Re: [gentoo-user] How to prevent a dns amplification attack

[Alan McKinnon <alan.mckinnon@gmail.com>]

On 28/03/2013 21:38, Michael Mol wrote:
> On 03/28/2013 03:16 PM, Alan McKinnon wrote:
>> On 28/03/2013 17:38, Michael Mol wrote:
>>> On 03/28/2013 04:51 AM, Norman Rieß wrote:
>>>> Hello,
>>>>
>>>> i am using pdns recursor to provide a dns server which should be usable
>>>> for everybody.The problem is, that the server seems to be used in dns
>>>> amplification attacks.
>>>> I googled around on how to prevent this but did not really find
>>>> something usefull.
>>>>
>>>> Does anyone got an idea about this?
>>>
>>> I'm not sure it can be done. You can't make a resolver available to
>>> "everybody" without somebody in that "everybody" group abusing it, and
>>> that's exacly what happens in a DNS amplification attack.
>>>
>>> Restrict your resolver to be accessible only to your network or, at
>>> most, those of the specific group of people you're seeking to help.
>>>
>>> You *might* try restricting the resolver to only respond to TCP requests
>>> rather than UDP requests, 
>>
>> NO NO NO NO NO
>>
>> Under no circumstances ever do this. The service breaks horribly when
>> you do this and it has to work even remotely hard. Most likely your ISP
>> will outright ban you for that if you use the ISP's caches. I knwo I do,
>> and so does every other major ISP in this country.
> 
> Er, what? When we're talking about a recursive resolver requiring
> clients connecting to it to use TCP, what does upstream care? He's
> talking about running his own open DNS server.

Because the list is indexed and archived and Googled forever. Others may
get the idea that TCP-only DNS caches are a good idea in general. Have
you ever had to deal with the insanity caused when Windows Servers
insist on using TCP only, and YOU are the upstream?

I understand what the OP was suggesting, but he did not limit the
usefulness and scope of the suggestion, so I did.

> 
>>
>> but if the resolver sends response data along
>>> with that first SYN+ACK, then nothing is solved, and you've opened
>>> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
>>> went offline as a result of a SYN flood, at least it wouldn't be part of
>>> an amplification attack any longer...)
>>
>>
>> Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
>> knows how to do it right and the user does not.
> 
> Generally true, though I've known people to choose not to use ISP caches
> owing to the ISP's implementation of things like '*' records, ISPs
> applying safety filters against some hostnames, and concerns about the
> persistence of ISP request logs.

I get a few of those too every now and again. I know for sure in my case
their fears are unfounded, but can't prove it. Those few (and they are
few) can go ahead and deploy their own cache. I can't stop them, they
are free to do it, they are also free to ignore my advice of they choose.





-- 
Alan McKinnon
alan.mckinnon@gmail.com