On Thu, 28 Mar 2013 16:12:04 +0100
Volker Armin Hemmann <volkerarmin@××××××××××.com> wrote:

> > Hello,
> >
> > I am using pdns recursor to provide a DNS server which should be
> > usable for everybody. The problem is that the server seems to be
> > used in DNS amplification attacks.
> > I googled around on how to prevent this but did not really find
> > something useful.
> >
> > Does anyone have an idea about this?

I haven't looked into it, but.

You could perhaps reduce the amplification by looking for trends that
maximise response sizes, such as the 100x amp against Spamhaus of late,
but you would be fighting against the wind and only buying time.

Rate limiting may work, but bear in mind that so many servers could be
used that attacks may be ongoing and you wouldn't notice; again, you may
be able to make attackers need to be subtler or go to more effort, like
for spam, but you are not going to eradicate it.

Really you would need some sort of network of DNS servers communicating
about who they are hurting, as thankfully there is often a single
victim, but really it would be better if the IETF had listened to the
dangers and even now simply redesigned DNSSEC.

As for TCP, I used to have all my OpenBSD clients' resolvers using the tcp
option in resolv.conf, but I haven't noticed another OS's resolver with
that option. There are decent protections against SYN floods, but I
assume you are wanting random clients to connect.
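The "rate limiting may work" point above, as an added example (not code from the thread, and not PowerDNS's own implementation): a per-source token bucket charged by response size, so the large answers that make reflection attractive exhaust a spoofed source's budget after a few replies, with over-limit queries answered by a truncated reply so that a genuine client can retry over TCP. The log format and the field names are assumptions, and the sample log lines are constructed for the example; the flagging helper shows how the limiter's own drop counts give you the "noticing" the reply says is otherwise missing.

```python
"""Per-source response rate limiting for an open recursive resolver.

Added example; it is not code from the original thread or from PowerDNS.
A token bucket per source address is charged by answer size, so the
amplification-friendly queries drain it fastest. Over-limit queries get a
truncated reply rather than silence. The 'ts src qname qtype response_bytes'
log format is an assumption; the log lines below are constructed.
"""
from collections import defaultdict


class TokenBucket:
    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity          # burst allowance per source
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity            # start full
        self.last = None                  # timestamp of the last refill

    def allow(self, now, cost):
        if self.last is not None:
            elapsed = max(0.0, now - self.last)
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class ResponseRateLimiter:
    BYTES_PER_TOKEN = 512.0  # one token buys a classic UDP-sized answer

    def __init__(self, capacity=20.0, refill_per_sec=5.0):
        self.buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_sec))

    def decide(self, src, now, response_bytes):
        # Cost scales with the answer: a 3000-byte ANY answer costs ~5.9 tokens,
        # a 100-byte A answer costs 1, so a spoofed source asking for big
        # answers runs out of budget after a handful of responses.
        cost = max(1.0, response_bytes / self.BYTES_PER_TOKEN)
        if self.buckets[src].allow(now, cost):
            return "answer"
        # Over limit: send a truncated (TC=1) reply. A real client retries over
        # TCP, which the spoofer cannot complete; a spoofed UDP source gets no
        # amplification from a near-empty packet.
        return "truncate"


def replay(log_lines, limiter=None):
    """Run the limiter over 'ts src qname qtype response_bytes' lines and
    return per-source counts of each decision."""
    limiter = limiter or ResponseRateLimiter()
    stats = defaultdict(lambda: {"answer": 0, "truncate": 0})
    for line in log_lines:
        ts, src, _qname, _qtype, size = line.split()
        stats[src][limiter.decide(src, float(ts), int(size))] += 1
    return dict(stats)


def flag_sources(stats, min_truncated):
    """Sources that hit the limiter repeatedly: the address is probably a
    spoofed victim rather than the real sender, and worth a closer look."""
    return sorted(s for s, c in stats.items() if c["truncate"] >= min_truncated)


# Constructed sample: 30 ANY queries for a large record, all "from" one
# address within a third of a second (the reflection pattern), plus a
# normal client doing one small lookup per second.
SAMPLE_LOG = [f"{100 + i / 100:.2f} 198.51.100.7 example.org ANY 3000" for i in range(30)]
SAMPLE_LOG += [f"{100 + i:.2f} 203.0.113.5 www.example.org A 100" for i in range(5)]


if __name__ == "__main__":
    s = replay(SAMPLE_LOG)
    print(s)
    print("flagged:", flag_sources(s, min_truncated=10))
```

With the defaults, the burst of 30 large answers gets three real replies and 27 truncated ones, while the ordinary client is never touched; as the reply notes, this raises the attacker's cost per reflected byte rather than removing the open recursor as a reflector.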