Re: DDOS prevention - how to restrict queries to hint (root) zones?

2009-02-03 Thread Mark Andrews

In message <1233658532.12933.42.ca...@muccalla.uninsubria.it>, MAtteo HCE Valsasna writes:
> hi all,
>
> We run BIND 9.3.4-P1.1 on Debian GNU/Linux 4.0 (using the distribution's
> package), that does both recursive queries for internal clients (with a
> proper allow-recursion clause) and authoritative service for the
> institution's domain.
>
> There are reports of DDOS attacks based on DNS requests for the root
> zone with spoofed source IP address:
> * the attacker sends a request for the root zone with spoofed source
>   address to a DNS server
> * the intermediate victim (DNS server) sends the reply packet -
>   significantly larger than the request - to the ultimate victim (the
>   owner of the spoofed source IP address in the request packet).
> * the ultimate victim's connection is flooded
>
> http://isc.sans.org/diary.html?storyid=5773
>
> I verified that our servers reply when queried from a non-trusted source
> address for the root zone. (And we must also notice that the
> non-trusted source address argument is pretty pointless when dealing
> with spoofed source addresses: if a query with a spoofed internal source
> address could reach the server, the server would just DDOS an internal
> machine. But we do discard inbound packets with internal source IP
> addresses on the network border.)
>
> The first answer to this threat would be to disallow queries for the
> root zone for any client (the root zone is used only by the server
> itself, right?).
>
> * Do you think there is any reason NOT to do this?
>
> * Do you know a simple way to do this?
>
> The trivial solution of adding an allow-query clause to the root
> zone definition is refused by the server, as hint-type zones
> cannot have an allow-query clause - see
> https://lists.isc.org/pipermail/bind-users/2006-January/061077.html
>
> There is possibly a way to do this using views, but...
> anything simpler?

acl recursive-clients { 192.0.2.0/24; };	// placeholder: your internal client ranges

options {
	// default for everything not overridden per zone, which covers
	// queries answered from the cache and from the root hints
	allow-query { recursive-clients; };
	allow-recursion { recursive-clients; };
};

zone "example.com" {			// placeholder name: each zone you are authoritative for
	type master;			// or slave
	...
	allow-query { any; };		// the zone-level setting overrides the options default
};
 
Or upgrade to BIND 9.4 or later and use allow-query-cache;
BIND 9.3 is past end-of-life.

Mark

> best regards and thanks for any answer
>
> MAtteo Valsasna
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DDOS prevention - how to restrict queries to hint (root) zones?

2009-02-03 Thread David Forrest

On Tue, 3 Feb 2009, Mark Andrews wrote:



> In message <1233658532.12933.42.ca...@muccalla.uninsubria.it>, MAtteo HCE
> Valsasna writes:
>
>> hi all,
>>
>> We run BIND 9.3.4-P1.1 on Debian GNU/Linux 4.0 (using the distribution's
>> package), that does both recursive queries for internal clients (with a
>> proper allow-recursion clause) and authoritative service for the
>> institution's domain.
>>
>> There are reports of DDOS attacks based on DNS requests for the root
>> zone with spoofed source IP address:
>> * the attacker sends a request for the root zone with spoofed source
>>   address to a DNS server
>> * the intermediate victim (DNS server) sends the reply packet -
>>   significantly larger than the request - to the ultimate victim (the
>>   owner of the spoofed source IP address in the request packet).
>> * the ultimate victim's connection is flooded
>>
>> http://isc.sans.org/diary.html?storyid=5773
>>
>> I verified that our servers reply when queried from a non-trusted source
>> address for the root zone. (And we must also notice that the
>> non-trusted source address argument is pretty pointless when dealing
>> with spoofed source addresses: if a query with a spoofed internal source
>> address could reach the server, the server would just DDOS an internal
>> machine. But we do discard inbound packets with internal source IP
>> addresses on the network border.)
>>
>> The first answer to this threat would be to disallow queries for the
>> root zone for any client (the root zone is used only by the server
>> itself, right?).
>>
>> * Do you think there is any reason NOT to do this?
>>
>> * Do you know a simple way to do this?
>>
>> The trivial solution of adding an allow-query clause to the root
>> zone definition is refused by the server, as hint-type zones
>> cannot have an allow-query clause - see
>> https://lists.isc.org/pipermail/bind-users/2006-January/061077.html
>>
>> There is possibly a way to do this using views, but...
>> anything simpler?
>
> acl recursive-clients { 192.0.2.0/24; };	// placeholder: your internal client ranges
>
> options {
> 	// default for everything not overridden per zone, which covers
> 	// queries answered from the cache and from the root hints
> 	allow-query { recursive-clients; };
> 	allow-recursion { recursive-clients; };
> };
>
> zone "example.com" {			// placeholder name: each zone you are authoritative for
> 	type master;			// or slave
> 	...
> 	allow-query { any; };		// the zone-level setting overrides the options default
> };
>
> Or upgrade to BIND 9.4 or later and use allow-query-cache;
> BIND 9.3 is past end-of-life.
>
> Mark
>
>> best regards and thanks for any answer
>>
>> MAtteo Valsasna


Using allow-query to deny some queries still takes time and resources from
your server as it then sends a denied message back to the query source.
As the source is spoofed, it then contributes in a small way to the DDoS
attack.  I think it is better to just drop the queries on your firewall.
I found this entry for iptables on the list a while back and it works
well and drops around a thousand queries a day.


iptables -A INPUT -i $LOCALIF -j DROP -p udp --dport domain -m u32 --u32 "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"



--
David Forrest 
St. Louis, Missouri

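The u32 rule above keys on three fixed fields of the DNS payload: QDCOUNT must be 1, the first QNAME byte must be 0 (the root name) and QTYPE/QCLASS must be 0x00020001 (NS, IN). The following script is an added example, not code from the thread or from ISC; it walks a UDP DNS payload properly instead of using fixed offsets, flags the same ". NS IN" queries, and rejects malformed or multi-question packets rather than guessing. The `build_query` helper and the `SAMPLES` dictionary only exist to construct test packets offline; on a real resolver you would feed it payloads captured on port 53.

```python
"""Classify raw DNS query payloads (UDP data, no IP/UDP header) and flag
root-zone NS queries, i.e. the packets the firewall rule in the thread drops.

Added example; build_query() and SAMPLES are constructed here for testing.
"""
import struct

QTYPE_NS = 2
QCLASS_IN = 1


def parse_question(payload: bytes):
    """Return (id, flags, qname, qtype, qclass) for a DNS message with one question.

    Raises ValueError for short, truncated or multi-question packets so the
    caller can treat them as 'not a well-formed single query' instead of crashing.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1:
        raise ValueError(f"expected exactly one question, got {qdcount}")
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:          # root label terminates the name
            break
        if length & 0xC0:        # a question section should not use compression; reject
            raise ValueError("compression pointer in QNAME")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    qname = ".".join(labels) + "." if labels else "."
    return txid, flags, qname, qtype, qclass


def is_root_ns_query(payload: bytes) -> bool:
    """True when payload is a query (QR bit clear) for '. NS IN' with QDCOUNT=1."""
    try:
        _, flags, qname, qtype, qclass = parse_question(payload)
    except ValueError:
        return False
    is_query = (flags & 0x8000) == 0
    return is_query and qname == "." and qtype == QTYPE_NS and qclass == QCLASS_IN


def build_query(qname: str, qtype: int, qclass: int = QCLASS_IN, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query; used only to construct sample packets."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    name = b""
    for label in [l for l in qname.rstrip(".").split(".") if l]:
        name += bytes([len(label)]) + label.encode("ascii")
    name += b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)


# Constructed sample traffic: the kind of payloads a resolver sees on port 53.
SAMPLES = {
    "root-ns": build_query(".", QTYPE_NS),
    "example-a": build_query("example.com", 1),
    "root-a": build_query(".", 1),
}


def classify_samples():
    """Map each sample name to whether the firewall-style rule would drop it."""
    return {name: is_root_ns_query(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, flagged in classify_samples().items():
        print(f"{name}: {'DROP' if flagged else 'pass'}")
```

Note that, like the iptables rule, this only matches NS queries for the root; it says nothing about responses (QR set) or other query types, and a packet that fails to parse is simply not matched, which is the safe default for a drop rule.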


DDOS prevention - how to restrict queries to hint (root) zones?

2009-02-03 Thread MAtteo HCE Valsasna
hi all,

We run BIND 9.3.4-P1.1 on Debian GNU/Linux 4.0 (using the distribution's
package), that does both recursive queries for internal clients (with a
proper allow-recursion clause) and authoritative service for the
institution's domain.


There are reports of DDOS attacks based on DNS requests for the root
zone with spoofed source IP address:
* the attacker sends a request for the root zone with spoofed source
  address to a DNS server
* the intermediate victim (DNS server) sends the reply packet -
  significantly larger than the request - to the ultimate victim (the
  owner of the spoofed source IP address in the request packet).
* the ultimate victim's connection is flooded

http://isc.sans.org/diary.html?storyid=5773


I verified that our servers reply when queried from a non-trusted source
address for the root zone. (And we must also notice that the
non-trusted source address argument is pretty pointless when dealing
with spoofed source addresses: if a query with a spoofed internal source
address could reach the server, the server would just DDOS an internal
machine. But we do discard inbound packets with internal source IP
addresses on the network border.)

The first answer to this threat would be to disallow queries for the
root zone for any client (the root zone is used only by the server
itself, right?).

* Do you think there is any reason NOT to do this?

* Do you know a simple way to do this?

The trivial solution of adding an allow-query clause to the root
zone definition is refused by the server, as hint-type zones
cannot have an allow-query clause - see
https://lists.isc.org/pipermail/bind-users/2006-January/061077.html

There is possibly a way to do this using views, but...
anything simpler?



best regards and thanks for any answer


MAtteo Valsasna
