| 1 |
On Thu, 28 Mar 2013 16:12:04 +0100 |
| 2 |
Volker Armin Hemmann <volkerarmin@××××××××××.com> wrote: |
| 3 |
|
| 4 |
> > Hello, |
| 5 |
> > |
| 6 |
> > i am using pdns recursor to provide a dns server which should be |
| 7 |
> > usable for everybody.The problem is, that the server seems to be |
| 8 |
> > used in dns amplification attacks. |
| 9 |
> > I googled around on how to prevent this but did not really find |
| 10 |
> > something usefull. |
| 11 |
> > |
| 12 |
> > Does anyone got an idea about this? |
| 13 |
|
| 14 |
I haven't looked into it but. |
| 15 |
|
| 16 |
You could perhaps reduce the amplification by looking for trends that |
| 17 |
maximise response sizes such as the 100x amp against spamhaus of late, |
| 18 |
but you would be fighting against the wind and only buying time. |
| 19 |
|
| 20 |
Rate limiting may work but bear in mind that so many servers could be |
| 21 |
used that attacks maybe ongoing and you wouldn't notice, again you may |
| 22 |
be able to make attackers need to be subtler or go to more effort like |
| 23 |
for spam but you are not going to eradicate it. |
| 24 |
|
| 25 |
Really you would need some sort of network of dns servers communicating |
| 26 |
about who they are hurting as thankfully there is often a single |
| 27 |
victim, but really it would be better if the IETF had listened to the |
| 28 |
dangers and even now simply redesigned DNSSEC. |
| 29 |
|
| 30 |
As for tcp I used to have all my OpenBSD clients resolvers using the tcp |
| 31 |
option in resolv.conf but I haven't noticed another OS's resolver with |
| 32 |
that option. There are decent protections against syn floods but I |
| 33 |
assume you are wanting random clients to connect. |
Archives