* Steven Chamberlain <[email protected]> [2011-12-08 16:31]:
> On 08/12/11 12:01, Sebastien Maerker, Continum wrote:
> > Another idea from us is:
> > Is it possible to run a ruleset for port 53 udp/tcp and in/out completely
> > stateless?
> I agree it seems strange to keep state for the 'stateless' DNS UDP
> protocol. I would be concerned at how easily an attacker could exhaust
> the state table by making many queries from randomised source ports and
> potentially many IPs (a large botnet, or spoofed).

pf has all the bells and whistles to prevent state table exhaustion attacks. use them.

> If -- worst case -- someone were able to saturate a 1Gbps link with
> small DNS queries, say 96 bytes each with the Ethernet overheads
> included, that's about 1.3m pps. With a 10 second expiry, a state table
> of 2^24 = 16777216 entries would still cover it. It should still be
> very fast, needing at most 24 matches to locate an entry, but I guess it
> would require a lot of memory. (I also wonder if keeping state for IPv6
> requires more memory still -- and limiting the max. number of states per
> address would be impractical for IPv6).

the state is always the same size, regardless of the protocol (at least now). stateless matching is WAY slower than stateful.

-- 
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
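The pf.conf fragment below is an added illustration of the state-limiting knobs the reply refers to, not a configuration from anyone in this thread. The interface name, the server address and every numeric limit are assumptions chosen for the example; they must be sized to the real link and the memory the host can spend on states. It shows a stateful DNS rule with a global state ceiling, adaptive timeouts and per-source tracking, beside the stateless alternative that was asked about.

```pf
# Added example (not from the thread): keeping a DNS flood from filling
# the pf state table. $ext_if, $dns_srv and all numbers are assumptions.
ext_if  = "em0"
dns_srv = "192.0.2.53"          # constructed example address

# Hard ceiling on state entries: a flood fails closed instead of
# consuming all kernel memory.
set limit states 500000

# Adaptive timeouts: once the table holds more than adaptive.start
# entries, pf scales every timeout down linearly, reaching zero at
# adaptive.end, so idle entries expire fastest when the table is under
# the most pressure.
set timeout { adaptive.start 300000, adaptive.end 500000 }

# Short UDP timeouts fit a one-request/one-response protocol like DNS.
set timeout { udp.first 30, udp.single 15, udp.multiple 30 }

# Stateful rule with per-source limits. source-track creates a node per
# source address, max-src-states caps states per node and max-src-nodes
# caps the number of tracked sources. This contains a few abusive
# sources; it does little against a widely spoofed flood, where the
# global limit and adaptive timeouts do the work.
pass in on $ext_if inet proto udp to $dns_srv port 53 \
    keep state (max 200000, source-track rule, max-src-nodes 50000, max-src-states 50)

# Stateless alternative for the same traffic: no state entry is ever
# created, so exhaustion is impossible, but every packet in both
# directions is matched against the full ruleset and the replies must
# be allowed explicitly.
# pass in  on $ext_if inet proto udp to   $dns_srv port 53 no state
# pass out on $ext_if inet proto udp from $dns_srv port 53 no state
```

The stateful rule is the one pf is fast at, since an existing state is found by table lookup rather than a linear ruleset walk; the commented stateless pair is the trade described in the reply, no state to exhaust in exchange for slower matching.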
