From: Michael Mol
Date: Thu, 28 Mar 2013 15:38:21 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] How to prevent a dns amplification attack
Message-ID: <51549C2D.9080005@gmail.com>
In-Reply-To: <515496FD.70507@gmail.com>
References: <51540497.5020008@smash-net.org> <515463E0.60607@gmail.com> <515496FD.70507@gmail.com>

On 03/28/2013 03:16 PM, Alan McKinnon wrote:
> On 28/03/2013 17:38, Michael Mol wrote:
>> On 03/28/2013 04:51 AM, Norman Rieß wrote:
>>> Hello,
>>>
>>> I am using pdns recursor to provide a DNS server which should be usable
>>> for everybody. The problem is that the server seems to be used in DNS
>>> amplification attacks.
>>> I googled around on how to prevent this but did not really find
>>> something useful.
>>>
>>> Does anyone have an idea about this?
>>
>> I'm not sure it can be done. You can't make a resolver available to
>> "everybody" without somebody in that "everybody" group abusing it, and
>> that's exactly what happens in a DNS amplification attack.
>>
>> Restrict your resolver to be accessible only to your network or, at
>> most, those of the specific group of people you're seeking to help.
>>
>> You *might* try restricting the resolver to only respond to TCP requests
>> rather than UDP requests,
>
> NO NO NO NO NO
>
> Under no circumstances ever do this. The service breaks horribly when
> you do this and it has to work even remotely hard. Most likely your ISP
> will outright ban you for that if you use the ISP's caches. I know I do,
> and so does every other major ISP in this country.

Er, what? When we're talking about a recursive resolver requiring clients
connecting to it to use TCP, what does upstream care? He's talking about
running his own open DNS server.

>
>> but if the resolver sends response data along
>> with that first SYN+ACK, then nothing is solved, and you've opened
>> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
>> went offline as a result of a SYN flood, at least it wouldn't be part of
>> an amplification attack any longer...)
>
>
> Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
> knows how to do it right and the user does not.

Generally true, though I've known people to choose not to use ISP caches
owing to the ISP's implementation of things like '*' records, ISPs
applying safety filters against some hostnames, and concerns about the
persistence of ISP request logs.
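The advice in the thread that survives the exchange is the first one: serve only your own network. The script below is an added example, not code from the thread or from PowerDNS, that models that decision over a constructed query log and, as a second step, flags the traffic pattern an abused open resolver typically sees (repeated ANY queries over UDP from an address outside the allow list, which in an amplification attack is the spoofed victim). The log format, the allow-list networks and all addresses and names are constructed for the example; pdns-recursor's real log format is not reproduced.

```python
"""Added example: apply a 'serve only my network' policy to a constructed
resolver query log and flag likely amplification traffic.

Everything here (log format, networks, addresses, names) is constructed
for illustration; it is not pdns-recursor code or its log format."""
import ipaddress
from collections import Counter

# Hypothetical allow list: the networks the operator actually serves.
ALLOW_FROM = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]


def is_allowed(src_ip, allow_from=ALLOW_FROM):
    """True if src_ip lies inside any allowed network (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(src_ip)
    # 'in' on a network of the other IP version is simply False, so mixed
    # IPv4/IPv6 allow lists work without special-casing.
    return any(ip in net for net in allow_from)


# Constructed log lines: "<source-ip> <qname> <qtype> <transport>".
SAMPLE_LOG = """\
192.0.2.10 www.example.com A udp
192.0.2.11 mail.example.com MX udp
198.51.100.7 big.example.net ANY udp
198.51.100.7 big.example.net ANY udp
198.51.100.7 big.example.net ANY udp
203.0.113.5 example.net A udp
2001:db8::1 www.example.org AAAA udp
""".splitlines()


def parse_line(line):
    """Split one constructed log line into its four fields."""
    src, qname, qtype, proto = line.split()
    return {"src": src, "qname": qname, "qtype": qtype, "proto": proto}


def audit(lines, allow_from=ALLOW_FROM, any_threshold=3):
    """Return (served, refused, suspects).

    served / refused: Counter of queries per source address under the
    allow list, i.e. what the resolver would answer vs. drop.
    suspects: refused sources sending at least any_threshold ANY queries
    over UDP.  Because the source address of amplification traffic is the
    spoofed victim, refusing these protects that third party, not just
    the resolver."""
    served, refused, any_udp = Counter(), Counter(), Counter()
    for rec in map(parse_line, lines):
        if is_allowed(rec["src"], allow_from):
            served[rec["src"]] += 1
            continue
        refused[rec["src"]] += 1
        if rec["qtype"] == "ANY" and rec["proto"] == "udp":
            any_udp[rec["src"]] += 1
    suspects = sorted(s for s, n in any_udp.items() if n >= any_threshold)
    return served, refused, suspects


if __name__ == "__main__":
    served, refused, suspects = audit(SAMPLE_LOG)
    print("served:", dict(served))
    print("refused:", dict(refused))
    print("likely amplification sources (spoofed victims):", suspects)
```

On a real deployment the first step is the configuration, not a log audit: PowerDNS Recursor's `allow-from` setting is where the served networks are listed, and once it excludes the outside world the ANY-over-UDP pattern above never reaches the cache at all. The audit is useful afterwards to confirm the policy is in force and to see who was hitting the resolver before it was tightened.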