Re: about DNS RRL
On 10/17/2012 09:17 AM, pangj wrote: I have read the document of redbarn RRL for BIND and this NSD RRL: https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/ I have a question that, since the DDoS to DNS are coming from spoofed IPs. But RRL is working based on source IP. So how can it stop the real life attack? It doesn't stop it (indeed, can't). It mitigates the impact. The DDoS tend to come from a fixed set of spoofed source at any one time. RRL helps, in that it: 1. punts early in the path, lowering resolver CPU use, and 2. returns a minimal response, which prevents amplification. Remember the DDoS is actually directed at the spoofed source, not the DNS server. The DNS server is merely an unwilling participant. RRL helps prevent that participation. There is, as I understand it, some spotty evidence that the attackers will move to a different server if RRL seems to be in use. How this happens I don't know - maybe they probe with real IPs? - but I've heard others emphatically claim this is not the case, and attackers will continue to blindly flail at you until the attacking node goes down. The only solution to these kinds of attacks is for providers to implement BCP 38, and for upstream providers to start de-peering providers who don't. I rate this about as likely as... a very unlikely thing. S/RTBH can help the DNS provider, if they're being overwhelmed and their upstream supports it. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: about DNS RRL
In article mailman.424.1350461867.11945.bind-us...@lists.isc.org, pangj pa...@riseup.net wrote: I have read the document of redbarn RRL for BIND and this NSD RRL: https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/ I have a question that, since the DDoS to DNS are coming from spoofed IPs. But RRL is working based on source IP. So how can it stop the real life attack? You're thinking that the rate limit is intended to protect YOUR server. It's actually to prevent your server from being used as a reflector to attack some OTHER server. The spoofed addresses all point to that server. -- Barry Margolin Arlington, MA ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: about DNS RRL
In article mailman.424.1350461867.11945.bind-us...@lists.isc.org, pangj pa...@riseup.net wrote: I have read the document of redbarn RRL for BIND and this NSD RRL: https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/ I have a question that, since the DDoS to DNS are coming from spoofed IPs. But RRL is working based on source IP. So how can it stop the real life attack? You're thinking that the rate limit is intended to protect YOUR server. It's actually to prevent your server from being used as a reflector to attack some OTHER server. The spoofed addresses all point to that server. Sorry I just can't understand that why my server is being used to attack other's servers? ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: about DNS RRL
You're thinking that the rate limit is intended to protect YOUR server. It's actually to prevent your server from being used as a reflector to attack some OTHER server. The spoofed addresses all point to that server. Sorry I just can't understand that why my server is being used to attack other's servers? People (bad people) spoof a query source (the victims address) and fire a query at your server. If your server allows queries from the Internet (etc), then it will reply to the victim. Generally speaking, the query is smaller than the reply, so the attacker uses your server to amplify the attack, which is why this is a DNS amplification attack. If you do this at 50qps from 10,000 botnet servers, you can generate a lot of traffic very easily, for a very small investment. This attack relies on open resolvers on the internet, so if you don't need your DNS server to be queried by the entire internet, throw an ACL in front of it/on it and limit who can talk to you. Because I like pictures, here's a simple one to show what I'm getting at: http://infosecurity.jp/wp-content/uploads/2011/02/113.jpg Hope that helps. t. - This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
