From: Michael Mol
Date: Thu, 28 Mar 2013 11:38:08 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] How to prevent a dns amplification attack
Message-ID: <515463E0.60607@gmail.com>
In-Reply-To: <51540497.5020008@smash-net.org>

On 03/28/2013 04:51 AM, Norman Rieß wrote:
> Hello,
>
> I am using pdns recursor to provide a DNS server which should be usable
> for everybody. The problem is that the server seems to be used in DNS
> amplification attacks.
> I googled around on how to prevent this but did not really find
> something useful.
>
> Does anyone have an idea about this?

I'm not sure it can be done. You can't make a resolver available to
"everybody" without somebody in that "everybody" group abusing it, and
that's exactly what happens in a DNS amplification attack. Restrict your
resolver to be accessible only to your network or, at most, those of the
specific group of people you're seeking to help.

You *might* try restricting the resolver to only respond to TCP requests
rather than UDP requests, but if the resolver sends response data along
with that first SYN+ACK, then nothing is solved, and you've opened
yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver went
offline as a result of a SYN flood, at least it wouldn't be part of an
amplification attack any longer...)
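As an added example, not part of this thread or of PowerDNS itself, the Python below mirrors the effect of tightening pdns-recursor's allow-from ACL (the setting that implements the "restrict it to your network" advice above) on a constructed query log: it shows which clients an open versus a restricted ACL would still answer, and how many bytes each one gets back per byte it sends. The network ranges and log entries are constructed documentation values.

```python
import ipaddress
from collections import defaultdict

# Constructed ACLs in the CIDR-list form that pdns-recursor's allow-from
# setting takes; the networks are documentation ranges, not a real site.
OPEN_ALLOW_FROM = ["0.0.0.0/0", "::/0"]  # "usable for everybody"
RESTRICTED_ALLOW_FROM = ["127.0.0.0/8", "192.0.2.0/24", "2001:db8::/32"]

# Constructed query log: (client address, query bytes, response bytes).
# Small queries that draw large answers are what an open resolver reflects.
SAMPLE_LOG = [
    ("192.0.2.10", 45, 130),     # in-network client, ordinary lookup
    ("192.0.2.11", 48, 95),
    ("198.51.100.7", 64, 3210),  # outside address, repeated large answers
    ("198.51.100.7", 64, 3210),
    ("198.51.100.7", 64, 3210),
    ("203.0.113.9", 60, 2900),   # another outside address
    ("2001:db8::5", 52, 140),    # in-network IPv6 client
]

def is_allowed(client, allow_from):
    """True if the client lies inside any network on the ACL. Comparing an
    IPv4 address against an IPv6 network is simply False, so one list can
    carry both families, as allow-from does."""
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(net) for net in allow_from)

def serve(log, allow_from):
    """Per-client traffic the resolver would emit under the given ACL."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0})
    for client, qlen, rlen in log:
        if not is_allowed(client, allow_from):
            continue  # refused: nothing is reflected for this source
        s = stats[client]
        s["queries"] += 1
        s["bytes_in"] += qlen
        s["bytes_out"] += rlen
    return dict(stats)

def amplification(stats):
    """Bytes sent per byte received, per client: the reflector's gain toward
    whatever address appeared as the query source."""
    return {c: round(s["bytes_out"] / s["bytes_in"], 1) for c, s in stats.items()}

def total_bytes_out(stats):
    return sum(s["bytes_out"] for s in stats.values())
```

Run `serve(SAMPLE_LOG, acl)` with each ACL and compare `total_bytes_out`: the restricted list answers only the three in-network clients and drops the reflected volume from 12895 to 365 bytes in this sample.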