On Tue, 3 Feb 2009, Mark Andrews wrote:


In message <1233658532.12933.42.ca...@muccalla.uninsubria.it>, MAtteo HCE Valsasna writes:
hi all,

We run BIND 9.3.4-P1.1 on Debian GNU/Linux 4.0 (using the distribution's
package), that do both recursive queries for internal clients (with
proper allow-recursion clause) and authoritative servers for the
institution's domain.


There are reports of DDOS attacks based on DNS requests for the root
zone with spoofed source IP address:
* the attacker sends a request for the root zone with spoofed source
address to a DNS server
* the intermediate victim (DNS server) sends the reply packet -
significantly larger than the request - to the ultimate victim (the
owner of the spoofed source IP address in the request packet).
* the ultimate victim's connection is flooded

http://isc.sans.org/diary.html?storyid=5773


I verified that our servers reply when queried from a non-trusted source
address for the root zone. (And we must also notice that the
"non-trusted source address" argument is pretty pointless when dealing
with spoofed source addresses: if a query with a spoofed internal source
address could reach the server, the server would just DDOS an internal
machine. But we do discard inbound packets with internal source IP
addresses on the network border.)

The first answer to this threat would be to disallow queries for the
root zone for any client (the root zone is used only by the server
itself, right?).

* Do you think there is any reason NOT to do this?

* Do you know a simple way to do this?

        the trivial solution of adding an allow-query clause to the root
        zone definition is refused by the server, as hint type zones
        cannot have an allow-query clause - see
        https://lists.isc.org/pipermail/bind-users/2006-January/061077.html

        there is possibly a way to do this using views, but...
        anything simpler?

        acl recursive-clients { 192.0.2.0/24; };   // example ACL; list your internal client ranges here

        options {
                allow-query { recursive-clients; };      // default: only internal clients may query at all
                allow-recursion { recursive-clients; };
        };

        zone "example.org" {                  // each authoritative zone overrides the default
                type master;                  // or slave
                ...
                allow-query { any; };         // authoritative data stays world-readable
        };

        Or upgrade to BIND 9.4 or later and use allow-query-cache;
        BIND 9.3 is past end-of-life.

        Mark

best regards and thanks for any answer


MAtteo Valsasna

Using allow-query to deny some queries still takes time and resources from your server as it then sends a "denied" message back to the query source. As the source is spoofed it then contributes in a small way to the DDoS attack. I think it is better to just drop the queries on your firewall. I found this entry for iptables on the list a while back and it works well and drops around a thousand queries a day.

iptables -A INPUT -i $LOCALIF -j DROP -p udp --dport domain -m u32 --u32 "0>>22&0...@12>>16=1&&0>>22&0...@20>>24=0&&0>>22&0...@21=0x00020001"



--
David Forrest St. Louis, Missouri
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
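The u32 expression above tests, inside the DNS payload, that QDCOUNT is 1, that the first QNAME byte is 0 (the root name "."), and that QTYPE is NS and QCLASS is IN. As an added example that is not from the thread, here is the same test written in Python over a raw DNS message (the UDP payload, which the iptables rule reaches by reading the IP header length); `parse_question` and `build_query` are assumed helper names, and the packets are constructed samples, not captured traffic.

```python
import struct

# DNS header: ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2); question follows at offset 12
QTYPE_NS = 2
QCLASS_IN = 1

def parse_question(payload: bytes):
    """Return (qdcount, qname, qtype, qclass) of the first question, or None if malformed."""
    if len(payload) < 17:                  # shortest possible query: header + "." + type + class
        return None
    qdcount = struct.unpack_from("!H", payload, 4)[0]
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:                    # end of name; an empty name is the root "."
            break
        if length & 0xC0 or pos + length > len(payload):   # compression pointer or truncated label
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack_from("!HH", payload, pos)
    qname = ".".join(labels) + "." if labels else "."
    return qdcount, qname, qtype, qclass

def is_root_ns_query(payload: bytes) -> bool:
    """The u32 rule's conditions: exactly one question, QNAME '.', QTYPE NS, QCLASS IN."""
    q = parse_question(payload)
    return q is not None and q[0] == 1 and q[1] == "." and q[2] == QTYPE_NS and q[3] == QCLASS_IN

def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (constructed sample input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split(".") if l) + b"\x00"
    return header + name + struct.pack("!HH", qtype, QCLASS_IN)

# constructed samples: the reflection query the rule drops, and ordinary queries it must let through
ROOT_NS = build_query(".", QTYPE_NS)
ROOT_A = build_query(".", 1)
NORMAL_A = build_query("www.example.com", 1)
```

Note that, like the u32 rule, this only recognises the bare "." NS query; it says nothing about other large-answer query types, which is why Mark's allow-query / allow-query-cache approach is the more general fix.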
