[gentoo-user] How to prevent a dns amplification attack
From: Norman Rieß @ 2013-03-28 8:51 UTC
To: gentoo-user

Hello,

I am using pdns recursor to provide a DNS server which should be usable
for everybody. The problem is that the server seems to be used in DNS
amplification attacks.
I googled around on how to prevent this but did not really find
something useful.

Does anyone have an idea about this?

Regards,
Norman
Re: [gentoo-user] How to prevent a dns amplification attack
From: Adam Carter @ 2013-03-28 9:07 UTC
To: gentoo-user@lists.gentoo.org

Typically you would just allow recursion from networks you trust. Why are you making your server available to everyone?

Read this one? https://developers.google.com/speed/public-dns/docs/security
Re: [gentoo-user] How to prevent a dns amplification attack
From: Norman Rieß @ 2013-03-28 22:16 UTC
To: gentoo-user

On 28.03.2013 10:07, Adam Carter wrote:
> Why are you making your server available to everyone?
>
For the lulz mostly.
Re: [gentoo-user] How to prevent a dns amplification attack
From: Volker Armin Hemmann @ 2013-03-28 15:12 UTC
To: gentoo-user

Turn off this unnecessary crap?

On 28.03.2013 09:52, "Norman Rieß" <norman@smash-net.org> wrote:
> Hello,
>
> I am using pdns recursor to provide a DNS server which should be usable
> for everybody. The problem is that the server seems to be used in DNS
> amplification attacks.
> I googled around on how to prevent this but did not really find
> something useful.
>
> Does anyone have an idea about this?
>
> Regards,
> Norman
>
Re: [gentoo-user] How to prevent a dns amplification attack
From: Kevin Chadwick @ 2013-03-28 20:51 UTC
To: gentoo-user

On Thu, 28 Mar 2013 16:12:04 +0100
Volker Armin Hemmann <volkerarmin@googlemail.com> wrote:

>> Hello,
>>
>> I am using pdns recursor to provide a DNS server which should be
>> usable for everybody. The problem is that the server seems to be
>> used in DNS amplification attacks.
>> I googled around on how to prevent this but did not really find
>> something useful.
>>
>> Does anyone have an idea about this?

I haven't looked into it, but you could perhaps reduce the amplification by looking for trends that maximise response sizes, such as the 100x amp against Spamhaus of late, but you would be fighting against the wind and only buying time.

Rate limiting may work, but bear in mind that so many servers could be used that attacks may be ongoing and you wouldn't notice. Again, you may be able to make attackers need to be subtler or go to more effort, like for spam, but you are not going to eradicate it.

Really you would need some sort of network of DNS servers communicating about who they are hurting, as thankfully there is often a single victim, but really it would be better if the IETF had listened to the dangers and even now simply redesigned DNSSEC.

As for TCP, I used to have all my OpenBSD clients' resolvers using the tcp option in resolv.conf, but I haven't noticed another OS's resolver with that option. There are decent protections against SYN floods, but I assume you are wanting random clients to connect.
Re: [gentoo-user] How to prevent a dns amplification attack
From: Kevin Chadwick @ 2013-03-28 20:57 UTC
To: gentoo-user

> listened to the dangers and even now simply redesigned DNSSEC.

Or they could fudge it by making every request require padding larger than the response. Bandwidth would increase astronomically, but amp attacks would have to find other avenues.
Re: [gentoo-user] How to prevent a dns amplification attack
From: Michael Mol @ 2013-03-28 21:04 UTC
To: gentoo-user

On 03/28/2013 04:57 PM, Kevin Chadwick wrote:
>
>> listened to the dangers and even now simply redesigned DNSSEC.
>
> Or they could fudge it by making every request require padding larger
> than the response. Bandwidth would increase astronomically but amp
> attacks would have to find other avenues.
>

Infeasible; the requester cannot know the size of the response in advance. If a packet comes in, and the response is larger than the request, is it really an amp packet, did the client not know, or is the server misconfigured and not limiting the response data as much as it could?
Re: [gentoo-user] How to prevent a dns amplification attack
From: Kevin Chadwick @ 2013-03-28 22:36 UTC
To: gentoo-user

On Thu, 28 Mar 2013 17:04:25 -0400
Michael Mol <mikemol@gmail.com> wrote:

>>> listened to the dangers and even now simply redesigned DNSSEC.
>>
>> Or they could fudge it by making every request require padding
>> larger than the response. Bandwidth would increase astronomically
>> but amp attacks would have to find other avenues.
>>
>
> Infeasible; the requester cannot know the size of the response in
> advance. If a packet comes in, and the response is larger than the
> request, is it really an amp packet, did the client not know, or is
> the server misconfigured and not limiting the response data as much
> as it could?

I'm certainly not saying it's a good idea, hence the 'fudge' and 'making every request', which would mean non-updateable clients or non-updated routers (90%) needing special treatment.

I'm sure there are probably other hurdles to it, but it is certainly possible to make a request much larger than any potential response, similar to the anti-spam system that makes creating a message take a lot of CPU and then only accepts messages from those that do (hsomething I think; it only works if all take part, but would eliminate spam almost completely).

However, thinking about it, considering the want for DNS to provide larger things like encryption keys, huge requests may be the best long-term solution for a DNSSEC which seemingly refuses out of pride to add something like DNSCurve to prevent spoofing.

Similar to firewalls only sending a single SYN ACK (less than or equalise).
Re: [gentoo-user] How to prevent a dns amplification attack
From: Michael Mol @ 2013-03-28 15:38 UTC
To: gentoo-user

On 03/28/2013 04:51 AM, Norman Rieß wrote:
> Hello,
>
> I am using pdns recursor to provide a DNS server which should be usable
> for everybody. The problem is that the server seems to be used in DNS
> amplification attacks.
> I googled around on how to prevent this but did not really find
> something useful.
>
> Does anyone have an idea about this?

I'm not sure it can be done. You can't make a resolver available to "everybody" without somebody in that "everybody" group abusing it, and that's exactly what happens in a DNS amplification attack.

Restrict your resolver to be accessible only to your network or, at most, those of the specific group of people you're seeking to help.

You *might* try restricting the resolver to only respond to TCP requests rather than UDP requests, but if the resolver sends response data along with that first SYN+ACK, then nothing is solved, and you've opened yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver went offline as a result of a SYN flood, at least it wouldn't be part of an amplification attack any longer...)
Re: [gentoo-user] How to prevent a dns amplification attack
From: Pandu Poluan @ 2013-03-28 16:06 UTC
To: gentoo-user

On Mar 28, 2013 10:38 PM, "Michael Mol" <mikemol@gmail.com> wrote:
>
> On 03/28/2013 04:51 AM, Norman Rieß wrote:
> > Hello,
> >
> > I am using pdns recursor to provide a DNS server which should be usable
> > for everybody. The problem is that the server seems to be used in DNS
> > amplification attacks.
> > I googled around on how to prevent this but did not really find
> > something useful.
> >
> > Does anyone have an idea about this?
>
> I'm not sure it can be done. You can't make a resolver available to
> "everybody" without somebody in that "everybody" group abusing it, and
> that's exactly what happens in a DNS amplification attack.
>
> Restrict your resolver to be accessible only to your network or, at
> most, those of the specific group of people you're seeking to help.
>
> You *might* try restricting the resolver to only respond to TCP requests
> rather than UDP requests, but if the resolver sends response data along
> with that first SYN+ACK, then nothing is solved, and you've opened
> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
> went offline as a result of a SYN flood, at least it wouldn't be part of
> an amplification attack any longer...)
>

Can't we rate limit UDP DNS requests?

E.g., limit each source IP to, let's say, 1 UDP per second?

That should be doable easily using iptables.

Rgds,
--
Re: [gentoo-user] How to prevent a dns amplification attack
From: Michael Mol @ 2013-03-28 16:10 UTC
To: gentoo-user

On 03/28/2013 12:06 PM, Pandu Poluan wrote:
>
> On Mar 28, 2013 10:38 PM, "Michael Mol" <mikemol@gmail.com> wrote:
>>
>> On 03/28/2013 04:51 AM, Norman Rieß wrote:
>> > Hello,
>> >
>> > I am using pdns recursor to provide a DNS server which should be usable
>> > for everybody. The problem is that the server seems to be used in DNS
>> > amplification attacks.
>> > I googled around on how to prevent this but did not really find
>> > something useful.
>> >
>> > Does anyone have an idea about this?
>>
>> I'm not sure it can be done. You can't make a resolver available to
>> "everybody" without somebody in that "everybody" group abusing it, and
>> that's exactly what happens in a DNS amplification attack.
>>
>> Restrict your resolver to be accessible only to your network or, at
>> most, those of the specific group of people you're seeking to help.
>>
>> You *might* try restricting the resolver to only respond to TCP requests
>> rather than UDP requests, but if the resolver sends response data along
>> with that first SYN+ACK, then nothing is solved, and you've opened
>> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
>> went offline as a result of a SYN flood, at least it wouldn't be part of
>> an amplification attack any longer...)
>>
>
> Can't we rate limit UDP DNS requests?
>
> E.g., limit each source IP to, let's say, 1 UDP per second?
>
> That should be doable easily using iptables.

That makes the resolver highly unreliable for normal use. Many sites trigger resource grabs from 10-15 different domains. If all but the first request is dropped due to rate limiting, you're going to have a very, very broken experience.
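The two mitigations weighed in this part of the thread, Adam Carter's "allow recursion only from networks you trust" and the per-source rate limit Pandu Poluan proposes and Michael Mol objects to, can be tried out side by side in a small simulation. The Python below is an added example, not code from the thread or from PowerDNS; the query and answer sizes, the addresses, the 12-lookup browsing burst and the spoofed flood are all constructed, and a query from a non-allowed source is modelled as getting a short reply no larger than the query.

```python
import ipaddress
from collections import defaultdict

# Constructed wire sizes: a small query versus a large (e.g. ANY) answer.
QUERY_BYTES = 60
RESPONSE_BYTES = 3000


def make_trace():
    """Constructed query trace as (time_ms, source_ip, qname) tuples."""
    trace = []
    # A client in the trusted network loading one web page: 12 lookups
    # inside 100 ms (the "10-15 different domains" case from the thread).
    for i in range(12):
        trace.append((10_000 + i * 8, "192.0.2.10", f"cdn{i}.example.net"))
    # A spoofed flood: 500 queries/s for 2 s whose source address is the
    # victim's (203.0.113.5), which lies outside every trusted network.
    for i in range(1000):
        trace.append((20_000 + i * 2, "203.0.113.5", "example.org"))
    return sorted(trace)


class Resolver:
    """Toy resolver applying an allow-from ACL and a per-source token bucket."""

    def __init__(self, allow_from, rate=None, burst=1):
        self.allow_from = [ipaddress.ip_network(n) for n in allow_from]
        self.rate = rate      # queries per second per source, None = unlimited
        self.burst = burst    # bucket capacity in queries
        self.tokens = {}      # per-source tokens, scaled by 1000 (integers)
        self.last = {}        # per-source time of the last query (ms)
        self.stats = defaultdict(
            lambda: {"served": 0, "refused": 0, "dropped": 0, "bytes_out": 0})

    def allowed(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.allow_from)

    def take_token(self, src, now):
        """Integer token bucket: 1000 units buy one query."""
        if self.rate is None:
            return True
        cap = self.burst * 1000
        tokens = self.tokens.get(src, cap)
        # Elapsed ms * queries/s == tokens scaled by 1000, so no floats.
        tokens = min(cap, tokens + (now - self.last.get(src, now)) * self.rate)
        self.last[src] = now
        if tokens >= 1000:
            self.tokens[src] = tokens - 1000
            return True
        self.tokens[src] = tokens
        return False

    def handle(self, now, src, qname):
        s = self.stats[src]
        if not self.allowed(src):
            # Modelled as a short REFUSED reply no larger than the query.
            s["refused"] += 1
            s["bytes_out"] += QUERY_BYTES
            return "refused"
        if not self.take_token(src, now):
            s["dropped"] += 1          # silently dropped, nothing sent back
            return "dropped"
        s["served"] += 1
        s["bytes_out"] += RESPONSE_BYTES
        return "served"


POLICIES = {
    "open": {"allow_from": ["0.0.0.0/0"]},
    "open, 1 qps per source, no burst":
        {"allow_from": ["0.0.0.0/0"], "rate": 1, "burst": 1},
    "open, 1 qps per source, burst 20":
        {"allow_from": ["0.0.0.0/0"], "rate": 1, "burst": 20},
    "trusted networks only": {"allow_from": ["192.0.2.0/24", "127.0.0.0/8"]},
}


def run(policy):
    """Replay the constructed trace through one policy; per-source counters."""
    resolver = Resolver(**policy)
    for now, src, qname in make_trace():
        resolver.handle(now, src, qname)
    return {src: dict(v) for src, v in resolver.stats.items()}


def amplification(stats, src):
    """Bytes sent toward src per byte received from it."""
    s = stats[src]
    queries = s["served"] + s["refused"] + s["dropped"]
    return s["bytes_out"] / (queries * QUERY_BYTES)


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        result = run(policy)
        print(f"{name}:")
        for src, s in result.items():
            print(f"  {src:12} {s}  amplification={amplification(result, src):.1f}x")
```

The strict 1 qps rule serves only the first of the browser's 12 lookups, exactly the breakage Michael Mol describes, while still sending two full-size answers per victim address; the allow-from restriction is the only policy here that leaves the spoofed flood with nothing to amplify.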
Re: [gentoo-user] How to prevent a dns amplification attack
From: Norman Rieß @ 2013-03-28 18:26 UTC
To: gentoo-user

On 28.03.2013 16:38, Michael Mol wrote:
> On 03/28/2013 04:51 AM, Norman Rieß wrote:
>> Hello,
>>
>> I am using pdns recursor to provide a DNS server which should be usable
>> for everybody. The problem is that the server seems to be used in DNS
>> amplification attacks.
>> I googled around on how to prevent this but did not really find
>> something useful.
>>
>> Does anyone have an idea about this?
>
> I'm not sure it can be done. You can't make a resolver available to
> "everybody" without somebody in that "everybody" group abusing it, and
> that's exactly what happens in a DNS amplification attack.
>
> Restrict your resolver to be accessible only to your network or, at
> most, those of the specific group of people you're seeking to help.
>
> You *might* try restricting the resolver to only respond to TCP requests
> rather than UDP requests, but if the resolver sends response data along
> with that first SYN+ACK, then nothing is solved, and you've opened
> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
> went offline as a result of a SYN flood, at least it wouldn't be part of
> an amplification attack any longer...)
>

Thank you Michael!
Re: [gentoo-user] How to prevent a dns amplification attack
From: Alan McKinnon @ 2013-03-28 19:16 UTC
To: gentoo-user

On 28/03/2013 17:38, Michael Mol wrote:
> On 03/28/2013 04:51 AM, Norman Rieß wrote:
>> Hello,
>>
>> I am using pdns recursor to provide a DNS server which should be usable
>> for everybody. The problem is that the server seems to be used in DNS
>> amplification attacks.
>> I googled around on how to prevent this but did not really find
>> something useful.
>>
>> Does anyone have an idea about this?
>
> I'm not sure it can be done. You can't make a resolver available to
> "everybody" without somebody in that "everybody" group abusing it, and
> that's exactly what happens in a DNS amplification attack.
>
> Restrict your resolver to be accessible only to your network or, at
> most, those of the specific group of people you're seeking to help.
>
> You *might* try restricting the resolver to only respond to TCP requests
> rather than UDP requests,

NO NO NO NO NO

Under no circumstances ever do this. The service breaks horribly when you do this and it has to work even remotely hard. Most likely your ISP will outright ban you for that if you use the ISP's caches. I know I do, and so does every other major ISP in this country.

> but if the resolver sends response data along
> with that first SYN+ACK, then nothing is solved, and you've opened
> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
> went offline as a result of a SYN flood, at least it wouldn't be part of
> an amplification attack any longer...)

Or just use the ISP's DNS caches. In the vast majority of cases, the ISP knows how to do it right and the user does not.

--
Alan McKinnon
alan.mckinnon@gmail.com
Re: [gentoo-user] How to prevent a dns amplification attack
From: Michael Mol @ 2013-03-28 19:38 UTC
To: gentoo-user

On 03/28/2013 03:16 PM, Alan McKinnon wrote:
> On 28/03/2013 17:38, Michael Mol wrote:
>> On 03/28/2013 04:51 AM, Norman Rieß wrote:
>>> Hello,
>>>
>>> I am using pdns recursor to provide a DNS server which should be usable
>>> for everybody. The problem is that the server seems to be used in DNS
>>> amplification attacks.
>>> I googled around on how to prevent this but did not really find
>>> something useful.
>>>
>>> Does anyone have an idea about this?
>>
>> I'm not sure it can be done. You can't make a resolver available to
>> "everybody" without somebody in that "everybody" group abusing it, and
>> that's exactly what happens in a DNS amplification attack.
>>
>> Restrict your resolver to be accessible only to your network or, at
>> most, those of the specific group of people you're seeking to help.
>>
>> You *might* try restricting the resolver to only respond to TCP requests
>> rather than UDP requests,
>
> NO NO NO NO NO
>
> Under no circumstances ever do this. The service breaks horribly when
> you do this and it has to work even remotely hard. Most likely your ISP
> will outright ban you for that if you use the ISP's caches. I know I do,
> and so does every other major ISP in this country.

Er, what? When we're talking about a recursive resolver requiring clients connecting to it to use TCP, what does upstream care? He's talking about running his own open DNS server.

>
>> but if the resolver sends response data along
>> with that first SYN+ACK, then nothing is solved, and you've opened
>> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
>> went offline as a result of a SYN flood, at least it wouldn't be part of
>> an amplification attack any longer...)
>
>
> Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
> knows how to do it right and the user does not.

Generally true, though I've known people to choose not to use ISP caches owing to the ISP's implementation of things like '*' records, ISPs applying safety filters against some hostnames, and concerns about the persistence of ISP request logs.
Re: [gentoo-user] How to prevent a dns amplification attack
From: Alan McKinnon @ 2013-03-28 20:02 UTC
To: gentoo-user

On 28/03/2013 21:38, Michael Mol wrote:
> On 03/28/2013 03:16 PM, Alan McKinnon wrote:
>> On 28/03/2013 17:38, Michael Mol wrote:
>>> On 03/28/2013 04:51 AM, Norman Rieß wrote:
>>>> Hello,
>>>>
>>>> I am using pdns recursor to provide a DNS server which should be usable
>>>> for everybody. The problem is that the server seems to be used in DNS
>>>> amplification attacks.
>>>> I googled around on how to prevent this but did not really find
>>>> something useful.
>>>>
>>>> Does anyone have an idea about this?
>>>
>>> I'm not sure it can be done. You can't make a resolver available to
>>> "everybody" without somebody in that "everybody" group abusing it, and
>>> that's exactly what happens in a DNS amplification attack.
>>>
>>> Restrict your resolver to be accessible only to your network or, at
>>> most, those of the specific group of people you're seeking to help.
>>>
>>> You *might* try restricting the resolver to only respond to TCP requests
>>> rather than UDP requests,
>>
>> NO NO NO NO NO
>>
>> Under no circumstances ever do this. The service breaks horribly when
>> you do this and it has to work even remotely hard. Most likely your ISP
>> will outright ban you for that if you use the ISP's caches. I know I do,
>> and so does every other major ISP in this country.
>
> Er, what? When we're talking about a recursive resolver requiring
> clients connecting to it to use TCP, what does upstream care? He's
> talking about running his own open DNS server.

Because the list is indexed and archived and Googled forever. Others may get the idea that TCP-only DNS caches are a good idea in general.

Have you ever had to deal with the insanity caused when Windows Servers insist on using TCP only, and YOU are the upstream?

I understand what the OP was suggesting, but he did not limit the usefulness and scope of the suggestion, so I did.

>
>>
>>> but if the resolver sends response data along
>>> with that first SYN+ACK, then nothing is solved, and you've opened
>>> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
>>> went offline as a result of a SYN flood, at least it wouldn't be part of
>>> an amplification attack any longer...)
>>
>>
>> Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
>> knows how to do it right and the user does not.
>
> Generally true, though I've known people to choose not to use ISP caches
> owing to the ISP's implementation of things like '*' records, ISPs
> applying safety filters against some hostnames, and concerns about the
> persistence of ISP request logs.

I get a few of those too every now and again. I know for sure in my case their fears are unfounded, but can't prove it. Those few (and they are few) can go ahead and deploy their own cache. I can't stop them, they are free to do it, they are also free to ignore my advice if they choose.

--
Alan McKinnon
alan.mckinnon@gmail.com
Re: [gentoo-user] How to prevent a dns amplification attack
From: Paul Hartman @ 2013-03-28 20:53 UTC
To: gentoo-user

On Thu, Mar 28, 2013 at 3:02 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
>>> Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
>>> knows how to do it right and the user does not.
>>
>> Generally true, though I've known people to choose not to use ISP caches
>> owing to the ISP's implementation of things like '*' records, ISPs
>> applying safety filters against some hostnames, and concerns about the
>> persistence of ISP request logs.
>
> I get a few of those too every now and again. I know for sure in my case
> their fears are unfounded, but can't prove it. Those few (and they are
> few) can go ahead and deploy their own cache. I can't stop them, they
> are free to do it, they are also free to ignore my advice if they choose.

In my case, my ISP's DNS servers are slow (several seconds to reply), fail randomly when they should resolve, return an IP (which goes to their ad-laden "helper" website if you are using a web browser) when they should instead return NXDOMAIN, and they have openly admitted to selling customer DNS lookup history to marketers for targeted advertising.

Thanks for being one of the good guys. :)
Re: [gentoo-user] How to prevent a dns amplification attack
From: Michael Mol @ 2013-03-28 20:59 UTC
To: gentoo-user

On 03/28/2013 04:53 PM, Paul Hartman wrote:
> On Thu, Mar 28, 2013 at 3:02 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
>>>> Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
>>>> knows how to do it right and the user does not.
>>>
>>> Generally true, though I've known people to choose not to use ISP caches
>>> owing to the ISP's implementation of things like '*' records, ISPs
>>> applying safety filters against some hostnames, and concerns about the
>>> persistence of ISP request logs.
>>
>> I get a few of those too every now and again. I know for sure in my case
>> their fears are unfounded, but can't prove it. Those few (and they are
>> few) can go ahead and deploy their own cache. I can't stop them, they
>> are free to do it, they are also free to ignore my advice if they choose.
>
> In my case, my ISP's DNS servers are slow (several seconds to reply),
> fail randomly when they should resolve, return an IP (which goes to
> their ad-laden "helper" website if you are using a web browser) when
> they should instead return NXDOMAIN, and they have openly admitted to
> selling customer DNS lookup history to marketers for targeted
> advertising.

Wow. That's...all the fail.

>
> Thanks for being one of the good guys. :)
>

Indeed.
Re: [gentoo-user] How to prevent a dns amplification attack
From: Peter Humphrey @ 2013-03-29 0:49 UTC
To: gentoo-user

On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:

> In my case, my ISP's DNS servers are slow (several seconds to reply),
> fail randomly when they should resolve, return an IP (which goes to
> their ad-laden "helper" website if you are using a web browser) when
> they should instead return NXDOMAIN, and they have openly admitted to
> selling customer DNS lookup history to marketers for targeted
> advertising.

That is just evil. Have you no alternative to this ISP?

--
Peter
Re: [gentoo-user] How to prevent a dns amplification attack
From: Norman Rieß @ 2013-03-29 8:53 UTC
To: gentoo-user

On 29.03.2013 01:49, Peter Humphrey wrote:
> On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:
>
>> In my case, my ISP's DNS servers are slow (several seconds to reply),
>> fail randomly when they should resolve, return an IP (which goes to
>> their ad-laden "helper" website if you are using a web browser) when
>> they should instead return NXDOMAIN, and they have openly admitted to
>> selling customer DNS lookup history to marketers for targeted
>> advertising.
>
> That is just evil. Have you no alternative to this ISP?
>
> --
> Peter
>

Like free and open DNS servers? ;-) Like the one I am talking about and was told it was unnecessary crap?

Norman
Re: [gentoo-user] How to prevent a dns amplification attack
From: Alan McKinnon @ 2013-03-29 13:27 UTC
To: gentoo-user

On 29/03/2013 10:53, Norman Rieß wrote:
>> That is just evil. Have you no alternative to this ISP?
>>
>> --
>> Peter
>>
>
> Like free and open DNS servers? ;-) Like the one I am talking about and
> was told it was unnecessary crap?

When you describe the service you DO get from your ISP, then we can see that rolling your own is the proper alternative for you. Unless your ISP blocks outbound port 53...

If you were in Africa, I could give you an alternative, but sadly I don't think you are in Africa.

--
Alan McKinnon
alan.mckinnon@gmail.com
Re: [gentoo-user] How to prevent a dns amplification attack
From: Michael Mol @ 2013-03-29 13:36 UTC
To: gentoo-user

On 03/29/2013 09:27 AM, Alan McKinnon wrote:
> On 29/03/2013 10:53, Norman Rieß wrote:
>>> That is just evil. Have you no alternative to this ISP?
>>>
>>> --
>>> Peter
>>>
>>
>> Like free and open DNS servers? ;-) Like the one I am talking about and
>> was told it was unnecessary crap?
>
>
> When you describe the service you DO get from your ISP, then we can see
> that rolling your own is the proper alternative for you. Unless your ISP
> blocks outbound port 53...

It'd be trivial enough for someone in a saner spot to privately offer him an allowed-clients entry in a DNS server listening on a non-standard port. Either way, it's still important he not allow just anybody to connect to his resolver.

>
> If you were in Africa, I could give you an alternative but sadly I don't
> think you are in Africa
>
* Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-29 0:49 ` Peter Humphrey 2013-03-29 8:53 ` Norman Rieß @ 2013-03-29 22:34 ` Paul Hartman 2013-03-29 23:01 ` William Kenworthy ` (2 more replies) 1 sibling, 3 replies; 38+ messages in thread From: Paul Hartman @ 2013-03-29 22:34 UTC (permalink / raw To: gentoo-user On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey <peter@humphrey.ukfsn.org> wrote: > On Thursday 28 March 2013 20:53:49 Paul Hartman wrote: > >> In my case, my ISP's DNS servers are slow (several seconds to reply), >> fail randomly when they should resolve, return an IP (which goes to >> their ad-laden "helper" website if you are using a web browser) when >> they should instead return nxdomain, and they have openly admitted to >> selling customer DNS lookup history to marketers for targeted >> advertising. > > > > That is just evil. Have you no alternative to this ISP? Not really. I have a 100 megabit connection through the cable company; my only wired alternative is DSL (1.5 mbit for almost half the price I'm paying for 100mbit). Cellular or satellite are not viable options for me because of comparatively poor value, latency and miniscule data usage caps. In the USA, the local governments (cities and towns, etc.) are in control of regulating which utilities can use public land, and are entitled to compensation from those who use it. Cable companies negotiate rental of that space called a "franchise fee" so they can bury cables, etc. The franchise fee used to be a government-protected monopoly. In the 1980's, when cable television started booming, regional pockets of cable providers were built up thanks to these local monopolies allowing them to move into towns with no competition. 
For the sake of efficiency, cable companies would build out in adjacent towns and kept spreading and growing outward until at some point nearly everyone in the country had cable TV services available to them, with the exception of those living in rural areas which were not dense enough to justify the cost of laying cables, even when presented with a monopoly. It is no longer legal for local governments to award monopolies, but the damage has been done. What we have is essentially the cable TV infrastructure that was laid out during the decade when local cable monopolies were legal, and the cost of entry for a new player into the market now is so high that nobody ever bothers. End result for consumers is a lack of choice. There are some places where competition exists, but those places are pretty rare, in my experience. There are some other possible alternatives to cable internet and DSL, such as municipal wifi, mesh networks, powerline and FTTx, but none are available where I live. The service I receive from the cable company here is actually excellent, with the exception of the aforementioned DNS woes. Pretty much every major ISP in the US does DNS-hijacking and other shenanigans, so there's no avoiding the evilness. I believe the board members of major cable and telecom companies would sell their own mothers into slavery if it meant a rise in share prices or a larger bonus at the end of the year...
* Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-29 22:34 ` Paul Hartman @ 2013-03-29 23:01 ` William Kenworthy 2013-03-29 23:09 ` Michael Mol 2013-03-30 4:07 ` Walter Dnes 2013-03-30 12:06 ` Norman Rieß 2 siblings, 1 reply; 38+ messages in thread From: William Kenworthy @ 2013-03-29 23:01 UTC (permalink / raw To: gentoo-user On 30/03/13 06:34, Paul Hartman wrote: > On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey > <peter@humphrey.ukfsn.org> wrote: >> On Thursday 28 March 2013 20:53:49 Paul Hartman wrote: >> >>> In my case, my ISP's DNS servers are slow (several seconds to reply), >>> fail randomly when they should resolve, return an IP (which goes to >>> their ad-laden "helper" website if you are using a web browser) when >>> they should instead return nxdomain, and they have openly admitted to >>> selling customer DNS lookup history to marketers for targeted >>> advertising. >> >> >> >> That is just evil. Have you no alternative to this ISP? > > Not really. > > I have a 100 megabit connection through the cable company; my only > wired alternative is DSL (1.5 mbit for almost half the price I'm > paying for 100mbit). Cellular or satellite are not viable options for > me because of comparatively poor value, latency and miniscule data > usage caps. > Can you do a tunnel to a cheap VPS instance that can access an external dns, and feed all your dns queries through it? Considering the problems with your existing setup, that looks attractive and you can have sane fallbacks if necessary. I tried this to avoid the "Australia Tax" when online shopping overseas and the small additional latency didn't seem to be a problem. BillK
* Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-29 23:01 ` William Kenworthy @ 2013-03-29 23:09 ` Michael Mol 0 siblings, 0 replies; 38+ messages in thread From: Michael Mol @ 2013-03-29 23:09 UTC (permalink / raw To: gentoo-user On 03/29/2013 07:01 PM, William Kenworthy wrote: > On 30/03/13 06:34, Paul Hartman wrote: >> On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey >> <peter@humphrey.ukfsn.org> wrote: >>> On Thursday 28 March 2013 20:53:49 Paul Hartman wrote: >>> >>>> In my case, my ISP's DNS servers are slow (several seconds to reply), >>>> fail randomly when they should resolve, return an IP (which goes to >>>> their ad-laden "helper" website if you are using a web browser) when >>>> they should instead return nxdomain, and they have openly admitted to >>>> selling customer DNS lookup history to marketers for targeted >>>> advertising. >>> >>> >>> >>> That is just evil. Have you no alternative to this ISP? >> >> Not really. >> >> I have a 100 megabit connection through the cable company; my only >> wired alternative is DSL (1.5 mbit for almost half the price I'm >> paying for 100mbit). Cellular or satellite are not viable options for >> me because of comparatively poor value, latency and miniscule data >> usage caps. >> > > Can you do a tunnel to a cheap VPS instance that can access an external > dns, and feed all your dns queries through it? Considering the problems > with your existing setup, that looks attractive and you can have sane > fallbacks if necessary. > > I tried this to avoid the "Australia Tax" when online shopping overseas > and the small additional latency didn't seem to be a problem. Doesn't even need to be that complicated. Set up a free tunnel with tunnelbroker.net, and use Hurricane Electric's provided IPv6 DNS servers. They run the tunnel service as a loss-leader, and if they're doing anything funky with their DNS data, I haven't heard about it.
Chances are, the local ISP won't be filtering traffic flowing across a proto41 tunnel. (IPv6 packet as an IPv4 packet payload. It's called a proto41 tunnel because 41 is placed in the "next protocol" field in the IPv4 packet.)
* Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-29 22:34 ` Paul Hartman 2013-03-29 23:01 ` William Kenworthy @ 2013-03-30 4:07 ` Walter Dnes 2013-03-30 12:06 ` Norman Rieß 2 siblings, 0 replies; 38+ messages in thread From: Walter Dnes @ 2013-03-30 4:07 UTC (permalink / raw To: gentoo-user On Fri, Mar 29, 2013 at 05:34:41PM -0500, Paul Hartman wrote > > Pretty much every major ISP in the US does DNS-hijacking and other > shenanigans, so there's no avoiding the evilness. The obvious question is... do they hijack all port-53 queries? Depending on the answer, there are 2 different strategies to follow. -- Walter Dnes <waltdnes@waltdnes.org> I don't run "desktop environments"; I run useful applications
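An added example for Walter's question, not from the thread or any of its posters: a random label under a zone that has no wildcard must come back NXDOMAIN, so a reply carrying an A record is the ad-page redirect, and getting that same redirect from a public resolver addressed directly means port 53 is being intercepted in transit rather than just answered by a dishonest ISP resolver. The query builder and parser use only the standard library. Assumptions: example.com as the probe zone, 8.8.8.8 as the public resolver, and the "nxdomain-probe-" label prefix; the offline sample replies in the test are constructed.

```python
"""Does the ISP hijack port 53?  A probe for the question above.

Added example, not from the thread or any poster. It builds a raw DNS query
with the standard library, sends it to a resolver you name and classifies the
reply. A random label under a zone with no wildcard must come back NXDOMAIN:
an A record instead is the "helper page" redirect, and the same redirect from
a public resolver addressed directly means port 53 is intercepted in transit.
Assumptions: example.com as the probe zone, 8.8.8.8 as the public resolver,
the label prefix. build_response() only exists to construct offline samples.
"""
import random
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """'a.bc.' -> b'\\x01a\\x02bc\\x00' (wire-format labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid, qtype=QTYPE_A):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def skip_name(msg, off):
    """Offset just past a name that may end in a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:   # pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip qtype + qclass
    a_records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            a_records.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    rcode = flags & 0xF
    return {"id": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "tc": bool(flags & 0x0200), "a": a_records}


def classify(sent_id, resp):
    if resp["id"] != sent_id:
        return "id-mismatch"      # not a reply to our query at all
    if resp["rcode"] == "NXDOMAIN" and not resp["a"]:
        return "honest"
    if resp["rcode"] == "NOERROR" and resp["a"]:
        return "hijacked"         # a name that cannot exist got an address
    return "other:" + resp["rcode"]


def build_response(query, rcode, a_records=()):
    """Constructed reply to `query` (QR, RD, RA set), used for offline samples."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    body = query[12:]                                     # echo the question
    for ip in a_records:                                  # owner = pointer to offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
        body += socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, qd, len(a_records), 0, 0) + body


def probe(resolver, zone="example.com", timeout=3.0):
    """Live check (needs network): a random label under `zone`, sent to `resolver`."""
    name = "nxdomain-probe-%08x.%s" % (random.getrandbits(32), zone)
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return classify(txid, parse_response(data))


if __name__ == "__main__":
    import sys
    # usage: probe.py <isp-resolver-ip>  (a public resolver is always probed too)
    for target in (sys.argv[1:] or []) + ["8.8.8.8"]:
        print(target, probe(target))
```

Run it once against the ISP's resolver and once against a public one. "hijacked" from the ISP resolver alone is a dishonest resolver that a different server address gets around; "hijacked" from both for a fresh random label means every port-53 packet is redirected in transit, and only a tunnel or a resolver on a non-standard port avoids it.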
* Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-29 22:34 ` Paul Hartman 2013-03-29 23:01 ` William Kenworthy 2013-03-30 4:07 ` Walter Dnes @ 2013-03-30 12:06 ` Norman Rieß 2013-03-30 14:53 ` Rene Rasmussen 2013-03-30 15:11 ` Kevin Chadwick 2 siblings, 2 replies; 38+ messages in thread From: Norman Rieß @ 2013-03-30 12:06 UTC (permalink / raw To: gentoo-user On 29.03.2013 at 23:34, Paul Hartman <paul.hartman+gentoo@gmail.com> wrote: > On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey > <peter@humphrey.ukfsn.org> wrote: >> On Thursday 28 March 2013 20:53:49 Paul Hartman wrote: >> >>> In my case, my ISP's DNS servers are slow (several seconds to reply), >>> fail randomly when they should resolve, return an IP (which goes to >>> their ad-laden "helper" website if you are using a web browser) when >>> they should instead return nxdomain, and they have openly admitted to >>> selling customer DNS lookup history to marketers for targeted >>> advertising. >> >> >> >> That is just evil. Have you no alternative to this ISP? > > Not really. > > I have a 100 megabit connection through the cable company; my only > wired alternative is DSL (1.5 mbit for almost half the price I'm > paying for 100mbit). Cellular or satellite are not viable options for > me because of comparatively poor value, latency and miniscule data > usage caps. > […] > > It is no longer legal for local governments to award monopolies, but > the damage has been done. What we have is essentially the cable TV > infrastructure that was laid out during the decade when local cable > monopolies were legal, and the cost of entry for a new player into the > market now is so high that nobody ever bothers. End result for > consumers is a lack of choice. There are some places where competition > exists, but those places are pretty rare, in my experience.
> > There are some other possible alternatives to cable internet and DSL, > such as municipal wifi, mesh networks, powerline and FTTx, but none > are available where I live. > > The service I receive from the cable company here is actually > excellent, with the exception of the aforementioned DNS woes. > > Pretty much every major ISP in the US does DNS-hijacking and other > shenanigans, so there's no avoiding the evilness. I believe the board > members of major cable and telecom companies would sell their own > mothers into slavery if it meant a rise in share prices or a larger > bonus at the end of the year... > That is pretty much the same as what happened in Germany. The telephone network was built by the German postal service in the past and was run by the government. As we all know everything works better and cheaper when things are privatized, so the Deutsche Telekom was created and with it a semi-monopoly overnight. Regions not dense enough are not part of the development plans of any of the companies. So if you are lucky like me, you are stuck with 16mbit DSL provided by one company rented by another company. If people start to build their own network or a competitor reaches for a specific underdeveloped region, this region gets an upgrade like to DSL 3 Mbit or something like that, so the competitors draw off. If you are really lucky you live in a region which is really dense or a cable company provides you with internet, so you get 100mbit. But this is only a fraction of all people. If the government is confronted with this they say, the market will regulate that, which it does not. And if voices get too loud, they tell the companies to develop the underdeveloped regions, they shake hands on TV and nothing happens. And as Paul said, most ISPs do DNS-hijacking and the like, which breaks things in incredibly unexpected ways.
So when I wrote this post to the mailing list and got answers like "unnecessary crap" and "why make it available for everyone" I thought these to be answers of some weirdos which should be ignored. Here you do not trust your ISP… you use the ISP which sucks less or the only one that gives you any internet at all. If you reach a certain level of knowledge, you change your DNS settings to free DNS servers and if you run a resolver you do it for the other poor souls as well. There are lists of unfiltered DNS Servers (http://www.ungefiltert-surfen.de/nameserver/de.html), which are checked regularly if they provide unfiltered answers and the like. And there are howtos for the average user on how to change the dns settings and to avoid your ISP's dns servers. Regards Norman
* Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-30 12:06 ` Norman Rieß @ 2013-03-30 14:53 ` Rene Rasmussen 2013-03-30 15:15 ` [Bulk] " Kevin Chadwick 2013-03-30 15:11 ` Kevin Chadwick 1 sibling, 1 reply; 38+ messages in thread From: Rene Rasmussen @ 2013-03-30 14:53 UTC (permalink / raw To: gentoo-user On Sat, 30 Mar 2013 13:06:16 +0100 Norman Rieß <norman@smash-net.org> wrote: > > Am 29.03.2013 um 23:34 schrieb Paul Hartman > <paul.hartman+gentoo@gmail.com>: > > > On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey > > <peter@humphrey.ukfsn.org> wrote: > >> On Thursday 28 March 2013 20:53:49 Paul Hartman wrote: > >> > >>> In my case, my ISP's DNS servers are slow (several seconds to > >>> reply), fail randomly when they should resolve, return an IP > >>> (which goes to their ad-laden "helper" website if you are using a > >>> web browser) when they should instead return nxdomain, and they > >>> have openly admitted to selling customer DNS lookup history to > >>> marketers for targeted advertising. > >> > >> > >> > >> That is just evil. Have you no alternative to this ISP? > > > > Not really. > > > > I have a 100 megabit connection through the cable company; my only > > wired alternative is DSL (1.5 mbit for almost half the price I'm > > paying for 100mbit). Cellular or satellite are not viable options > > for me because of comparatively poor value, latency and miniscule > > data usage caps. > > > […] > > > > It is no longer legal for local governments to award monopolies, but > > the damage has been done. What we have is essentially the cable TV > > infrastructure that was laid out during the decade when local cable > > monopolies were legal, and the cost of entry for a new player into > > the market now is so high that nobody ever bothers. End result for > > consumers is a lack of choice. There are some places where > > competition exists, but those places are pretty rare, in my > > experience. 
> > > > There are some other possible alternatives to cable internet and > > DSL, such as municipal wifi, mesh networks, powerline and FTTx, but > > none are available where I live. > > > > The service I receive from the cable company here is actually > > excellent, with the exception of the aforementioned DNS woes. > > > > Pretty much every major ISP in the US does DNS-hijacking and other > > shenanigans, so there's no avoiding the evilness. I believe the > > board members of major cable and telecom companies would sell their > > own mothers into slavery if it meant a rise in share prices or a > > larger bonus at the end of the year... > > > > That is pretty much the same as what happened in Germany. The > telephone network was built by the German postal service in the past > and was run by the government. As we all know everything works better > and cheaper when things are privatized, so the Deutsche Telekom was > created and with it a semi-monopoly overnight. Regions not dense > enough are not part of the development plans of any of the companies. > So if you are lucky like me, you are stuck with 16mbit DSL provided > by one company rented by another company. If people start to build > their own network or a competitor reaches for a specific > underdeveloped region, this region gets an upgrade like to DSL 3 Mbit > or something like that, so the competitors draw off. If you are really > lucky you live in a region which is really dense or a cable company > provides you with internet, so you get 100mbit. But this is only a > fraction of all people. If the government is confronted with this > they say, the market will regulate that, which it does not. And if > voices get too loud, they tell the companies to develop the > underdeveloped regions, they shake hands on TV and nothing happens. > And as Paul said, most ISPs do DNS-hijacking and the like, which > breaks things in incredibly unexpected ways.
> > So when I wrote this post to the mailing list and got answers like > "unnecessary crap" and "why make it available for everyone" I thought > these to be answers of some weirdos which should be ignored. Here you > do not trust your ISP… you use the ISP which sucks less or the only > one that gives you any internet at all. If you reach a certain level > of knowledge, you change your DNS settings to free DNS servers and if > you run a resolver you do it for the other poor souls as well. There > are lists of unfiltered DNS Servers > (http://www.ungefiltert-surfen.de/nameserver/de.html), which are > checked regularly if they provide unfiltered answers and the like. And > there are howtos for the average user on how to change the dns > settings and to avoid your ISP's dns servers. > > Regards > Norman > There is also the possibility to use opendns.com I've been using them for years, and have not had any trouble. I started using them when my ISP decided to block some sites. And their standard service is free :) Best regards, Rene
* Re: [Bulk] Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-30 14:53 ` Rene Rasmussen @ 2013-03-30 15:15 ` Kevin Chadwick 2013-03-30 15:30 ` Tanstaafl 0 siblings, 1 reply; 38+ messages in thread From: Kevin Chadwick @ 2013-03-30 15:15 UTC (permalink / raw To: gentoo-user On Sat, 30 Mar 2013 15:53:29 +0100 Rene Rasmussen <gentoo@paranoidix.dk> wrote: > There is also the possibility to use opendns.com > I've been using them for years, and have not had any trouble. I > started using them when my ISP decided to block some sites. And their > standard service is free :) They also support dnscurve but I thought that in the case of non existing domain lookups they do show adverts? I don't see just that as a huge problem as long as they are not targeted though?
* Re: [Bulk] Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-30 15:15 ` [Bulk] " Kevin Chadwick @ 2013-03-30 15:30 ` Tanstaafl 0 siblings, 0 replies; 38+ messages in thread From: Tanstaafl @ 2013-03-30 15:30 UTC (permalink / raw To: gentoo-user On 2013-03-30 11:15 AM, Kevin Chadwick <ma1l1ists@yahoo.co.uk> wrote: > On Sat, 30 Mar 2013 15:53:29 +0100 > Rene Rasmussen <gentoo@paranoidix.dk> wrote: > >> There is also the possibility to use opendns.com >> I've been using them for years, and have not had any trouble. I >> started using them when my ISP decided to block some sites. And their >> standard service is free :) > They also support dnscurve but I thought that in the case of non > existing domain lookups they do show adverts? This can be disabled... The biggest problem with using them (or google dns) is if you are running a mail server, you cannot use spamhaus or many other DNSBLs, because they don't work with these free DNS services: http://www.spamhaus.org/faq/section/DNSBL%20Usage#261
* Re: [Bulk] Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-30 12:06 ` Norman Rieß 2013-03-30 14:53 ` Rene Rasmussen @ 2013-03-30 15:11 ` Kevin Chadwick 2013-03-30 16:44 ` Norman Rieß 2013-03-30 17:30 ` [gentoo-user] Re: [seriously O/T] " Mick 1 sibling, 2 replies; 38+ messages in thread From: Kevin Chadwick @ 2013-03-30 15:11 UTC (permalink / raw To: gentoo-user On Sat, 30 Mar 2013 13:06:16 +0100 Norman Rieß <norman@smash-net.org> wrote: > As we all know everything works better and cheaper when things are > privatized Actually no, it's not so simple at all. You get incompetence in private and public and you may be more likely to get away with it for longer in a public service than in a market with competition but there are many examples where things simply get worse. In the UK, water companies were privatised and fat cats made lots of money letting the pipes deteriorate for future generations. British Telecom, well that's a mixed bag but it is certainly a tiny shadow of its original self. We know ideals and theory hardly ever work but theoretically public should be much better when well managed. I wonder if ISPs wouldn't be handling things like TalkTalk's Homesafe in such a stupid manner (across the board is where it is stupid, even for non users of the service) where they redirect all the http traffic through an undoubtedly insecure layer 7 handling huawei device with less commercial pressures or analysing bandwidth at layer 7 when they should be doing so more safely and completely at layers 3 and 4 leading me to believe they are not just thinking about bandwidth usage. Why does it matter if you download 1000Gb via torrents or http. ACKs can be managed in any case. I'm glad open source is beginning to make strides into public services as it should help put an end to expensive interoperability issues (if we stay away from non posix things like systemd, though even then shouldn't be too bad ;-)).
* Re: [Bulk] Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-30 15:11 ` Kevin Chadwick @ 2013-03-30 16:44 ` Norman Rieß 2013-03-30 17:30 ` [gentoo-user] Re: [seriously O/T] " Mick 1 sibling, 0 replies; 38+ messages in thread From: Norman Rieß @ 2013-03-30 16:44 UTC (permalink / raw To: gentoo-user On 30.03.2013 16:11, Kevin Chadwick wrote: > On Sat, 30 Mar 2013 13:06:16 +0100 > Norman Rieß <norman@smash-net.org> wrote: > >> As we all know everything works better and cheaper when things are >> privatized > > Actually no, it's not so simple at all. > > You get incompetence in private and public and you may be more likely > to get away with it for longer in a public service than in a market with > competition but there are many examples where things simply get worse. > > In the UK, water companies were privatised and fat cats made lots of > money letting the pipes deteriorate for future generations. > > British Telecom, well that's a mixed bag but it is certainly a > tiny shadow of its original self. > > We know ideals and theory hardly ever work but theoretically public > should be much better when well managed. > > I wonder if ISPs wouldn't be handling things like TalkTalk's > Homesafe in such a stupid manner (across the board is where it is > stupid, even for non users of the service) where they redirect all the > http traffic through an undoubtedly insecure layer 7 handling huawei > device with less commercial pressures or analysing bandwidth at layer > 7 when they should be doing so more safely and completely at layers 3 > and 4 leading me to believe they are not just thinking about bandwidth > usage. Why does it matter if you download 1000Gb via torrents or http. > ACKs can be managed in any case. > > I'm glad open source is beginning to make strides into public services > as it should help put an end to expensive interoperability issues (if > we stay away from non posix things like systemd, though even then > shouldn't be too bad ;-)).
> I think you did not spot the sarcasm in what I said :-).
* [gentoo-user] Re: [seriously O/T] How to prevent a dns amplification attack 2013-03-30 15:11 ` Kevin Chadwick 2013-03-30 16:44 ` Norman Rieß @ 2013-03-30 17:30 ` Mick 1 sibling, 0 replies; 38+ messages in thread From: Mick @ 2013-03-30 17:30 UTC (permalink / raw To: gentoo-user On Saturday 30 Mar 2013 15:11:17 Kevin Chadwick wrote: > On Sat, 30 Mar 2013 13:06:16 +0100 > > Norman Rieß <norman@smash-net.org> wrote: > > As we all know everything works better and cheaper when things are > > > > privatized > > Actually no, it's not so simple at all. > > You get incompetence in private and public and you may be more likely > to get away with it for longer in a public service than in a market with > competition but there are many examples where things simply get worse. > > In the UK, water companies were privatised and fat cats made lots of > money letting the pipes deteriorate for future generations. > > British Telecom, well that's a mixed bag but it is certainly a > tiny shadow of its original self. > > We know ideals and theory hardly ever work but theoretically public > should be much better when well managed. Well, as you said, "... it's not so simple at all." ;-) Errors, incompetence, inefficiencies due to organisational friction and poor structures, plus perverse incentives exist in all organisations. They feed on human traits and do not depend simply on the public, or private type of ownership, despite what political propaganda based on the prevailing Neo-liberal economic dogma would have you believe. In the UK, in particular, we have had railways, water, gas and energy all privatised and costs increased 3 to 4 times as a minimum, while performance in many cases decreased dramatically. Failed privatisations and re-nationalisation en masse of railways is an example where fat subsidies to the private sector did not produce the improvements in performance or cost efficiencies promised at the beginning.
The UK government is now pushing with the privatisation of the Health Service, despite the majority of studies showing that a public ownership model is a more cost effective model. British Telecom was actually a mixed bag, i.e. there are areas of improvement, especially where technological innovation could be easily taken advantage of (read low business risk). Economic theory speaks of 'natural monopolies' where high risk and very long term investments with relatively low returns, make public ownership more suitable. Typically these kinds of industries are better and cheaper managed under public ownership; i.e. goals of ownership and those of customers/users are better aligned. However, markets with smaller scope and shorter life span, is where private sector ownership and competition thrives and excels. > I wonder if ISPs wouldn't be handling things like TalkTalk's > Homesafe in such a stupid manner (across the board is where it is > stupid, even for non users of the service) where they redirect all the > http traffic through an undoubtedly insecure layer 7 handling huawei > device with less commercial pressures or analysing bandwidth at layer > 7 when they should be doing so more safely and completely at layers 3 > and 4 leading me to believe they are not just thinking about bandwidth > usage. Why does it matter if you download 1000Gb via torrents or http. > ACKs can be managed in any case. > > I'm glad open source is beginning to make strides into public services > as it should help put an end to expensive interoperability issues (if > we stay away from non posix things like systemd, though even then > shouldn't be too bad ;-)). Talk-Talk is not the only UK ISP who undertakes deep-packet inspection, and filtering of DNS. There was a debacle only a couple of years ago when TalkTalk (along with Virgin, PlusNet, and Sky I think) gave their users' details to some lawyer who in turn blackmailed them with a law suit against their alleged p2p activity.
Some users paid him, but most told him where to go and stick his head! I think his email account and company PC was also hacked and a lot of information leaked. He ended up in court for failing to protect private data! :D -- Regards, Mick
* Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-28 20:53 ` Paul Hartman 2013-03-28 20:59 ` Michael Mol 2013-03-29 0:49 ` Peter Humphrey @ 2013-03-29 13:24 ` Alan McKinnon 2 siblings, 0 replies; 38+ messages in thread From: Alan McKinnon @ 2013-03-29 13:24 UTC (permalink / raw To: gentoo-user On 28/03/2013 22:53, Paul Hartman wrote: > On Thu, Mar 28, 2013 at 3:02 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote: >>>> Or just use the ISP's DNS caches. In the vast majority of cases, the ISP >>>> knows how to do it right and the user does not. >>> >>> Generally true, though I've known people to choose not to use ISP caches >>> owing to the ISP's implementation of things like '*' records, ISPs >>> applying safety filters against some hostnames, and concerns about the >>> persistence of ISP request logs. >> >> I get a few of those too every now and again. I know for sure in my case >> their fears are unfounded, but can't prove it. Those few (and they are >> few) can go ahead and deploy their own cache. I can't stop them, they >> are free to do it, they are also free to ignore my advice if they choose. > > In my case, my ISP's DNS servers are slow (several seconds to reply), > fail randomly when they should resolve, return an IP (which goes to > their ad-laden "helper" website if you are using a web browser) when > they should instead return nxdomain, and they have openly admitted to > selling customer DNS lookup history to marketers for targeted > advertising. I'm part of Infra. If we sold you service like that, you wouldn't have to complain, the CTO would be round at my desk in a flash with his new career path plan for me. You know the plan, it's the cookie-cutter one that mentions "burgers" and "flipping" many times :-) > > Thanks for being one of the good guys. :) > -- Alan McKinnon alan.mckinnon@gmail.com
* Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-28 8:51 [gentoo-user] How to prevent a dns amplification attack Norman Rieß ` (2 preceding siblings ...) 2013-03-28 15:38 ` Michael Mol @ 2013-03-28 16:53 ` Jarry 2013-03-28 19:40 ` Paul Ezvan 2013-03-31 2:08 ` Paul Hartman 4 siblings, 1 reply; 38+ messages in thread From: Jarry @ 2013-03-28 16:53 UTC (permalink / raw To: gentoo-user On 28-Mar-13 9:51, Norman Rieß wrote: > Hello, > > i am using pdns recursor to provide a dns server which should be usable > for everybody. The problem is, that the server seems to be used in dns > amplification attacks. > I googled around on how to prevent this but did not really find > something useful. > > Does anyone got an idea about this? Try to set up connection rate limiting using iptables... Jarry -- _______________________________________________________________ This mailbox accepts e-mails only from selected mailing-lists! Everything else is considered to be spam and therefore deleted.
* Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-28 16:53 ` Jarry @ 2013-03-28 19:40 ` Paul Ezvan 0 siblings, 0 replies; 38+ messages in thread From: Paul Ezvan @ 2013-03-28 19:40 UTC (permalink / raw To: gentoo-user On 28/03/2013 17:53, Jarry wrote: > On 28-Mar-13 9:51, Norman Rieß wrote: >> Hello, >> >> i am using pdns recursor to provide a dns server which should be usable >> for everybody. The problem is, that the server seems to be used in dns >> amplification attacks. >> I googled around on how to prevent this but did not really find >> something useful. >> >> Does anyone got an idea about this? > > Try to set up connection rate limiting using iptables... > > Jarry Hi, a good example, in French, but the commands will be sufficient: http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html Paul
* Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-28 8:51 [gentoo-user] How to prevent a dns amplification attack Norman Rieß ` (3 preceding siblings ...) 2013-03-28 16:53 ` Jarry @ 2013-03-31 2:08 ` Paul Hartman 2013-03-31 8:47 ` Jarry 2013-03-31 19:07 ` Norman Rieß 4 siblings, 2 replies; 38+ messages in thread From: Paul Hartman @ 2013-03-31 2:08 UTC (permalink / raw To: gentoo-user On Thu, Mar 28, 2013 at 3:51 AM, Norman Rieß <norman@smash-net.org> wrote: > Hello, > > i am using pdns recursor to provide a dns server which should be usable > for everybody. The problem is, that the server seems to be used in dns > amplification attacks. > I googled around on how to prevent this but did not really find > something useful. > > Does anyone got an idea about this? Coincidentally, yesterday US-CERT published a small article about DNS amplification attacks and mitigation strategies: http://www.us-cert.gov/ncas/alerts/TA13-088A
* Re: [gentoo-user] How to prevent a dns amplification attack 2013-03-31 2:08 ` Paul Hartman @ 2013-03-31 8:47 ` Jarry 2013-03-31 19:07 ` Norman Rieß 1 sibling, 0 replies; 38+ messages in thread From: Jarry @ 2013-03-31 8:47 UTC (permalink / raw To: gentoo-user On 31-Mar-13 4:08, Paul Hartman wrote: > Coincidentally, yesterday US-CERT published a small article about DNS > amplification attacks and mitigation strategies: > > http://www.us-cert.gov/ncas/alerts/TA13-088A Thanks for the interesting link. I did not know bind has support for response rate-limiting... Jarry -- _______________________________________________________________ This mailbox accepts e-mails only from selected mailing-lists! Everything else is considered to be spam and therefore deleted.
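The three controls the thread converges on, restricting the resolver to trusted clients (Michael Mol's allowed-clients entry, what pdns-recursor's allow-from setting does), rate limiting requests per source at the firewall (Jarry's and Paul Ezvan's iptables suggestion, typically done with the hashlimit match) and BIND's response rate limiting that Jarry mentions above, modelled together as one added example. This is not code from the thread, from PowerDNS or from BIND; it shows the decision a hardened recursor makes per query and why RRL's truncated replies matter: a spoofed victim never retries over TCP, a real client does. The networks, the limits and the query stream (a trusted client doing ordinary lookups next to an attacker spoofing a victim's address for repeated "isc.org ANY" queries) are constructed for the demo.

```python
"""Resolver access policy, modelled: client ACL plus response rate limiting.

Added example, not code from the thread, PowerDNS or BIND. The ACL stands in
for pdns-recursor's allow-from; the limiter follows the shape of BIND's RRL:
identical answers to the same client block are capped per second, and excess
replies are dropped or, every `slip`-th time, sent truncated (TC=1) so a real
client retries over TCP while a spoofed victim address never does. Networks,
limits and the query stream are constructed for this demo.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed trusted client networks, what allow-from would list (documentation ranges).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8::/32")]
RESPONSES_PER_SECOND = 5   # cap per (second, client block, identical answer)
SLIP = 2                   # every 2nd over-limit reply is truncated, the rest dropped


class Resolver:
    def __init__(self, allowed=ALLOWED_NETS, rps=RESPONSES_PER_SECOND, slip=SLIP):
        self.allowed = list(allowed)
        self.rps = rps
        self.slip = slip
        self.sent = defaultdict(int)     # (second, block, qname, qtype) -> answers sent
        self.excess = defaultdict(int)   # same key -> over-limit replies seen

    @staticmethod
    def client_block(ip):
        """RRL aggregates by /24 (IPv4) or /56 (IPv6): spoofers rotate addresses."""
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 56
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def is_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed)

    def handle(self, ts, src, qname, qtype):
        """Return the action for one query: ANSWER, REFUSED, TRUNCATE or DROP."""
        if not self.is_allowed(src):
            # A REFUSED reply is a few dozen bytes: no amplification to speak of.
            return "REFUSED"
        key = (int(ts), self.client_block(src), qname.lower(), qtype.upper())
        self.sent[key] += 1
        if self.sent[key] <= self.rps:
            return "ANSWER"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "TRUNCATE"   # header-only reply with TC=1: forces a TCP retry
        return "DROP"


def open_resolver():
    """The configuration the thread warns against: answer anyone."""
    return Resolver(allowed=[ipaddress.ip_network("0.0.0.0/0"),
                             ipaddress.ip_network("::/0")])


def simulate(resolver, events):
    """Feed (ts, src, qname, qtype) tuples through the policy; count the actions."""
    return dict(Counter(resolver.handle(*ev) for ev in events))


# Constructed query stream, all within the same second: a trusted client doing
# three ordinary lookups, and an attacker spoofing 203.0.113.5 as the source
# of twenty "isc.org ANY" queries (a large, DNSSEC-signed answer).
DEMO_EVENTS = (
    [(0.1 * i, "192.0.2.10", name, "A")
     for i, name in enumerate(["www.gentoo.org", "mail.example.net", "kernel.org"])]
    + [(0.01 * i, "203.0.113.5", "isc.org", "ANY") for i in range(20)]
)

if __name__ == "__main__":
    print("allow-from restricted:", simulate(Resolver(), DEMO_EVENTS))
    print("open resolver + RRL:  ", simulate(open_resolver(), DEMO_EVENTS))
```

With the ACL in place the spoofed queries never get an amplified answer at all; with an open resolver the victim still receives five full answers per second per query, and RRL only limits the damage, which is why the thread's first answer (restrict recursion) comes before any rate limiting.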
* Re: [gentoo-user] How to prevent a dns amplification attack
From: Norman Rieß @ 2013-03-31 19:07 UTC
To: gentoo-user

On 31.03.2013 04:08, Paul Hartman wrote:
> On Thu, Mar 28, 2013 at 3:51 AM, Norman Rieß <norman@smash-net.org> wrote:
>> Hello,
>>
>> I am using pdns recursor to provide a dns server which should be usable
>> for everybody. The problem is that the server seems to be used in dns
>> amplification attacks.
>> I googled around on how to prevent this but did not really find
>> something useful.
>>
>> Does anyone have an idea about this?
>
> Coincidentally, yesterday US-CERT published a small article about DNS
> amplification attacks and mitigation strategies:
>
> http://www.us-cert.gov/ncas/alerts/TA13-088A
>

Thanks a lot!