Open DNS Resolver reflection attack Mitigation

Joe Maimon jmaimon at ttec.com
Fri Jun 8 19:48:48 UTC 2012



Stephane Bortzmeyer wrote:
> On Fri, Jun 08, 2012 at 03:09:04PM -0400,
>   Joe Maimon<jmaimon at ttec.com>  wrote
>   a message of 7 lines which said:
>
>> Is there any publicly available rate limiting for BIND?
>
> Not as far as I know. I'm not sure it would be a good idea. BIND is
> feature-rich enough.


I really hope you have a minority viewpoint on this one. I would really 
like to see it.


>
>> How about host-based IDS that can be used to trigger rtbh or iptables?
>
> What I do (I manage a small and experimental open resolver) is to use
> iptables this way (porting it to IPv6 is left as an exercice):
>
> iptables -A INPUT -p udp --dport 53 -m hashlimit \
>     --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
>     --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
>
> So, every prefix (length 28) can send 20 r/s with allowed bursts of
> 100. This requires a Netfilter>= 1.4 (recent options of module
> hashlimit).

Missing the amplification factor goodness google says they have, but 
I'll take it.

https://developers.google.com/speed/public-dns/docs/security

>
> Most iptables recipes that you find on the Web are not well suited to
> DNS. They use connection tracking, for instance, while, with the DNS,
> every request/response is a "connection".
>
> I have a more complete article on this setup but in french only
> <http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html>.

This sounds promising. I will give it a spin. Thank you!


>
>> Google and Level3 manage to run open resolvers, why cant I?
>
> You have less money :-)
>
>

With help like yours, I hope to compensate for that.

Joe





More information about the NANOG mailing list