Bug#698641: Please apply the rate limiting patches

2013-01-21 Thread LaMont Jones
On Mon, Jan 21, 2013 at 06:08:58PM +0100, Peter Palfrader wrote:
> With the growing deployment of DNSSEC and more information being put into
> the domain name system, DNS servers have become and are becoming a
> useful tool for denial of service attacks by providing amplification:
> a single UDP packet of only a few bytes causes a response many times the
> size of the query.
> 
> Debian admin has deployed the patch at [2] to the bind running the
> debian.org nameservers - else debian.org's nameservers would not have
> any resources left to answer legitimate queries.
> 
> We think it important that the bind version Debian ships be actually
> usable by the internet community in general, and ourselves in
> particular.  Therefore we ask you (and the release folks) to consider
> shipping wheezy's bind with the rate limiting patches applied.

Agreed.  I've added the patch to 9.9.2-P1 (which I will upload to
experimental later today).  I have also started the discussion with the
release team about getting this into 9.8.4-P1 with bug 698658.

lamont


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#698641: Please apply the rate limiting patches

2013-01-21 Thread Peter Palfrader
Package: bind9
Severity: important

With the growing deployment of DNSSEC and more information being put into
the domain name system, DNS servers have become and are becoming a
useful tool for denial of service attacks by providing amplification:
a single UDP packet of only a few bytes causes a response many times the
size of the query.

An adversary can use this effect to either cause a huge amount of
traffic to flow towards their target site (by faking the source address
of requests), or to cause a nameserver to effectively DoS itself by
filling up its outbound pipe with only a couple thousand requests per
second, costing very little in bandwidth for the adversary.

Vernon Schryver, Paul Vixie, et al. have been working on bringing
(response) rate limiting to nameservers.  Such a feature enables the
admin of an authoritative nameserver to limit responses in the face of
their server being abused.

The particular patchset for bind, linked from [1], is able to enforce
limits per requested name/type/source address tuple, and can fall back to
sending clients a tiny retry-using-TCP packet.  The intent is to make
the server useless as an amplifier while not breaking resolving for
anyone.

Debian admin has deployed the patch at [2] to the bind running the
debian.org nameservers - else debian.org's nameservers would not have
any resources left to answer legitimate queries.

We think it important that the bind version Debian ships be actually
usable by the internet community in general, and ourselves in
particular.  Therefore we ask you (and the release folks) to consider
shipping wheezy's bind with the rate limiting patches applied.

Thanks for your consideration,
weasel

1. http://www.redbarn.org/dns/ratelimits
2. http://ss.vix.su/~vjs/rpz2+rl-9.8.4-P1.patch
-- 
Peter Palfrader
http://www.palfrader.org/
Debian: The universal Operating System
http://www.debian.org/


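The per name/type/source-prefix limiting with a truncated-response fallback that the report describes, as an added Python model (this is not the bind patch or any of its code); the credit-bucket sizing, the /24 and /56 aggregation prefixes and the `slip` counting are simplifying assumptions.

```python
import ipaddress


class ResponseRateLimiter:
    """Per-(qname, qtype, source prefix) response limiter with TC fallback.

    Illustrative model of the RRL idea, not the bind patch: each tuple has a
    credit bucket refilled at `responses_per_second`, capped at `window`
    seconds' worth. Once the bucket is empty, every `slip`-th excess response
    is answered with a tiny truncated (TC=1) reply so a real client retries
    over TCP (gaining nothing for a spoofed-source flood), and the remaining
    excess responses are dropped. Bucket sizing and prefix lengths are
    assumptions chosen for this example.
    """

    def __init__(self, responses_per_second=5, window=5, slip=2,
                 ipv4_prefix=24, ipv6_prefix=56):
        self.rps = responses_per_second
        self.cap = responses_per_second * window
        self.slip = slip
        self.prefixes = {4: ipv4_prefix, 6: ipv6_prefix}
        self.buckets = {}  # key -> {"credits", "last", "slipped"}

    def _key(self, qname, qtype, src_ip):
        # Spoofed floods usually vary the low address bits, so aggregate
        # by prefix rather than by individual source address.
        addr = ipaddress.ip_address(src_ip)
        net = ipaddress.ip_network(
            f"{addr}/{self.prefixes[addr.version]}", strict=False)
        return (qname.lower().rstrip("."), qtype.upper(), str(net))

    def decide(self, qname, qtype, src_ip, now):
        """Return 'send', 'truncate' or 'drop' for one would-be response."""
        key = self._key(qname, qtype, src_ip)
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = {"credits": float(self.rps),
                                     "last": now, "slipped": 0}
        elif now > b["last"]:
            # Refill credits for the elapsed time, capped at the burst window.
            b["credits"] = min(self.cap,
                               b["credits"] + (now - b["last"]) * self.rps)
            b["last"] = now
        if b["credits"] >= 1:
            b["credits"] -= 1
            return "send"
        if self.slip:
            b["slipped"] += 1
            if b["slipped"] >= self.slip:
                b["slipped"] = 0
                return "truncate"  # tiny TC=1 reply: legitimate client retries via TCP
        return "drop"
```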