From: Michael Mol
Date: Thu, 28 Mar 2013 12:10:33 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] How to prevent a dns amplification attack
Message-ID: <51546B79.9060908@gmail.com>
References: <51540497.5020008@smash-net.org> <515463E0.60607@gmail.com>
List-Id: Gentoo Linux mail

On 03/28/2013 12:06 PM, Pandu Poluan wrote:
>
> On Mar 28, 2013 10:38 PM, "Michael Mol" wrote:
>>
>> On 03/28/2013 04:51 AM, Norman Rieß wrote:
>> > Hello,
>> >
>> > I am using pdns recursor to provide a DNS server which should be usable
>> > for everybody. The problem is that the server seems to be used in DNS
>> > amplification attacks.
>> > I googled around on how to prevent this but did not really find
>> > something useful.
>> >
>> > Does anyone have an idea about this?
>>
>> I'm not sure it can be done. You can't make a resolver available to
>> "everybody" without somebody in that "everybody" group abusing it, and
>> that's exactly what happens in a DNS amplification attack.
>>
>> Restrict your resolver to be accessible only to your network or, at
>> most, those of the specific group of people you're seeking to help.
>>
>> You *might* try restricting the resolver to only respond to TCP requests
>> rather than UDP requests, but if the resolver sends response data along
>> with that first SYN+ACK, then nothing is solved, and you've opened
>> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
>> went offline as a result of a SYN flood, at least it wouldn't be part of
>> an amplification attack any longer...)
>>
>
> Can't we rate limit UDP DNS requests?
>
> E.g., limit each source IP to, let's say, 1 UDP per second?
>
> That should be doable easily using iptables.

That makes the resolver highly unreliable for normal use. Many sites
trigger resource grabs from 10-15 different domains. If all but the
first request is dropped due to rate limiting, you're going to have a
very, very broken experience.
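As an added example (not code from this thread, from pdns recursor, or from iptables), the following Python simulation models the "1 UDP query per source IP per second" rule discussed above as a per-source token bucket, which is the same shape as the rate-plus-burst limiter in iptables' hashlimit match. It replays three constructed traces through the limiter: a browser page load that resolves 15 names in under half a second, a 2000 query/s flood carrying a spoofed source address, and the spoofed victim's own page load arriving during that flood. The IP addresses, query names, rates and timings are all made up for the simulation; the `burst` parameter is an assumption added here to show how the numbers change when the rule allows a burst instead of exactly one packet per second.

```python
"""Per-source-IP DNS query rate limiting, simulated with a token bucket.

Added example, not from the gentoo-user thread. Traces are constructed.
"""
from collections import defaultdict


class PerSourceTokenBucket:
    """One bucket per source IP: refills at `rate` tokens/s, holds at most `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self._buckets = {}  # src_ip -> (tokens, last_seen_time)

    def allow(self, src_ip: str, now: float) -> bool:
        # A source seen for the first time starts with a full bucket.
        tokens, last = self._buckets.get(src_ip, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[src_ip] = (tokens - 1.0, now)
            return True
        self._buckets[src_ip] = (tokens, now)
        return False


def page_load_trace(client_ip, n_domains=15, start=0.0, spacing=0.03, tag="browser"):
    """Constructed: a browser resolving n_domains names, one every 30 ms."""
    return [(start + i * spacing, client_ip, f"cdn{i}.example.net", tag)
            for i in range(n_domains)]


def flood_trace(spoofed_ip, pps=2000, seconds=1.0, tag="flood"):
    """Constructed: an amplification flood whose source field is the victim's address."""
    return [(i / pps, spoofed_ip, "example.com", tag) for i in range(int(pps * seconds))]


def replay(limiter, trace):
    """Feed (time, src_ip, qname, tag) events in time order; count answered/dropped per tag."""
    answered, dropped = defaultdict(int), defaultdict(int)
    for t, ip, _qname, tag in sorted(trace):
        if limiter.allow(ip, t):
            answered[tag] += 1
        else:
            dropped[tag] += 1
    return dict(answered), dict(dropped)


def scenario(rate: float, burst: int) -> dict:
    """Return {scenario_name: (answered, dropped)} for one limiter setting."""
    results = {}

    lim = PerSourceTokenBucket(rate, burst)
    a, d = replay(lim, page_load_trace("198.51.100.7"))
    results["browser_alone"] = (a.get("browser", 0), d.get("browser", 0))

    lim = PerSourceTokenBucket(rate, burst)
    a, d = replay(lim, flood_trace("203.0.113.9"))
    results["flood_alone"] = (a.get("flood", 0), d.get("flood", 0))

    # The flood is spoofed as the victim, so the victim's real browser
    # shares a bucket with the attacker's packets and gets starved.
    lim = PerSourceTokenBucket(rate, burst)
    mixed = flood_trace("203.0.113.9") + page_load_trace("203.0.113.9", start=0.5)
    a, d = replay(lim, mixed)
    results["victim_during_flood"] = (a.get("browser", 0), d.get("browser", 0))
    return results


if __name__ == "__main__":
    for rate, burst in [(1.0, 1), (1.0, 20)]:
        print(f"rate={rate}/s burst={burst}: {scenario(rate, burst)}")
```

With the literal "1 per second, no burst" rule the page load gets one answer and fourteen drops, which is the breakage described in the reply. Allowing a burst of 20 lets the page load through while still capping what the flood can extract from the resolver to 20 responses per second per spoofed address; but because the flood's source field is the victim's address, the victim's own queries are dropped under either setting, so a per-source limit throttles the party being attacked rather than the attacker.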