From: Norman Rieß
Date: Thu, 28 Mar 2013 19:26:46 +0100
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] How to prevent a dns amplification attack
Message-ID: <51548B66.3030809@smash-net.org>
References: <51540497.5020008@smash-net.org> <515463E0.60607@gmail.com>
In-Reply-To: <515463E0.60607@gmail.com>

On 28.03.2013 16:38, Michael Mol wrote:
> On 03/28/2013 04:51 AM, Norman Rieß wrote:
>> Hello,
>>
>> I am using pdns recursor to provide a DNS server which should be usable
>> for everybody. The problem is that the server seems to be used in DNS
>> amplification attacks.
>> I googled around on how to prevent this but did not really find
>> something useful.
>>
>> Does anyone have an idea about this?
>
> I'm not sure it can be done. You can't make a resolver available to
> "everybody" without somebody in that "everybody" group abusing it, and
> that's exactly what happens in a DNS amplification attack.
>
> Restrict your resolver to be accessible only to your network or, at
> most, those of the specific group of people you're seeking to help.
>
> You *might* try restricting the resolver to only respond to TCP requests
> rather than UDP requests, but if the resolver sends response data along
> with that first SYN+ACK, then nothing is solved, and you've opened
> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
> went offline as a result of a SYN flood, at least it wouldn't be part of
> an amplification attack any longer...)
>

Thank you Michael!
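As an added example that is not part of the thread, here is the restriction Michael recommends expressed in the PowerDNS Recursor configuration file (recursor.conf); the address ranges and listen address are assumed placeholders for the networks you actually serve.

```ini
# recursor.conf (PowerDNS Recursor) -- added example, not from the thread.

# Weak: an open resolver that answers queries from any source address.
# Because UDP sources are trivially spoofed, anyone can point the
# resolver's large answers at a victim, which is the amplification
# attack described above. Do not ship this setting.
# allow-from=0.0.0.0/0, ::/0

# Restricted: only answer the networks you are actually serving.
# The ranges below are assumed placeholders; replace them with your own.
allow-from=127.0.0.0/8, ::1/128, 192.168.0.0/16, 2001:db8::/32

# Bind only to the interface your clients reach (assumed address).
local-address=192.168.0.1
```

After editing, restart the recursor or run `rec_control reload-acls` so the new `allow-from` list takes effect; queries from outside the listed ranges are then dropped instead of answered.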