Bug#741674: Include DNS Dampening to mitigate effects of DDoS using DNS Amplification

2014-03-19 Thread Florian Weimer
* Benny Baumann:

> The attached patch ports the original patch by Lutz Donnerhacke to
> apply on the latest package version from Git.
>
> Please include in Debian and convince upstream to follow if
> possible. TIA.

I don't think it's a good idea to have this as a local patch.

In any case, isn't the real problem that packets with a spoofed source
address can reach your name server?





Bug#741674: Include DNS Dampening to mitigate effects of DDoS using DNS Amplification

2014-03-19 Thread Benny Baumann
Hi,

Am 19.03.2014 20:43, schrieb Florian Weimer:
> * Benny Baumann:
>
>> The attached patch ports the original patch by Lutz Donnerhacke to
>> apply on the latest package version from Git.
>>
>> Please include in Debian and convince upstream to follow if
>> possible. TIA.
> I don't think it's a good idea to have this as a local patch.
Having this patch locally in Debian is still better than not having it
at all. That's why I in particular also asked to convince upstream to
include this patch. Thus if you could do me this favour. ;-)
> In any case, isn't the real problem that packets with a spoofed source
> address can reach your name server?
Nope. Not any less with any other UDP-based protocol. The problem with
DNS amplification is that there are enough situations where you simply
can't guarantee that the origin address of a packet is legit. Even on a
local LAN I could easily abuse the features of DNS to DoS any host.

So the actual problem is that the server keeps responding even if it can
be easily detected that - given common sense in reasoning - a legit
client would never ask 10k times for the same domain within one second.
And that's exactly what this patch mitigates: By keeping track of a
kudos counter per client/subnet (depending on configuration) the server
can detect mal-performing clients and stop responding until the ill
behaviour has stopped.

More details (in German, but Google is your friend) can be found at
- https://lutz.donnerhacke.de/Blog/DNS-Dampening
- https://lutz.donnerhacke.de/Blog/DNS-Dampening-unter-der-Lupe
- https://lutz.donnerhacke.de/Blog/Dampening-oder-RRL-Was-hilft
- https://lutz.donnerhacke.de/Blog/DNS-Dampening-in-aktuellen-BINDs

And before complaining about German-only links - here are some English
papers telling the exact same story:
- http://www.nlnetlabs.nl/downloads/publications/report-rrl-dekoning-rozekrans.pdf

The patch is maintained by Wilfried Klaebe and me at
- https://github.com/wklaebe/bind9

And before you ask: Given the comparison of RRL (which upstream Bind
has) and DNS Dampening (which is added by this patch) I see nearly NO
effect using RRL on various typical attacks while DNS Dampening kills
most attacks within the first few packets. The Internet is inherently
untrustworthy with regard to who is sending you packets.

Thus securing the internet is not only about keeping your box safe, but
also about protecting the boxes of others from the behaviour of your
box. And THIS patch is doing exactly this.

Kind regards,
Benny Baumann
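To make the mechanism described in the message above concrete (a penalty counter kept per client address or per subnet, answers suppressed once it crosses a limit, resumed once it has decayed), here is a simplified model written for this thread. It is not code from the Debian patch, from Lutz Donnerhacke's original, or from the wklaebe/bind9 repository; the class and parameter names (`DampeningPolicy`, `limit`, `reactivate`, `halflife`, `points_per_query`, `points_per_byte`, `prefix_v4`) and the decay formula are assumptions chosen for illustration, and the client addresses and query sizes are constructed test data.

```python
# Added example: simplified model of per-client/per-subnet "DNS dampening".
# Not the patch's code; all names, thresholds and the decay rule are assumptions.
from dataclasses import dataclass
import ipaddress


@dataclass
class DampeningPolicy:
    limit: float = 10_000.0      # penalty at which the server stops answering
    reactivate: float = 5_000.0  # penalty below which answering resumes (hysteresis)
    halflife: float = 60.0       # seconds for an idle client's penalty to halve
    points_per_query: float = 100.0
    points_per_byte: float = 1.0  # larger answers (more amplification) cost more
    prefix_v4: int = 24           # aggregate IPv4 clients per /24; 32 = per host
    prefix_v6: int = 64


class Dampener:
    """Tracks a decaying penalty per client key and decides whether to answer."""

    def __init__(self, policy: DampeningPolicy):
        self.policy = policy
        self.state = {}  # key -> (penalty, last_update_time, suppressed)

    def _key(self, client: str) -> str:
        # Clients are grouped by subnet so a spoofed range is treated as one source.
        addr = ipaddress.ip_address(client)
        prefix = self.policy.prefix_v4 if addr.version == 4 else self.policy.prefix_v6
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def should_answer(self, client: str, response_bytes: int, now: float) -> bool:
        key = self._key(client)
        penalty, last, suppressed = self.state.get(key, (0.0, now, False))
        # Exponential decay: an idle client's penalty halves every `halflife` seconds.
        penalty *= 0.5 ** ((now - last) / self.policy.halflife)
        # Every query costs points; the cost grows with the size of the answer it
        # would trigger, so amplification-friendly queries are penalised hardest.
        penalty += self.policy.points_per_query + self.policy.points_per_byte * response_bytes
        if suppressed and penalty < self.policy.reactivate:
            suppressed = False          # behaviour stopped long enough: answer again
        elif not suppressed and penalty >= self.policy.limit:
            suppressed = True           # misbehaving: stop answering this source
        self.state[key] = (penalty, now, suppressed)
        return not suppressed


def simulate(dampener: Dampener, queries):
    """queries: iterable of (time, client_ip, response_bytes).
    Returns (answered, dropped) counts."""
    answered = dropped = 0
    for now, client, size in queries:
        if dampener.should_answer(client, size, now):
            answered += 1
        else:
            dropped += 1
    return answered, dropped


if __name__ == "__main__":
    # Constructed data: a burst of 50 large-answer queries from one address,
    # then a single query from a neighbour in the same /24.
    d = Dampener(DampeningPolicy())
    print("flood:", simulate(d, [(0.0, "192.0.2.7", 3000)] * 50))
    print("neighbour in same /24 answered:", d.should_answer("192.0.2.200", 100, 0.0))
    print("flooder after 10 half-lives:", d.should_answer("192.0.2.7", 3000, 600.0))
```

Two properties worth noticing: suppression keys on the source address the server would reply to, which is what separates this scheme from RRL (which keys on the response tuple), and the subnet aggregation is a deliberate trade-off: with `prefix_v4=24` a well-behaved host in the same /24 as a flooded address is also silenced until the penalty decays, while `prefix_v4=32` isolates hosts at the cost of letting an attacker spread queries across a range.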



