On May 15, 2013, at 5:09 PM, Matthäus Wander <[email protected]> wrote:
> * Vernon Schryver [2013-05-15 21:40]:
>>> From: Jared Mauch <[email protected]>
>>> This is a crude but effective hack. It doesn't stop the system from
>>> recursing to find the response.
>>
>> I can understand simplistic DNS reflection mitigation in firewalls,
>> especially when response rate limiting is not available in the DNS
>> server implementation or when local policies forbid the use of patches.
>> I don't understand why one would use a patch like that with its
>> limitations and drawbacks (e.g. usable only on recent versions of
>> BIND9, affects only ANY, affects all ANY, doesn't limit the flood of
>> reflected truncated responses during attacks, no whitelisting for local
>> clients, not view-specific) instead of the full blown RRL patch for
>> 9.9.3rc2, 9.9.2, 9.9.2-P1, 9.9.2-P2, 9.8.4-P2, 9.8.4-P1, or 9.8.5rc2.
>>
>> By the way, why use "qtype == 255" instead of "qtype == dns_rdatatype_any" ?
>>
>> Why #define TCP_CLIENT() and use the macro exactly once instead of
>> something like
>>     if (qtype == dns_rdatatype_any &&
>>         (client->attributes & NS_CLIENTATTR_TCP) != 0) {
>> If TCP_CLIENT() is used in query.c, then its definition should be moved
>> from client.c to bin/named/include/named/client.h and the several uses
>> of "client->attributes & NS_CLIENTATTR_TCP" in query.c replaced with
>> TCP_CLIENT(). It's bad form to define macros (or much of anything)
>> more than once, because you can be sure that eventually the definitions
>> will differ.
>
> I think the keyword here is "hack". I wouldn't invest too much time in
> an analysis.

Thanks :)

Yes, the idea here is that most of this attack traffic is of type=ANY. If I invested more than 30 minutes, I could put in configuration directives around this as well, making it an option to set.

What I have noticed in the past is that someone better than myself has usually reimplemented these patches to make things better. (e.g.: FreeBSD raw socket in jail patch)

(For Vernon's knowledge, I thought TCP_CLIENT wasn't limited to just that one .c file, so when it failed to compile I lazily stole that line of code and put it immediately before it, hence its poor location as well.)

I've cleaned up the patch (it should be == 0 now btw, the above code correction is wrong).

If others want, I can look at putting in a config directive. It would be possible to add other RRtypes easily enough that should get TCP only that are not commonly used.

- Jared

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
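Added example, not Jared's patch and not BIND code: a small Python model of what the "ANY over TCP only" hack does at the wire level. A restricted qtype (ANY here; the TCP_ONLY_TYPES set is a hypothetical stand-in for the config directive discussed above, and the "other RRtypes" Jared mentions would simply be added to it) arriving over UDP gets an empty NOERROR reply with TC=1 and the question echoed back, so a real resolver retries over TCP, while a spoofed-source UDP flood only reflects a reply no larger than the query. Every other query returns None, meaning the server would carry on with normal resolution. The sample queries are constructed inline.

```python
"""Model of the 'ANY over TCP only' mitigation from the thread above.
Added example; not BIND's query.c and not the patch being discussed."""
import struct

QTYPE_ANY = 255      # what BIND spells dns_rdatatype_any
QTYPE_A = 1
QTYPE_TXT = 16
FLAG_QR = 0x8000     # message is a response
FLAG_TC = 0x0200     # truncated: client should retry over TCP
FLAG_RD = 0x0100     # recursion desired (copied back from the query)

# Hypothetical policy knob standing in for the config directive the
# thread talks about: types that are only answered over TCP.
TCP_ONLY_TYPES = frozenset({QTYPE_ANY})


def encode_name(name):
    """Encode 'example.com.' as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, qid=0x1234, rd=True):
    """Build a one-question query message (constructed test input)."""
    header = struct.pack("!6H", qid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Parse the header and the single question section.
    Returns (id, flags, qname, qtype, qclass, offset past the question)."""
    if len(msg) < 12:
        raise ValueError("short header")
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if off + n > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return qid, flags, ".".join(labels) + ".", qtype, qclass, off + 4


def should_force_tcp(qtype, is_tcp, tcp_only=TCP_ONLY_TYPES):
    """The hack's single test: a restricted qtype that did NOT arrive
    over TCP (the '== 0' on the TCP attribute in the patch discussion)."""
    return qtype in tcp_only and not is_tcp


def handle_query(msg, is_tcp, tcp_only=TCP_ONLY_TYPES):
    """Return a TC=1 reply for restricted UDP queries, or None to mean
    'fall through to normal processing' (the server would then resolve)."""
    qid, flags, _name, qtype, _cls, qend = parse_question(msg)
    if not should_force_tcp(qtype, is_tcp, tcp_only):
        return None
    # NOERROR, no answer records, question echoed back, TC set.
    rflags = FLAG_QR | FLAG_TC | (flags & FLAG_RD)
    header = struct.pack("!6H", qid, rflags, 1, 0, 0, 0)
    return header + msg[12:qend]


if __name__ == "__main__":
    q = build_query("example.com.", QTYPE_ANY)
    print("UDP ANY ->", len(handle_query(q, is_tcp=False)), "byte TC reply")
    print("TCP ANY ->", handle_query(q, is_tcp=True))
    print("UDP A   ->", handle_query(build_query("example.com.", QTYPE_A), False))
```

Note the limitation Vernon raises: the truncated reply is still sent to the (possibly spoofed) source, so this only shrinks the reflected packet, it does not rate-limit it the way RRL does; and it says nothing about what the server does once the client comes back over TCP.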
