In message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes:
> On Dec 3, 6:26 pm, Mark Andrews <[EMAIL PROTECTED]> wrote:
> > If it is a forged packet it should be dropped regardless of the setting
> > of RD.
>
> True, however not something that's easily determined from a distance.
>
> Ideally ingress filtering would render this a non-issue, however
> there are obviously holes in the current filtering done by ISPs.
>
> > If the only reason to think the packet is forged is the setting
> > of RD=1 then the OP has committed a reasoning error.
>
> The situation that we've encountered on a couple of occasions
> is a steady stream (several a second) of the exact same query
> with the same source address for several days. When we contact
> the owner of the source address, they state they're under DDoS
> attack and are not the source of the request. Part of the attack
> they experience is the Refused response from our DNS server.

And you are also under attack so dropping in *that* case is acceptable.
You have identified that dropping recursive queries from *that* source
will cause no harm. Your configuration has already mitigated a large
proportion of the damage by not amplifying the traffic.

Dropping rd=1 packets won't stop reflector attacks. If you are running
an authoritative server you are a potential reflector and there is
nothing you can do to prevent it being abused.

> > Also rd being set may just be the result of someone testing with
> > a tool which sets rd by default.
>
> In which case they can change the setting.

And how are they to realise that without a reply? "I'm getting no
response so maybe I need to disable recursion" is not part of the
standard diagnostic steps. Read the list and see how many times we
tell people to disable recursion when testing a delegation, and that's
with replies.

> Which is worse ... occasionally dropping a request from someone
> using a misconfigured tool / server, or participating in a larger
> DDoS attack?
>
> Granted that dropping external requests with RD=1 doesn't
> eliminate the potential for DDoS attacks, it just changes it.
>
> > One needs to be really, really careful here.
>
> Understood ... and I realize that things shouldn't be oversimplified
> (i.e. by assuming RD=1 must mean an evil request). Part of the
> purpose for this post is to start a discussion on the pros / cons.

That discussion has been done to death elsewhere.

> -- John
> [EMAIL PROTECTED]
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
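The repeating-query pattern John describes (one identical RD=1 query from one source, several times a second), as an added detection example that is not part of the original mail thread: it parses constructed BIND-style query log lines and flags only sources that repeat the same recursive query at or above a per-second threshold, so a single RD=1 query from someone testing with a tool's default flags is left alone and RD=0 queries from ordinary resolvers are never counted. The log format, addresses and threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like a BIND query log; the flag after the
# query type is "+" for RD=1 and "-" for RD=0. The 198.51.100.7 lines model
# the pattern from the thread: one identical recursive query, from one
# source, several times a second. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
03-Dec-2008 18:26:01.101 client 198.51.100.7#53 (example.net): query: example.net IN ANY + (203.0.113.1)
03-Dec-2008 18:26:01.302 client 198.51.100.7#53 (example.net): query: example.net IN ANY + (203.0.113.1)
03-Dec-2008 18:26:01.455 client 192.0.2.20#41372 (www.example.net): query: www.example.net IN A - (203.0.113.1)
03-Dec-2008 18:26:01.603 client 198.51.100.7#53 (example.net): query: example.net IN ANY + (203.0.113.1)
03-Dec-2008 18:26:01.800 client 203.0.113.9#55001 (www.example.net): query: www.example.net IN A + (203.0.113.1)
03-Dec-2008 18:26:01.905 client 198.51.100.7#53 (example.net): query: example.net IN ANY + (203.0.113.1)
03-Dec-2008 18:26:02.110 client 198.51.100.7#53 (example.net): query: example.net IN ANY + (203.0.113.1)
03-Dec-2008 18:26:02.420 client 198.51.100.7#53 (example.net): query: example.net IN ANY + (203.0.113.1)
03-Dec-2008 18:26:02.730 client 198.51.100.7#53 (example.net): query: example.net IN ANY + (203.0.113.1)
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d)\.\d+ client (?P<src>[^#\s]+)#\d+ "
    r"\(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<rd>[+-])"
)

def parse_queries(log_text):
    """Yield (second, source, qname, qtype, rd_set) per parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["date"] + " " + m["time"], m["src"],
                   m["qname"].lower(), m["qtype"].upper(), m["rd"] == "+")

def suspect_sources(log_text, per_second_threshold=3):
    """Sources that repeat one identical RD=1 query at least
    per_second_threshold times inside a single second. A lone RD=1 query
    (a tester using dig's defaults) never reaches the threshold, and RD=0
    queries from ordinary resolvers are not counted at all."""
    counts = defaultdict(int)  # (second, src, qname, qtype) -> hits
    for second, src, qname, qtype, rd in parse_queries(log_text):
        if rd:
            counts[(second, src, qname, qtype)] += 1
    suspects = {}
    for (second, src, qname, qtype), n in counts.items():
        if n >= per_second_threshold and n > suspects.get(src, {}).get("peak_per_second", 0):
            suspects[src] = {"qname": qname, "qtype": qtype, "peak_per_second": n}
    return suspects

if __name__ == "__main__":
    for src, info in suspect_sources(SAMPLE_LOG).items():
        print(src, info)
```

A flagged source is a candidate for the per-source drop Mark describes as acceptable, not proof of forgery on its own; the source address is usually the victim being reflected at.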