Re: [gentoo-user] How to prevent a dns amplification attack

[Kevin Chadwick <ma1l1ists@yahoo.co.uk>]

On Thu, 28 Mar 2013 16:12:04 +0100
Volker Armin Hemmann <volkerarmin@googlemail.com> wrote:

> > Hello,
> >
> > i am using pdns recursor to provide a dns server which should be
> > usable for everybody.The problem is, that the server seems to be
> > used in dns amplification attacks.
> > I googled around on how to prevent this but did not really find
> > something usefull.
> >
> > Does anyone got an idea about this?

I haven't looked into it but.

You could perhaps reduce the amplification by looking for trends that
maximise response sizes such as the 100x amp against spamhaus of late,
but you would be fighting against the wind and only buying time.

Rate limiting may work but bear in mind that so many servers could be
used that attacks maybe ongoing and you wouldn't notice, again you may
be able to make attackers need to be subtler or go to more effort like
for spam but you are not going to eradicate it.

Really you would need some sort of network of dns servers communicating
about who they are hurting as thankfully there is often a single
victim, but really it would be better if the IETF had listened to the
dangers and even now simply redesigned DNSSEC.

As for tcp I used to have all my OpenBSD clients resolvers using the tcp
option in resolv.conf but I haven't noticed another OS's resolver with
that option. There are decent protections against syn floods but I
assume you are wanting random clients to connect.