GitHub user rhtyd opened a pull request:
https://github.com/apache/cloudstack/pull/1663
CLOUDSTACK-6432: Prevent DNS reflection attacks
At least in SG zones DNS on the VR is publicly accessible and as such
susceptible to DNS amplification/reflection attacks. This fixes it as per
https://issues.apache.org/jira/browse/CLOUDSTACK-6432 to only allow IPs
from the guest cidr to send DNS requests on port 53.
Due to repository commit issues I've created this PR, based on #1653 .
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/shapeblue/cloudstack 4.9-dnsreflection-attack
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cloudstack/pull/1663.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1663
----
commit 5adacc9b6f1b7b9ae53d35aa78fc8f7cd0d2273e
Author: NuxRo <[email protected]>
Date: 2016-08-22T09:31:41Z
CLOUDSTACK-6432: Prevent DNS reflection attacks
At least in SG zones DNS on the VR is publicly accessible and as such
susceptible to DNS amplification/reflection attacks. This fixes it as per
https://issues.apache.org/jira/browse/CLOUDSTACK-6432 to only allow IPs
from the guest cidr to send DNS requests on port 53.
Signed-off-by: Rohit Yadav <[email protected]>
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
