortzmeyer (Jun 08)
- Re: Open DNS Resolver reflection attack Mitigation Owen DeLong (Jun 08)
- Re: Open DNS Resolver reflection attack Mitigation Dobbins, Roland (Jun 08)
- rate limiting (Re: Open DNS Resolver reflection attack Mitigation) Paul Vixie (Jun 10)