[153566] in North American Network Operators' Group


Re: Open DNS Resolver reflection attack Mitigation

daemon@ATHENA.MIT.EDU (Joe Maimon)
Fri Jun 8 15:49:29 2012

Date: Fri, 08 Jun 2012 15:48:48 -0400
From: Joe Maimon <jmaimon@ttec.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
In-Reply-To: <20120608192605.GA19427@sources.org>
Cc: North American Networking and Offtopic Gripes List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



Stephane Bortzmeyer wrote:
> On Fri, Jun 08, 2012 at 03:09:04PM -0400,
>   Joe Maimon <jmaimon@ttec.com> wrote
>   a message of 7 lines which said:
>
>> Is there any publicly available rate limiting for BIND?
>
> Not as far as I know. I'm not sure it would be a good idea. BIND is
> feature-rich enough.


I really hope you have a minority viewpoint on this one. I would really 
like to see it.


>
>> How about host-based IDS that can be used to trigger rtbh or iptables?
>
> What I do (I manage a small and experimental open resolver) is to use
> iptables this way (porting it to IPv6 is left as an exercise):
>
> iptables -A INPUT -p udp --dport 53 -m hashlimit \
>     --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
>     --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
>
> So, every prefix (length 28) can send 20 r/s with allowed bursts of
> 100. This requires Netfilter >= 1.4 (recent options of the hashlimit
> module).

Missing the amplification factor goodness Google says they have, but
I'll take it.

https://developers.google.com/speed/public-dns/docs/security

>
> Most iptables recipes that you find on the Web are not well suited to
> DNS. They use connection tracking, for instance, while, with the DNS,
> every request/response is a "connection".
>
> I have a more complete article on this setup but in french only
> <http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html>.

This sounds promising. I will give it a spin. Thank you!


>
>> Google and Level3 manage to run open resolvers, why can't I?
>
> You have less money :-)
>
>

With help like yours, I hope to compensate for that.

Joe
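The hashlimit rule quoted in the reply above, wrapped into a script that installs it without stacking duplicates for IPv4 and, as an assumption, for IPv6 with a /64 source mask. This is an added example, not code from the post or its author; the APPLY switch, the function names and the /64 mask are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the post): per-source-prefix rate limiting for an
# open DNS resolver, built around the hashlimit rule quoted above.
# Assumptions of this example: the IPv6 source mask of 64 (one /64 per end
# site), the APPLY switch and the function names are all constructed here.

RATE="${RATE:-20/second}"   # sustained queries per source prefix
BURST="${BURST:-100}"       # burst allowance per source prefix
V4MASK="${V4MASK:-28}"      # IPv4 prefix length, as in the post
V6MASK="${V6MASK:-64}"      # assumption: IPv6 prefix length per end site
APPLY="${APPLY:-0}"         # 0 = only print the commands, 1 = install them

# Print the rule body for one source mask. hashlimit keys on the source
# prefix alone and needs no connection tracking, which is the point made
# in the post: each UDP datagram is its own "connection", so conntrack
# based recipes only fill the state table without limiting anything.
dns_hashlimit_rule() {
    mask="$1"
    printf '%s' "INPUT -p udp --dport 53 -m hashlimit --hashlimit-name DNS --hashlimit-above $RATE --hashlimit-mode srcip --hashlimit-burst $BURST --hashlimit-srcmask $mask -j DROP"
}

# Install the rule once for the given tool (iptables or ip6tables).
# -C tests for an identical rule so repeated runs do not add duplicates;
# -I puts the DROP ahead of any ACCEPT for port 53 already in INPUT.
install_dns_rate_limit() {
    tool="$1"
    rule="$(dns_hashlimit_rule "$2")"
    if [ "$APPLY" != 1 ]; then
        echo "$tool -I $rule"
        return 0
    fi
    # shellcheck disable=SC2086 -- the rule is deliberately word-split
    $tool -C $rule 2>/dev/null || $tool -I $rule
}

main() {
    install_dns_rate_limit iptables "$V4MASK"
    install_dns_rate_limit ip6tables "$V6MASK"
}

main
```

Run it as is to see the two commands it would issue; run it as root with APPLY=1 to install them.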


