From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 09240138010; Thu, 28 Mar 2013 20:51:26 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 8439CE097A; Thu, 28 Mar 2013 20:51:15 +0000 (UTC)
Received: from nm20.bullet.mail.ird.yahoo.com (nm20.bullet.mail.ird.yahoo.com [77.238.189.77]) by pigeon.gentoo.org (Postfix) with SMTP id E4E02E093B; Thu, 28 Mar 2013 20:51:13 +0000 (UTC)
Received: from [77.238.189.233] by nm20.bullet.mail.ird.yahoo.com with NNFMP; 28 Mar 2013 20:51:13 -0000
Received: from [217.146.189.64] by tm14.bullet.mail.ird.yahoo.com with NNFMP; 28 Mar 2013 20:51:13 -0000
Received: from [127.0.0.1] by smtp144.mail.ird.yahoo.com with NNFMP; 28 Mar 2013 20:51:13 -0000
X-Rocket-Received: from kc-sys.chadwicks.me.uk (ma1l1ists@92.27.156.6 with login) by smtp144.mail.ird.yahoo.com with SMTP; 28 Mar 2013 13:51:13 -0700 PDT
Date: Thu, 28 Mar 2013 20:51:51 +0000
From: Kevin Chadwick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] How to prevent a dns amplification attack
Message-ID: <20130328205151.7d03b413@kc-sys.chadwicks.me.uk>
References: <51540497.5020008@smash-net.org>
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Thu, 28 Mar 2013 16:12:04 +0100 Volker Armin Hemmann wrote:

> > Hello,
> >
> > I am using pdns recursor to provide a DNS server which should be
> > usable for everybody. The problem is that the server seems to be
> > used in DNS amplification attacks.
> > I googled around on how to prevent this but did not really find
> > something useful.
> >
> > Does anyone have an idea about this?

I haven't looked into it, but you could perhaps reduce the amplification by looking for trends that maximise response sizes, such as the 100x amp against Spamhaus of late, but you would be fighting against the wind and only buying time.

Rate limiting may work, but bear in mind that so many servers could be used that attacks may be ongoing and you wouldn't notice. Again, you may be able to make attackers need to be subtler or go to more effort, like for spam, but you are not going to eradicate it.

Really you would need some sort of network of DNS servers communicating about who they are hurting, as thankfully there is often a single victim, but really it would be better if the IETF had listened to the dangers and even now simply redesigned DNSSEC.

As for TCP, I used to have all my OpenBSD clients' resolvers using the tcp option in resolv.conf, but I haven't noticed another OS's resolver with that option. There are decent protections against SYN floods, but I assume you are wanting random clients to connect.
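The per-victim rate limiting discussed above, as an added example that is not part of this thread or of pdns recursor: a simulated response-rate limiter keyed on the (spoofable) source address, run over constructed query records. The window length, thresholds, addresses and byte counts are assumed values chosen for illustration.

```python
"""Toy DNS response-rate limiter (RRL), a constructed example.  It is not
part of pdns recursor; the records and thresholds below are made up."""
from collections import defaultdict, deque

WINDOW_SECS = 1.0        # sliding window length (assumed)
MAX_RESP_PER_WINDOW = 5  # responses per source IP per window (assumed)
MAX_BYTES_PER_WINDOW = 10000  # response bytes per source IP per window (assumed)

class ResponseRateLimiter:
    """Tracks responses per source address.  In an amplification attack the
    source address is the spoofed victim, so one address receiving many large
    answers is the signal; the limiter budgets by that address."""
    def __init__(self):
        self.history = defaultdict(deque)   # src_ip -> deque of (ts, bytes sent)

    def decide(self, ts, src_ip, query_bytes, response_bytes):
        q = self.history[src_ip]
        while q and ts - q[0][0] > WINDOW_SECS:   # drop entries outside the window
            q.popleft()
        count = len(q)
        total_bytes = sum(b for _, b in q)
        if count >= MAX_RESP_PER_WINDOW or total_bytes + response_bytes > MAX_BYTES_PER_WINDOW:
            # Over budget: "slip" a truncated (TC=1) reply.  A real client retries
            # over TCP, where the source cannot be spoofed; a spoofed victim only
            # receives a tiny packet, so the amplification is gone.
            q.append((ts, 0))
            return "slip"
        q.append((ts, response_bytes))
        return "answer"

def amplification(query_bytes, response_bytes):
    """Amplification factor of one exchange (response size / query size)."""
    return response_bytes / query_bytes

# Constructed traffic: a burst of large answers apparently destined for
# 192.0.2.7 (45-byte queries, 3200-byte answers) and one small legitimate
# lookup from 198.51.100.9.
QUERIES = [(0.1 * i, "192.0.2.7", 45, 3200) for i in range(8)] + \
          [(0.5, "198.51.100.9", 40, 120)]

def run(queries):
    """Return (source, decision) for each constructed query in order."""
    rrl = ResponseRateLimiter()
    return [(src, rrl.decide(ts, src, qb, rb)) for ts, src, qb, rb in queries]

if __name__ == "__main__":
    for src, decision in run(QUERIES):
        print(src, decision)
```

The first three large answers to 192.0.2.7 go out, the remaining five are slipped, and the legitimate client is unaffected.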