Gentoo Archives: gentoo-user

From: Michael Mol <mikemol@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] How to prevent a dns amplification attack
Date: Thu, 28 Mar 2013 15:38:33
Message-Id: 515463E0.60607@gmail.com
In Reply to: [gentoo-user] How to prevent a dns amplification attack by "Norman Rieß"
On 03/28/2013 04:51 AM, Norman Rieß wrote:
> Hello,
>
> I am using pdns recursor to provide a dns server which should be usable
> for everybody. The problem is that the server seems to be used in dns
> amplification attacks.
> I googled around on how to prevent this but did not really find
> something useful.
>
> Does anyone have an idea about this?

I'm not sure it can be done. You can't make a resolver available to
"everybody" without somebody in that "everybody" group abusing it, and
that's exactly what happens in a DNS amplification attack.

Restrict your resolver to be accessible only to your network or, at
most, those of the specific group of people you're seeking to help.

You *might* try restricting the resolver to only respond to TCP requests
rather than UDP requests, but if the resolver sends response data along
with that first SYN+ACK, then nothing is solved, and you've opened
yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
went offline as a result of a SYN flood, at least it wouldn't be part of
an amplification attack any longer...)
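
An added example, not part of the message above: after restricting the resolver, an operator can confirm the restriction by looking at what a client outside the allowed networks receives for a recursive query. The sketch below classifies such a reply from its DNS header and reports the reply-to-query size ratio; `build_query`, `classify` and the sample messages for `example.com` are constructed for illustration.

```python
import struct

QR, RA = 0x8000, 0x0080          # header flag bits, RFC 1035 section 4.1.1
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Recursive (RD=1) query for `name`; qtype 1 is A, 16 is TXT."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)

def classify(query, response):
    """Judge a reply captured by a client OUTSIDE the allowed networks."""
    if response is None:                      # query was silently dropped
        return {"verdict": "closed", "rcode": None, "ratio": 0.0}
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        raise ValueError("not a response to this query")
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    # Open = the server recursed for a stranger and returned data.
    is_open = rcode == "NOERROR" and bool(flags & RA) and answers > 0
    return {"verdict": "open" if is_open else "closed", "rcode": rcode,
            "ratio": round(len(response) / len(query), 2)}

# --- constructed sample messages (not captured traffic) ---
QUERY = build_query("example.com", qtype=16)
QUESTION = QUERY[12:]
# Restricted resolver: REFUSED, question echoed back, no answer records.
REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION
# Open resolver: NOERROR, RA set, one 200-byte TXT answer.
TXT = bytes([200]) + b"x" * 200
ANSWERED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
            + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(TXT)) + TXT)

if __name__ == "__main__":
    for label, msg in (("refused", REFUSED), ("answered", ANSWERED), ("dropped", None)):
        print(label, classify(QUERY, msg))
```

A REFUSED reply is still sent to whatever source address the query carried, but at a ratio of about 1 it gives no amplification; the answered case is the one that makes the resolver useful to an attacker.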
