Hi! On 08/01/2024 23:08, Klaus Darilion wrote:
> > This is unfortunately a common issue indeed these days. It is possible to use dnsdist to detect and mitigate these attacks to a certain extent, using the StatNode API along with DynBlockRulesGroup:setSuffixMatchRule [1] or the FFI equivalent for better performance. It requires writing a bit of Lua code and some tuning on top of dnsdist, but all the building blocks are there already. We have implemented this for several customers and they are happy with the results.
>
> How does this work in detail? Does your implementation block only the queries for <random>.example.com or also "normal" queries like www.example.com or example.com MX? Or do you explicitly allow common subdomains before blocking everything else?
It really depends on the actual implementation in Lua. Currently when DynBlockRulesGroup:setSuffixMatchRule() is used it will insert a dynamic block for the suffix that is detected as being attacked, which will indeed apply to "normal" queries like www.example.com or example.com MX as well, although it's possible to allow-list specific suffixes, or to prevent blocking suffixes with not enough labels, for example. We will be implementing the ability to instead route the detected suffix to a different pool soon, as suggested by Jacob in [1].
> Blocking all queries to the attacked domain prevents collateral damage, but causes a DoS to the attacked domain and makes the customer of the attacked domain unhappy.
I fully agree, and we are working on having smarter mitigations in dnsdist to only drop/truncate/route to a different pool the queries that are very likely to be part of a PRSD/enumeration attack. Of course it's easier when the backend can handle the load, which is one of the reasons why the LMDB backend has been implemented, along with lightningstream :)
[1]: https://github.com/PowerDNS/pdns/issues/13374

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
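For readers who want to see what the "bit of Lua code" Remi refers to looks like, the following is an added illustration of the approach, not code from this thread, from PowerDNS, or from any customer deployment. It builds a suffix-match dynamic block with DynBlockRulesGroup:setSuffixMatchRule() and a StatNode visitor, allow-lists a few zones as Remi says is possible, and refuses to block suffixes with too few labels. The zone names, thresholds, window and block duration are assumptions to be tuned; the API calls are used as described in the dnsdist documentation and should be checked against the dnsdist version actually deployed.

```lua
-- Added example (not from the thread or from dnsdist itself): detect a
-- PRSD / random-subdomain flood per suffix and insert a dynamic block for
-- that suffix. Everything marked "assumed" is a placeholder to tune.

local dbr = dynBlockRulesGroup()

-- Allow-list: zones that must never be dynamically blocked, whatever the
-- traffic looks like (assumed names; use the zones whose customers you
-- cannot afford to cut off).
dbr:excludeDomains({"bank.example.", "important.example."})

-- Assumed tunables.
local minQueries = 10000  -- queries under the suffix in the look-back window
local nxRatio    = 0.80   -- share of those answered NXDOMAIN
local minLabels  = 2      -- never block the root or a bare TLD such as "com."

-- Visitor: called for every node of the statistics tree built from the ring
-- buffers. 'self' carries the counters for queries to this exact name,
-- 'children' the aggregated counters for every name below it. A random
-- subdomain flood shows up as a large 'children' query count that is almost
-- entirely NXDOMAIN, while the suffix node itself stays quiet.
local function prsdVisitor(node, self, children)
  if node.labelsCount < minLabels then
    return false
  end

  local queries = children.queries
  if queries < minQueries then
    return false           -- not enough traffic to judge; also avoids /0 below
  end

  if (children.nxdomains / queries) >= nxRatio then
    -- Returning true tells dnsdist to block node.fullname using the reason,
    -- duration and action given to setSuffixMatchRule() below.
    return true
  end
  return false
end

-- Look back over the last 60 seconds of the ring buffers; block a detected
-- suffix for 120 seconds; drop matching queries (Truncate is the gentler
-- alternative if you would rather force legitimate clients over to TCP).
dbr:setSuffixMatchRule(60, "PRSD flood on suffix", 120, DNSAction.Drop, prsdVisitor)

-- dnsdist calls maintenance() roughly once per second; the dynamic block
-- rules are only evaluated when apply() runs.
function maintenance()
  dbr:apply()
end
```

Note that this still has exactly the drawback Klaus points out: once the suffix is blocked, www.example.com and the MX lookup for example.com are blocked too, since the dynamic block matches the whole suffix. The allow-list and the label-count check only limit which suffixes can be blocked; they do not separate good queries from bad ones within an attacked zone. Routing the detected suffix to a dedicated pool instead of dropping it, as discussed in [1], is the way to keep the zone answering while protecting the primary backends.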
_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist