On 29.10.2012 11:13, Dobbins, Roland wrote:
> On Oct 29, 2012, at 4:28 PM, Klaus Darilion wrote:
>> We apply iptables based rate-limiting on ANY queries with RD bit set.
> The problem with fronting your DNS servers with a stateful firewall is that it
> makes it susceptible to trivial state-exhaustion attacks. This is not a good
> idea.
It depends on the implementation of the firewall. For example, most
iptables modules which save state have a limited number of resources
to keep state. If the max. number of entries is reached, it usually
deletes an old one. So, the result may not be perfect, but it is better
than no rules at all.
And as I said, it is not a general solution but works fine for us.
Sometimes it is simpler to wait and watch what the attackers do, and if
the attacks are getting too noisy, do something effective against it.
Thinking of all possible scenarios that an attacker could do and then
finding a solution which handles all of these scenarios is sometimes
not worth the effort, especially as we see amplification attacks not as
a real serious problem for our name servers, but just annoying.
regards
Klaus
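The exchange above turns on two things: recognising an ANY query with the RD bit set in the wire format, and keeping the per-source state bounded so the filter itself cannot be exhausted. The following is an added example, not code from the thread or from iptables, showing both in Python: a classifier over the DNS header and question section, and a fixed-size per-source counter that evicts the oldest entry when full, which is the behaviour Klaus describes. The packet builder, addresses and limits are constructed for the example.

```python
import struct
from collections import OrderedDict

QTYPE_ANY = 255
RD_FLAG = 0x0100   # Recursion Desired bit in the DNS header flags word
QR_FLAG = 0x8000   # set on responses, clear on queries


def is_any_query_with_rd(payload: bytes) -> bool:
    """True if the UDP payload is a DNS query for QTYPE ANY with RD set."""
    if len(payload) < 12:
        return False
    _, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & QR_FLAG or not flags & RD_FLAG or qdcount < 1:
        return False                      # response, RD clear, or no question
    pos = 12
    while pos < len(payload):             # walk the QNAME labels
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:                 # compression pointer: invalid here
            return False
        pos += 1 + length
    else:
        return False                      # ran off the end without a root label
    if pos + 4 > len(payload):
        return False
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return qtype == QTYPE_ANY


class BoundedRateLimiter:
    """Per-source counter with a fixed number of slots; when the table is
    full the oldest source is evicted, so spoofed sources cannot grow it."""

    def __init__(self, max_entries: int, limit: int):
        self.max_entries, self.limit = max_entries, limit
        self.table = OrderedDict()        # src -> count; insertion order = age

    def allow(self, src: str) -> bool:
        count = self.table.pop(src, 0) + 1
        if len(self.table) >= self.max_entries:
            self.table.popitem(last=False)  # evict the oldest entry
        self.table[src] = count
        return count <= self.limit


def build_query(name: str, qtype: int, rd: bool = True) -> bytes:
    """Constructed test packet: minimal DNS query for `name` with the given QTYPE."""
    flags = RD_FLAG if rd else 0
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)
```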
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs