Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-31 Thread Jarry

On 31-Mar-13 4:08, Paul Hartman wrote:


Coincidentally, yesterday US-CERT published a small article about DNS
amplification attacks and mitigation strategies:

http://www.us-cert.gov/ncas/alerts/TA13-088A


Thanks for the interesting link. I did not know BIND has support
for response rate-limiting...

Jarry
--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-31 Thread Norman Rieß
Am 31.03.2013 04:08, schrieb Paul Hartman:
 On Thu, Mar 28, 2013 at 3:51 AM, Norman Rieß nor...@smash-net.org wrote:
 Hello,

 I am using pdns recursor to provide a DNS server which should be usable
 for everybody. The problem is that the server seems to be used in DNS
 amplification attacks.
 I googled around on how to prevent this but did not really find
 something useful.

 Does anyone have an idea about this?
 
 Coincidentally, yesterday US-CERT published a small article about DNS
 amplification attacks and mitigation strategies:
 
 http://www.us-cert.gov/ncas/alerts/TA13-088A
 

Thanks a lot!



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-30 Thread Norman Rieß

Am 29.03.2013 um 23:34 schrieb Paul Hartman paul.hartman+gen...@gmail.com:

 On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey
 pe...@humphrey.ukfsn.org wrote:
 On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:
 
 In my case, my ISP's DNS servers are slow (several seconds to reply),
 fail randomly when they should resolve, return an IP (which goes to
 their ad-laden helper website if you are using a web browser) when
 they should instead return nxdomain, and they have openly admitted to
 selling customer DNS lookup history to marketers for targeted
 advertising.
 
 
 
 That is just evil. Have you no alternative to this ISP?
 
 Not really.
 
 I have a 100 megabit connection through the cable company; my only
 wired alternative is DSL (1.5 mbit for almost half the price I'm
 paying for 100mbit). Cellular or satellite are not viable options for
 me because of comparatively poor value, latency and minuscule data
 usage caps.

 […]
 
 It is no longer legal for local governments to award monopolies, but
 the damage has been done. What we have is essentially the cable TV
 infrastructure that was laid out during the decade when local cable
 monopolies were legal, and the cost of entry for a new player into the
 market now is so high that nobody ever bothers. End result for
 consumers is a lack of choice. There are some places where competition
 exists, but those places are pretty rare, in my experience.
 
 There are some other possible alternatives to cable internet and DSL,
 such as municipal wifi, mesh networks, powerline and FTTx, but none
 are available where I live.
 
 The service I receive from the cable company here is actually
 excellent, with the exception of the aforementioned DNS woes.
 
 Pretty much every major ISP in the US does DNS-hijacking and other
 shenanigans, so there's no avoiding the evilness. I believe the board
 members of major cable and telecom companies would sell their own
 mothers into slavery if it meant a rise in share prices or a larger
 bonus at the end of the year...
 

That is pretty much the same as what happened in Germany. The telephone network 
was built by the German postal service in the past and was run by the 
government. As we all know, everything works better and cheaper when things are 
privatized, so the Deutsche Telekom was created and with it a semi-monopoly 
overnight.
Regions not dense enough are not part of the development plans of any of the 
companies. So if you are lucky like me, you are stuck with 16 Mbit DSL provided 
by one company and rented by another company. If people start to build their own 
network or a competitor reaches for a specific underdeveloped region, this 
region gets an upgrade, like to 3 Mbit DSL or something like that, so the 
competitors draw off.
If you are really lucky you live in a region which is really dense or a cable 
company provides you with internet, so you get 100 Mbit. But this is only a 
fraction of all people.
If the government is confronted with this they say the market will regulate 
that, which it does not. And if voices get too loud, they tell the companies to 
develop the underdeveloped regions, they shake hands on TV and nothing happens.
And as Paul said, most ISPs do DNS hijacking and the like, which breaks things 
in incredibly unexpected ways.

So when I wrote this post to the mailing list and got answers like "unnecessary 
crap" and "why make it available for everyone", I thought these to be answers of 
some weirdos which should be ignored.
Here you do not trust your ISP… you use the ISP which sucks less or the only 
one that gives you any internet at all.
If you reach a certain level of knowledge, you change your DNS settings to free 
DNS servers and if you run a resolver you do it for the other poor souls as 
well.
There are lists of unfiltered DNS servers 
(http://www.ungefiltert-surfen.de/nameserver/de.html), which are checked 
regularly whether they provide unfiltered answers and the like.
And there are howtos for the average user on how to change the DNS settings and 
to avoid your ISP's DNS servers.

Regards
Norman





Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-30 Thread Rene Rasmussen
On Sat, 30 Mar 2013 13:06:16 +0100
Norman Rieß nor...@smash-net.org wrote:

 
 Am 29.03.2013 um 23:34 schrieb Paul Hartman
 paul.hartman+gen...@gmail.com:
 
  On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey
  pe...@humphrey.ukfsn.org wrote:
  On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:
  
  In my case, my ISP's DNS servers are slow (several seconds to
  reply), fail randomly when they should resolve, return an IP
  (which goes to their ad-laden helper website if you are using a
  web browser) when they should instead return nxdomain, and they
  have openly admitted to selling customer DNS lookup history to
  marketers for targeted advertising.
  
  
  
  That is just evil. Have you no alternative to this ISP?
  
  Not really.
  
  I have a 100 megabit connection through the cable company; my only
  wired alternative is DSL (1.5 mbit for almost half the price I'm
  paying for 100mbit). Cellular or satellite are not viable options
  for me because of comparatively poor value, latency and minuscule
  data usage caps.
 
  […]
  
  It is no longer legal for local governments to award monopolies, but
  the damage has been done. What we have is essentially the cable TV
  infrastructure that was laid out during the decade when local cable
  monopolies were legal, and the cost of entry for a new player into
  the market now is so high that nobody ever bothers. End result for
  consumers is a lack of choice. There are some places where
  competition exists, but those places are pretty rare, in my
  experience.
  
  There are some other possible alternatives to cable internet and
  DSL, such as municipal wifi, mesh networks, powerline and FTTx, but
  none are available where I live.
  
  The service I receive from the cable company here is actually
  excellent, with the exception of the aforementioned DNS woes.
  
  Pretty much every major ISP in the US does DNS-hijacking and other
  shenanigans, so there's no avoiding the evilness. I believe the
  board members of major cable and telecom companies would sell their
  own mothers into slavery if it meant a rise in share prices or a
  larger bonus at the end of the year...
  
 
 That is pretty much the same as what happened in Germany. The
 telephone network was built by the German postal service in the past
 and was run by the government. As we all know, everything works better
 and cheaper when things are privatized, so the Deutsche Telekom was
 created and with it a semi-monopoly overnight. Regions not dense
 enough are not part of the development plans of any of the companies.
 So if you are lucky like me, you are stuck with 16 Mbit DSL provided
 by one company and rented by another company. If people start to build
 their own network or a competitor reaches for a specific
 underdeveloped region, this region gets an upgrade, like to 3 Mbit DSL
 or something like that, so the competitors draw off. If you are really
 lucky you live in a region which is really dense or a cable company
 provides you with internet, so you get 100 Mbit. But this is only a
 fraction of all people. If the government is confronted with this
 they say the market will regulate that, which it does not. And if
 voices get too loud, they tell the companies to develop the
 underdeveloped regions, they shake hands on TV and nothing happens.
 And as Paul said, most ISPs do DNS hijacking and the like, which
 breaks things in incredibly unexpected ways.
 
 So when I wrote this post to the mailing list and got answers like
 "unnecessary crap" and "why make it available for everyone", I thought
 these to be answers of some weirdos which should be ignored. Here you
 do not trust your ISP… you use the ISP which sucks less or the only
 one that gives you any internet at all. If you reach a certain level
 of knowledge, you change your DNS settings to free DNS servers and if
 you run a resolver you do it for the other poor souls as well. There
 are lists of unfiltered DNS servers
 (http://www.ungefiltert-surfen.de/nameserver/de.html), which are
 checked regularly whether they provide unfiltered answers and the like.
 And there are howtos for the average user on how to change the DNS
 settings and to avoid your ISP's DNS servers.
 
 Regards
 Norman
 
There is also the possibility to use opendns.com
I've been using them for years, and have not had any trouble. I started
using them when my ISP decided to block some sites. And their standard
service is free :)

Best regards,
Rene



Re: [Bulk] Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-30 Thread Kevin Chadwick
On Sat, 30 Mar 2013 13:06:16 +0100
Norman Rieß nor...@smash-net.org wrote:

  As we all know everything works better and cheaper when things are
 privatized

Actually, no, it's not so simple at all.

You get incompetence in private and public, and you may be more likely
to get away with it for longer in a public service than in a market with
competition, but there are many examples where things simply get worse.

In the UK, water companies were privatised and fat cats made lots of
money letting the pipes deteriorate for future generations.

British Telecom, well, that's a mixed bag, but it is certainly a
tiny shadow of its original self.

We know ideals and theory hardly ever work, but theoretically public
should be much better when well managed.

I wonder if ISPs wouldn't be handling things like TalkTalk's
HomeSafe in such a stupid manner (across the board is where it is
stupid, even for non-users of the service), where they redirect all the
HTTP traffic through an undoubtedly insecure layer 7 handling Huawei
device, with less commercial pressures, or analysing bandwidth at layer
7 when they should be doing so more safely and completely at layers 3
and 4, leading me to believe they are not just thinking about bandwidth
usage. Why does it matter if you download 1000Gb via torrents or HTTP?
ACKs can be managed in any case.

I'm glad open source is beginning to make strides into public services,
as it should help put an end to expensive interoperability issues (if
we stay away from non-POSIX things like systemd, though even then it
shouldn't be too bad ;-)).



Re: [Bulk] Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-30 Thread Kevin Chadwick
On Sat, 30 Mar 2013 15:53:29 +0100
Rene Rasmussen gen...@paranoidix.dk wrote:

 There is also the possibility to use opendns.com
 I've been using them for years, and have not had any trouble. I
 started using them when my ISP decided to block some sites. And their
 standard service is free :)

They also support DNSCurve, but I thought that in the case of
non-existing domain lookups they do show adverts? I don't see just that as
a huge problem as long as they are not targeted though?



Re: [Bulk] Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-30 Thread Tanstaafl

On 2013-03-30 11:15 AM, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:

On Sat, 30 Mar 2013 15:53:29 +0100
Rene Rasmussen gen...@paranoidix.dk wrote:


There is also the possibility to use opendns.com
I've been using them for years, and have not had any trouble. I
started using them when my ISP decided to block some sites. And their
standard service is free :)



They also support DNSCurve, but I thought that in the case of
non-existing domain lookups they do show adverts?


This can be disabled...

The biggest problem with using them (or google dns) is if you are 
running a mail server, you cannot use spamhaus or many other DNSBLs, 
because they don't work with these free DNS services:


http://www.spamhaus.org/faq/section/DNSBL%20Usage#261



Re: [Bulk] Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-30 Thread Norman Rieß
Am 30.03.2013 16:11, schrieb Kevin Chadwick:
 On Sat, 30 Mar 2013 13:06:16 +0100
 Norman Rieß nor...@smash-net.org wrote:
 
  As we all know everything works better and cheaper when things are
 privatized
 
 Actually, no, it's not so simple at all.
 
 You get incompetence in private and public, and you may be more likely
 to get away with it for longer in a public service than in a market with
 competition, but there are many examples where things simply get worse.
 
 In the UK, water companies were privatised and fat cats made lots of
 money letting the pipes deteriorate for future generations.
 
 British Telecom, well, that's a mixed bag, but it is certainly a
 tiny shadow of its original self.
 
 We know ideals and theory hardly ever work, but theoretically public
 should be much better when well managed.
 
 I wonder if ISPs wouldn't be handling things like TalkTalk's
 HomeSafe in such a stupid manner (across the board is where it is
 stupid, even for non-users of the service), where they redirect all the
 HTTP traffic through an undoubtedly insecure layer 7 handling Huawei
 device, with less commercial pressures, or analysing bandwidth at layer
 7 when they should be doing so more safely and completely at layers 3
 and 4, leading me to believe they are not just thinking about bandwidth
 usage. Why does it matter if you download 1000Gb via torrents or HTTP?
 ACKs can be managed in any case.
 
 I'm glad open source is beginning to make strides into public services,
 as it should help put an end to expensive interoperability issues (if
 we stay away from non-POSIX things like systemd, though even then it
 shouldn't be too bad ;-)).
 

I think you did not spot the sarcasm in what I said :-).



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-30 Thread Paul Hartman
On Thu, Mar 28, 2013 at 3:51 AM, Norman Rieß nor...@smash-net.org wrote:
 Hello,

 I am using pdns recursor to provide a DNS server which should be usable
 for everybody. The problem is that the server seems to be used in DNS
 amplification attacks.
 I googled around on how to prevent this but did not really find
 something useful.

 Does anyone have an idea about this?

Coincidentally, yesterday US-CERT published a small article about DNS
amplification attacks and mitigation strategies:

http://www.us-cert.gov/ncas/alerts/TA13-088A



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Norman Rieß
Am 29.03.2013 01:49, schrieb Peter Humphrey:
 On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:
 
  
 
 In my case, my ISP's DNS servers are slow (several seconds to reply),
 
 fail randomly when they should resolve, return an IP (which goes to
 
 their ad-laden helper website if you are using a web browser) when
 
 they should instead return nxdomain, and they have openly admitted to
 
 selling customer DNS lookup history to marketers for targeted
 
 advertising.
 
  
 
 That is just evil. Have you no alternative to this ISP?
 
  
 
 -- 
 
 Peter
 
  
 

Like free and open DNS servers? ;-) Like the one I am talking about and
was told it was unnecessary crap?

Norman



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Alan McKinnon
On 28/03/2013 22:53, Paul Hartman wrote:
 On Thu, Mar 28, 2013 at 3:02 PM, Alan McKinnon alan.mckin...@gmail.com 
 wrote:
 Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
 knows how to do it right and the user does not.

 Generally true, though I've known people to choose not to use ISP caches
 owing to the ISP's implementation of things like '*' records, ISPs
 applying safety filters against some hostnames, and concerns about the
 persistence of ISP request logs.

 I get a few of those too every now and again. I know for sure in my case
 their fears are unfounded, but can't prove it. Those few (and they are
 few) can go ahead and deploy their own cache. I can't stop them, they
 are free to do it, they are also free to ignore my advice if they choose.
 
 In my case, my ISP's DNS servers are slow (several seconds to reply),
 fail randomly when they should resolve, return an IP (which goes to
 their ad-laden helper website if you are using a web browser) when
 they should instead return nxdomain, and they have openly admitted to
 selling customer DNS lookup history to marketers for targeted
 advertising.

I'm part of Infra. If we sold you service like that, you wouldn't have
to complain, the CTO would be round at my desk in a flash with his new
career path plan for me.

You know the plan, it's the cookie-cutter one that mentions burgers
and flipping many times

:-)


 
 Thanks for being one of the good guys. :)
 


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Alan McKinnon
On 29/03/2013 10:53, Norman Rieß wrote:
 That is just evil. Have you no alternative to this ISP?
  
   
  
  -- 
  
  Peter
  
   
  
 Like free and open DNS servers? ;-) Like the one I am talking about and
 was told it was unnecessary crap?


When you describe the service you DO get from your ISP, then we can see
that rolling your own is the proper alternative for you. Unless your ISP
blocks outbound port 53...

If you were in Africa, I could give you an alternative but sadly I don't
think you are in Africa

-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Michael Mol
On 03/29/2013 09:27 AM, Alan McKinnon wrote:
 On 29/03/2013 10:53, Norman Rieß wrote:
 That is just evil. Have you no alternative to this ISP?

  

 -- 

 Peter

  

 Like free and open DNS servers? ;-) Like the one I am talking about and
 was told it was unnecessary crap?
 
 
 When you describe the service you DO get from your ISP, then we can see
 that rolling your own is the proper alternative for you. Unless your ISP
 blocks outbound port 53...

It'd be trivial enough for someone in a saner spot to privately offer
him an allowed-clients entry in a DNS server listening on a non-standard
port.

Either way, it's still important he not allow just anybody to connect to
his resolver.

 
 If you were in Africa, I could give you an alternative but sadly I don't
 think you are in Africa
 






Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Paul Hartman
On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey
pe...@humphrey.ukfsn.org wrote:
 On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:

 In my case, my ISP's DNS servers are slow (several seconds to reply),
 fail randomly when they should resolve, return an IP (which goes to
 their ad-laden helper website if you are using a web browser) when
 they should instead return nxdomain, and they have openly admitted to
 selling customer DNS lookup history to marketers for targeted
 advertising.



 That is just evil. Have you no alternative to this ISP?

Not really.

I have a 100 megabit connection through the cable company; my only
wired alternative is DSL (1.5 mbit for almost half the price I'm
paying for 100mbit). Cellular or satellite are not viable options for
me because of comparatively poor value, latency and minuscule data
usage caps.

In the USA, the local governments (cities and towns, etc.) are in
control of regulating which utilities can use public land, and are
entitled to compensation from those who use it. Cable companies
negotiate rental of that space called a franchise fee so they can
bury cables, etc.

The franchise fee used to be a government-protected monopoly. In the
1980's, when cable television started booming, regional pockets of
cable providers were built up thanks to these local monopolies
allowing them to move into towns with no competition. For the sake of
efficiency, cable companies would build out in adjacent towns and kept
spreading and growing outward until at some point nearly everyone in
the country had cable TV services available to them, with the
exception of those living in rural areas which were not dense enough
to justify the cost of laying cables, even when presented with a
monopoly.

It is no longer legal for local governments to award monopolies, but
the damage has been done. What we have is essentially the cable TV
infrastructure that was laid out during the decade when local cable
monopolies were legal, and the cost of entry for a new player into the
market now is so high that nobody ever bothers. End result for
consumers is a lack of choice. There are some places where competition
exists, but those places are pretty rare, in my experience.

There are some other possible alternatives to cable internet and DSL,
such as municipal wifi, mesh networks, powerline and FTTx, but none
are available where I live.

The service I receive from the cable company here is actually
excellent, with the exception of the aforementioned DNS woes.

Pretty much every major ISP in the US does DNS-hijacking and other
shenanigans, so there's no avoiding the evilness. I believe the board
members of major cable and telecom companies would sell their own
mothers into slavery if it meant a rise in share prices or a larger
bonus at the end of the year...



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread William Kenworthy
On 30/03/13 06:34, Paul Hartman wrote:
 On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey
 pe...@humphrey.ukfsn.org wrote:
 On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:

 In my case, my ISP's DNS servers are slow (several seconds to reply),
 fail randomly when they should resolve, return an IP (which goes to
 their ad-laden helper website if you are using a web browser) when
 they should instead return nxdomain, and they have openly admitted to
 selling customer DNS lookup history to marketers for targeted
 advertising.



 That is just evil. Have you no alternative to this ISP?
 
 Not really.
 
 I have a 100 megabit connection through the cable company; my only
 wired alternative is DSL (1.5 mbit for almost half the price I'm
 paying for 100mbit). Cellular or satellite are not viable options for
 me because of comparatively poor value, latency and minuscule data
 usage caps.
 

Can you do a tunnel to a cheap VPS instance that can access an external
DNS, and feed all your DNS queries through it?  Considering the problems
with your existing setup, that looks attractive and you can have sane
fallbacks if necessary.

I tried this to avoid the Australia Tax when online shopping overseas
and the small additional latency didn't seem to be a problem.

BillK






Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Michael Mol
On 03/29/2013 07:01 PM, William Kenworthy wrote:
 On 30/03/13 06:34, Paul Hartman wrote:
 On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey
 pe...@humphrey.ukfsn.org wrote:
 On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:

 In my case, my ISP's DNS servers are slow (several seconds to reply),
 fail randomly when they should resolve, return an IP (which goes to
 their ad-laden helper website if you are using a web browser) when
 they should instead return nxdomain, and they have openly admitted to
 selling customer DNS lookup history to marketers for targeted
 advertising.



 That is just evil. Have you no alternative to this ISP?

 Not really.

 I have a 100 megabit connection through the cable company; my only
 wired alternative is DSL (1.5 mbit for almost half the price I'm
 paying for 100mbit). Cellular or satellite are not viable options for
 me because of comparatively poor value, latency and minuscule data
 usage caps.

 
 Can you do a tunnel to a cheap VPS instance that can access an external
 DNS, and feed all your DNS queries through it?  Considering the problems
 with your existing setup, that looks attractive and you can have sane
 fallbacks if necessary.
 
 I tried this to avoid the Australia Tax when online shopping overseas
 and the small additional latency didn't seem to be a problem.

Doesn't even need to be that complicated.

Set up a free tunnel with tunnelbroker.net, and use Hurricane Electric's
provided IPv6 DNS servers. They run the tunnel service as a loss-leader,
and if they're doing anything funky with their DNS data, I haven't heard
about it.

Chances are, the local ISP won't be filtering traffic flowing across a
proto41 tunnel. (IPv6 packet as an IPv4 packet payload. It's called a
proto41 tunnel because 41 is placed in the next protocol field in the
IPv4 packet.)






Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Walter Dnes
On Fri, Mar 29, 2013 at 05:34:41PM -0500, Paul Hartman wrote
 
 Pretty much every major ISP in the US does DNS-hijacking and other
 shenanigans, so there's no avoiding the evilness.

  The obvious question is... do they hijack all port-53 queries?
Depending on the answer, there are 2 different strategies to follow.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Adam Carter
Typically you would just allow recursion from networks you trust. Why are
you making your server available to everyone?

Read this one?
https://developers.google.com/speed/public-dns/docs/security


Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Volker Armin Hemmann
Turn off this unnecessary crap?
Am 28.03.2013 09:52 schrieb Norman Rieß nor...@smash-net.org:

 Hello,

 I am using pdns recursor to provide a DNS server which should be usable
 for everybody. The problem is that the server seems to be used in DNS
 amplification attacks.
 I googled around on how to prevent this but did not really find
 something useful.

 Does anyone have an idea about this?

 Regards,
 Norman




Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Michael Mol
On 03/28/2013 04:51 AM, Norman Rieß wrote:
 Hello,
 
 I am using pdns recursor to provide a DNS server which should be usable
 for everybody. The problem is that the server seems to be used in DNS
 amplification attacks.
 I googled around on how to prevent this but did not really find
 something useful.
 
 Does anyone have an idea about this?

I'm not sure it can be done. You can't make a resolver available to
everybody without somebody in that everybody group abusing it, and
that's exactly what happens in a DNS amplification attack.

Restrict your resolver to be accessible only to your network or, at
most, those of the specific group of people you're seeking to help.

You *might* try restricting the resolver to only respond to TCP requests
rather than UDP requests, but if the resolver sends response data along
with that first SYN+ACK, then nothing is solved, and you've opened
yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
went offline as a result of a SYN flood, at least it wouldn't be part of
an amplification attack any longer...)



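As an added example (not from any post in this thread), here is the pdns recursor setting that implements the advice above to restrict who may query: `allow-from` in recursor.conf lists the client networks the resolver will answer. The first fragment is the open-resolver configuration the thread is about; the second restricts it to loopback plus your own prefixes, where 192.0.2.0/24 and 2001:db8::/32 are placeholder documentation prefixes to replace with your own.

```ini
# recursor.conf, open resolver: answers recursive queries from anyone,
# so it can be pointed at a spoofed victim address and used as an amplifier
allow-from=0.0.0.0/0, ::/0

# recursor.conf, restricted: only loopback and your own networks are answered;
# 192.0.2.0/24 and 2001:db8::/32 are placeholders for your real prefixes
allow-from=127.0.0.0/8, ::1/128, 192.0.2.0/24, 2001:db8::/32
```

Queries from addresses outside `allow-from` are refused, so a spoofed source outside your networks gets no amplified reply at all; restart the recursor after changing the setting.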


Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Pandu Poluan
On Mar 28, 2013 10:38 PM, Michael Mol mike...@gmail.com wrote:

 On 03/28/2013 04:51 AM, Norman Rieß wrote:
  Hello,
 
  I am using pdns recursor to provide a DNS server which should be usable
  for everybody. The problem is that the server seems to be used in DNS
  amplification attacks.
  I googled around on how to prevent this but did not really find
  something useful.
 
  Does anyone have an idea about this?

 I'm not sure it can be done. You can't make a resolver available to
 everybody without somebody in that everybody group abusing it, and
 that's exactly what happens in a DNS amplification attack.

 Restrict your resolver to be accessible only to your network or, at
 most, those of the specific group of people you're seeking to help.

 You *might* try restricting the resolver to only respond to TCP requests
 rather than UDP requests, but if the resolver sends response data along
 with that first SYN+ACK, then nothing is solved, and you've opened
 yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
 went offline as a result of a SYN flood, at least it wouldn't be part of
 an amplification attack any longer...)


Can't we rate limit UDP DNS requests?

E.g., limit each source IP to, let's say, 1 UDP per second?

That should be doable easily using iptables.

Rgds,
--


Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Michael Mol
On 03/28/2013 12:06 PM, Pandu Poluan wrote:
 
 On Mar 28, 2013 10:38 PM, Michael Mol mike...@gmail.com wrote:

 On 03/28/2013 04:51 AM, Norman Rieß wrote:
  Hello,
 
  I am using pdns recursor to provide a DNS server which should be usable
  for everybody. The problem is that the server seems to be used in DNS
  amplification attacks.
  I googled around on how to prevent this but did not really find
  something useful.
 
  Does anyone have an idea about this?

 I'm not sure it can be done. You can't make a resolver available to
 everybody without somebody in that everybody group abusing it, and
 that's exactly what happens in a DNS amplification attack.

 Restrict your resolver to be accessible only to your network or, at
 most, those of the specific group of people you're seeking to help.

 You *might* try restricting the resolver to only respond to TCP requests
 rather than UDP requests, but if the resolver sends response data along
 with that first SYN+ACK, then nothing is solved, and you've opened
 yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
 went offline as a result of a SYN flood, at least it wouldn't be part of
 an amplification attack any longer...)

 
 Can't we rate limit UDP DNS requests?
 
 E.g., limit each source IP to, let's say, 1 UDP per second?
 
 That should be doable easily using iptables.

That makes the resolver highly unreliable for normal use. Many sites
trigger resource grabs from 10-15 different domains. If all but the
first request is dropped due to rate limiting, you're going to have a
very, very broken experience.




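As an added example, not code from any poster, the following is a small per-source token-bucket simulation of the iptables-style "N queries per second per source IP" limit Pandu proposed, run against constructed traffic: a browser loading a page that needs 15 lookups in 0.3 s, and a 500-query-per-second flood carrying one (spoofed) source address. It shows Michael's point that a 1/s limit with no burst allowance breaks the page load, and that a bucket with a burst allowance keeps the client working while still capping the flood.

```python
"""Per-source token-bucket rate limiting for a recursive resolver.

Traffic below is constructed for the example: 198.51.100.7 is a normal
client, 203.0.113.9 is the single source address behind a flood.
"""
from collections import defaultdict


class PerSourceLimiter:
    """Token bucket keyed by source IP: refills `rate` tokens/s, holds at most `burst`."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.state = {}  # ip -> (tokens, timestamp of last query)

    def allow(self, ip, ts):
        """Return True if a query from `ip` at time `ts` may be answered."""
        tokens, last = self.state.get(ip, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        if tokens >= 1.0:
            self.state[ip] = (tokens - 1.0, ts)
            return True
        self.state[ip] = (tokens, ts)
        return False


def legit_page_load(ip, start):
    """15 lookups in 0.3 s, like a browser fetching one page (constructed)."""
    return [(start + i * 0.02, ip, "cdn%d.example" % i) for i in range(15)]


def flood(ip, start):
    """500 queries in 1 s all bearing one source address (constructed)."""
    return [(start + j * 0.002, ip, "example.") for j in range(500)]


def simulate(rate, burst):
    """Run both flows through one limiter; return {ip: {allowed, dropped}}."""
    limiter = PerSourceLimiter(rate, burst)
    traffic = legit_page_load("198.51.100.7", 0.0) + flood("203.0.113.9", 0.0)
    traffic.sort(key=lambda q: q[0])  # deliver in timestamp order
    counts = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, ip, _qname in traffic:
        key = "allowed" if limiter.allow(ip, ts) else "dropped"
        counts[ip][key] += 1
    return dict(counts)


if __name__ == "__main__":
    # 1/s with no burst drops 14 of the 15 page-load lookups;
    # 1/s with burst 20 answers all 15 and still caps the flood at 20.
    for rate, burst in ((1, 1), (1, 20)):
        print("rate=%d/s burst=%d:" % (rate, burst), simulate(rate, burst))
```

Note that in a real amplification attack the "source" is the victim's spoofed address, so a per-source limit caps what the victim receives but does not stop the flood arriving; restricting who may query at all is the stronger fix.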


Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Jarry

On 28-Mar-13 9:51, Norman Rieß wrote:

Hello,

I am using pdns recursor to provide a DNS server which should be usable
for everybody. The problem is that the server seems to be used in DNS
amplification attacks.
I googled around on how to prevent this but did not really find
something useful.

Does anyone have an idea about this?


Try to set-up connection rate limiting using iptables...

Jarry
--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.
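The rate-limiting idea raised above (a per-source limit on UDP queries, and the objection that a strict one-query-per-second limit breaks ordinary page loads that trigger 10-15 lookups at once) can be tried out offline before touching a live resolver. The following is an added example, not code from the thread or from pdns: a per-source-IP token bucket with the same two knobs iptables hashlimit exposes (a sustained rate plus a burst allowance), run over constructed query records for a browsing client and a flood source. Timestamps, addresses and names are constructed; exact arithmetic is used so the bucket boundaries are deterministic.

```python
"""Per-source-IP token-bucket rate limiting for DNS queries, simulated over
constructed query records.  Models the iptables hashlimit semantics (a
sustained rate plus a burst allowance) so the effect of a chosen limit on
legitimate clients and on a flood source can be checked in advance.
Added example; it is not part of the mailing-list thread or of pdns."""
from collections import defaultdict
from fractions import Fraction

# Constructed sample traffic: (timestamp_ms, source_ip, qname).  Not real logs.
# 192.0.2.10 is a browser loading two pages (12 and 10 lookups, 15 ms apart);
# 203.0.113.5 is a flood source sending 100 queries/second for 3 seconds.
SAMPLE_QUERIES = (
    [(i * 15, "192.0.2.10", f"asset{i}.example") for i in range(12)]
    + [(5000 + i * 15, "192.0.2.10", f"cdn{i}.example") for i in range(10)]
    + [(i * 10, "203.0.113.5", "big-txt.example") for i in range(300)]
)


class TokenBucket:
    """One bucket per source address: at most `burst` tokens, refilled at
    `rate_per_sec` tokens per second; each query costs one token."""

    def __init__(self, rate_per_sec, burst):
        self.rate = Fraction(rate_per_sec)
        self.burst = Fraction(burst)
        self.tokens = self.burst      # start full, as hashlimit does
        self.last_ms = None

    def allow(self, now_ms):
        """Refill for the time elapsed since the last query from this source,
        then spend a token if one is available."""
        if self.last_ms is not None:
            refill = Fraction(now_ms - self.last_ms, 1000) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def apply_rate_limit(queries, rate_per_sec, burst):
    """Return {source_ip: (allowed, dropped)} after running every query
    through its source's bucket in timestamp order."""
    buckets = defaultdict(lambda: TokenBucket(rate_per_sec, burst))
    allowed = defaultdict(int)
    dropped = defaultdict(int)
    for ts_ms, src, _qname in sorted(queries):
        if buckets[src].allow(ts_ms):
            allowed[src] += 1
        else:
            dropped[src] += 1
    return {src: (allowed[src], dropped[src]) for src in buckets}


if __name__ == "__main__":
    # Strict 1 qps with no burst lets 2 of the browser's 22 lookups through;
    # 1 qps with a burst of 20 passes all of them and still cuts the flood
    # source from 300 queries to 22.
    for label, burst in (("strict 1 qps, no burst", 1), ("1 qps with burst 20", 20)):
        print(label)
        for src, (ok, drop) in sorted(apply_rate_limit(SAMPLE_QUERIES, 1, burst).items()):
            print(f"  {src:12} allowed={ok:3} dropped={drop:3}")
```

The two parameters map onto the iptables hashlimit match as `--hashlimit-upto 1/sec --hashlimit-burst 20 --hashlimit-mode srcip` on a rule for UDP port 53; the simulation shows why the burst value, not the sustained rate, decides whether a normal client survives the limit. It also shows the limit's weakness for amplification: a source that is spoofing the victim's address still gets the burst plus one reply per second per spoofed address, so per-source limits reduce but do not remove the amplification, which is what response rate limiting inside the resolver and restricting the resolver to known clients address.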



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Norman Rieß
On 28.03.2013 16:38, Michael Mol wrote:
 On 03/28/2013 04:51 AM, Norman Rieß wrote:
 Hello,

 i am using pdns recursor to provide a dns server which should be usable
 for everybody. The problem is, that the server seems to be used in dns
 amplification attacks.
 I googled around on how to prevent this but did not really find
 something useful.

 Does anyone have an idea about this?
 
 I'm not sure it can be done. You can't make a resolver available to
 everybody without somebody in that everybody group abusing it, and
 that's exactly what happens in a DNS amplification attack.
 
 Restrict your resolver to be accessible only to your network or, at
 most, those of the specific group of people you're seeking to help.
 
 You *might* try restricting the resolver to only respond to TCP requests
 rather than UDP requests, but if the resolver sends response data along
 with that first SYN+ACK, then nothing is solved, and you've opened
 yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
 went offline as a result of a SYN flood, at least it wouldn't be part of
 an amplification attack any longer...)
 

Thank you Michael!



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Alan McKinnon
On 28/03/2013 17:38, Michael Mol wrote:
 On 03/28/2013 04:51 AM, Norman Rieß wrote:
 Hello,

 i am using pdns recursor to provide a dns server which should be usable
 for everybody. The problem is, that the server seems to be used in dns
 amplification attacks.
 I googled around on how to prevent this but did not really find
 something useful.

 Does anyone have an idea about this?
 
 I'm not sure it can be done. You can't make a resolver available to
 everybody without somebody in that everybody group abusing it, and
 that's exactly what happens in a DNS amplification attack.
 
 Restrict your resolver to be accessible only to your network or, at
 most, those of the specific group of people you're seeking to help.
 
 You *might* try restricting the resolver to only respond to TCP requests
 rather than UDP requests, 

NO NO NO NO NO

Under no circumstances ever do this. The service breaks horribly when
you do this and it has to work even remotely hard. Most likely your ISP
will outright ban you for that if you use the ISP's caches. I know I do,
and so does every other major ISP in this country.

but if the resolver sends response data along
 with that first SYN+ACK, then nothing is solved, and you've opened
 yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
 went offline as a result of a SYN flood, at least it wouldn't be part of
 an amplification attack any longer...)


Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
knows how to do it right and the user does not.


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Michael Mol
On 03/28/2013 03:16 PM, Alan McKinnon wrote:
 On 28/03/2013 17:38, Michael Mol wrote:
 On 03/28/2013 04:51 AM, Norman Rieß wrote:
 Hello,

 i am using pdns recursor to provide a dns server which should be usable
 for everybody. The problem is, that the server seems to be used in dns
 amplification attacks.
 I googled around on how to prevent this but did not really find
 something useful.

 Does anyone have an idea about this?

 I'm not sure it can be done. You can't make a resolver available to
 everybody without somebody in that everybody group abusing it, and
 that's exactly what happens in a DNS amplification attack.

 Restrict your resolver to be accessible only to your network or, at
 most, those of the specific group of people you're seeking to help.

 You *might* try restricting the resolver to only respond to TCP requests
 rather than UDP requests, 
 
 NO NO NO NO NO
 
 Under no circumstances ever do this. The service breaks horribly when
 you do this and it has to work even remotely hard. Most likely your ISP
 will outright ban you for that if you use the ISP's caches. I know I do,
 and so does every other major ISP in this country.

Er, what? When we're talking about a recursive resolver requiring
clients connecting to it to use TCP, what does upstream care? He's
talking about running his own open DNS server.

 
 but if the resolver sends response data along
 with that first SYN+ACK, then nothing is solved, and you've opened
 yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
 went offline as a result of a SYN flood, at least it wouldn't be part of
 an amplification attack any longer...)
 
 
 Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
 knows how to do it right and the user does not.

Generally true, though I've known people to choose not to use ISP caches
owing to the ISP's implementation of things like '*' records, ISPs
applying safety filters against some hostnames, and concerns about the
persistence of ISP request logs.






Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Paul Ezvan

On 28/03/2013 17:53, Jarry wrote:

On 28-Mar-13 9:51, Norman Rieß wrote:

Hello,

i am using pdns recursor to provide a dns server which should be usable
for everybody. The problem is, that the server seems to be used in dns
amplification attacks.
I googled around on how to prevent this but did not really find
something useful.

Does anyone have an idea about this?


Try to set-up connection rate limiting using iptables...

Jarry

Hi,

a good example, in French but the commands will be sufficient:
http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html


Paul



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Alan McKinnon
On 28/03/2013 21:38, Michael Mol wrote:
 On 03/28/2013 03:16 PM, Alan McKinnon wrote:
 On 28/03/2013 17:38, Michael Mol wrote:
 On 03/28/2013 04:51 AM, Norman Rieß wrote:
 Hello,

 i am using pdns recursor to provide a dns server which should be usable
 for everybody. The problem is, that the server seems to be used in dns
 amplification attacks.
 I googled around on how to prevent this but did not really find
 something useful.

 Does anyone have an idea about this?

 I'm not sure it can be done. You can't make a resolver available to
 everybody without somebody in that everybody group abusing it, and
 that's exactly what happens in a DNS amplification attack.

 Restrict your resolver to be accessible only to your network or, at
 most, those of the specific group of people you're seeking to help.

 You *might* try restricting the resolver to only respond to TCP requests
 rather than UDP requests, 

 NO NO NO NO NO

 Under no circumstances ever do this. The service breaks horribly when
 you do this and it has to work even remotely hard. Most likely your ISP
 will outright ban you for that if you use the ISP's caches. I know I do,
 and so does every other major ISP in this country.
 
 Er, what? When we're talking about a recursive resolver requiring
 clients connecting to it to use TCP, what does upstream care? He's
 talking about running his own open DNS server.

Because the list is indexed and archived and Googled forever. Others may
get the idea that TCP-only DNS caches are a good idea in general. Have
you ever had to deal with the insanity caused when Windows Servers
insist on using TCP only, and YOU are the upstream?

I understand what the OP was suggesting, but he did not limit the
usefulness and scope of the suggestion, so I did.

 

 but if the resolver sends response data along
 with that first SYN+ACK, then nothing is solved, and you've opened
 yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
 went offline as a result of a SYN flood, at least it wouldn't be part of
 an amplification attack any longer...)


 Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
 knows how to do it right and the user does not.
 
 Generally true, though I've known people to choose not to use ISP caches
 owing to the ISP's implementation of things like '*' records, ISPs
 applying safety filters against some hostnames, and concerns about the
 persistence of ISP request logs.

I get a few of those too every now and again. I know for sure in my case
their fears are unfounded, but can't prove it. Those few (and they are
few) can go ahead and deploy their own cache. I can't stop them, they
are free to do it, they are also free to ignore my advice if they choose.





-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Kevin Chadwick
On Thu, 28 Mar 2013 16:12:04 +0100
Volker Armin Hemmann volkerar...@googlemail.com wrote:

  Hello,
 
  i am using pdns recursor to provide a dns server which should be
  usable for everybody. The problem is, that the server seems to be
  used in dns amplification attacks.
  I googled around on how to prevent this but did not really find
  something useful.
 
  Does anyone have an idea about this?

I haven't looked into it but.

You could perhaps reduce the amplification by looking for trends that
maximise response sizes such as the 100x amp against spamhaus of late,
but you would be fighting against the wind and only buying time.

Rate limiting may work but bear in mind that so many servers could be
used that attacks may be ongoing and you wouldn't notice; again you may
be able to make attackers need to be subtler or go to more effort, like
for spam, but you are not going to eradicate it.

Really you would need some sort of network of dns servers communicating
about who they are hurting as thankfully there is often a single
victim, but really it would be better if the IETF had listened to the
dangers and even now simply redesigned DNSSEC.

As for tcp I used to have all my OpenBSD clients resolvers using the tcp
option in resolv.conf but I haven't noticed another OS's resolver with
that option. There are decent protections against syn floods but I
assume you are wanting random clients to connect.



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Paul Hartman
On Thu, Mar 28, 2013 at 3:02 PM, Alan McKinnon alan.mckin...@gmail.com wrote:
 Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
 knows how to do it right and the user does not.

 Generally true, though I've known people to choose not to use ISP caches
 owing to the ISP's implementation of things like '*' records, ISPs
 applying safety filters against some hostnames, and concerns about the
 persistence of ISP request logs.

 I get a few of those too every now and again. I know for sure in my case
 their fears are unfounded, but can't prove it. Those few (and they are
 few) can go ahead and deploy their own cache. I can't stop them, they
 are free to do it, they are also free to ignore my advice if they choose.

In my case, my ISP's DNS servers are slow (several seconds to reply),
fail randomly when they should resolve, return an IP (which goes to
their ad-laden helper website if you are using a web browser) when
they should instead return nxdomain, and they have openly admitted to
selling customer DNS lookup history to marketers for targeted
advertising.

Thanks for being one of the good guys. :)



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Kevin Chadwick

 listened to the dangers and even now simply redesigned DNSSEC.

Or they could fudge it by making every request requiring padding larger
than the response. Bandwidth would increase astronomically but amp
attacks would have to find other avenues.



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Michael Mol
On 03/28/2013 04:53 PM, Paul Hartman wrote:
 On Thu, Mar 28, 2013 at 3:02 PM, Alan McKinnon alan.mckin...@gmail.com 
 wrote:
 Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
 knows how to do it right and the user does not.

 Generally true, though I've known people to choose not to use ISP caches
 owing to the ISP's implementation of things like '*' records, ISPs
 applying safety filters against some hostnames, and concerns about the
 persistence of ISP request logs.

 I get a few of those too every now and again. I know for sure in my case
 their fears are unfounded, but can't prove it. Those few (and they are
 few) can go ahead and deploy their own cache. I can't stop them, they
 are free to do it, they are also free to ignore my advice if they choose.
 
 In my case, my ISP's DNS servers are slow (several seconds to reply),
 fail randomly when they should resolve, return an IP (which goes to
 their ad-laden helper website if you are using a web browser) when
 they should instead return nxdomain, and they have openly admitted to
 selling customer DNS lookup history to marketers for targeted
 advertising.

Wow. That's...all the fail.

 
 Thanks for being one of the good guys. :)
 

Indeed.





Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Michael Mol
On 03/28/2013 04:57 PM, Kevin Chadwick wrote:
 
 listened to the dangers and even now simply redesigned DNSSEC.
 
 Or they could fudge it by making every request requiring padding larger
 than the response. Bandwidth would increase astronomically but amp
 attacks would have to find other avenues.
 

Infeasible; the requester cannot know the size of the response in
advance. If a packet comes in, and the response is larger than the
request, is it really an amp packet, did the client not know, or is the
server misconfigured and not limiting the response data as much as it could?





Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Norman Rieß
On 28.03.2013 10:07, Adam Carter wrote:
 Why are you making your server available to everyone?
 

For the lulz mostly.




Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Kevin Chadwick
On Thu, 28 Mar 2013 17:04:25 -0400
Michael Mol mike...@gmail.com wrote:


  listened to the dangers and even now simply redesigned DNSSEC.  
  
  Or they could fudge it by making every request requiring padding
  larger than the response. Bandwidth would increase astronomically
  but amp attacks would have to find other avenues.

 
 Infeasible; the requester cannot know the size of the response in
 advance. If a packet comes in, and the response is larger than the
 request, is it really an amp packet, did the client not know, or is
 the server misconfigured and not limiting the response data as much
 as it could?

I'm certainly not saying it's a good idea, hence the 'fudge' and 'making
every request', which would mean non-updateable clients or non-updated
routers (90%) needing special treatment. I'm sure there are probably
other hurdles to it but it is certainly possible to make a request much
larger than any potential response similar to the anti-spam system
that makes creating a message take a lot of cpu and then only accepting
messages from those that do (hsomething I think, only works too if all
take part but would eliminate spam almost completely).

However thinking about it, considering the want for dns to provide
larger things like encryption keys, huge requests may be the best long
term solution for a DNSSEC which seemingly refuses out of pride to add
something like DNSCURVE to prevent spoofing. Similar to firewalls only
sending a single syn ack (less than or equalise)



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-28 Thread Peter Humphrey
On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:

 In my case, my ISP's DNS servers are slow (several seconds to reply),
 fail randomly when they should resolve, return an IP (which goes to
 their ad-laden helper website if you are using a web browser) when
 they should instead return nxdomain, and they have openly admitted to
 selling customer DNS lookup history to marketers for targeted
 advertising.

That is just evil. Have you no alternative to this ISP?

-- 
Peter