Re: Avoiding being used as DDoS reflector.

Mon, 19 Jan 2009 09:58:45 -0800 

On Jan 19, 2009, at 7:48 AM, John Wobus wrote:

Nathan Ollerenshaw escreveu:



I have an Authoritative BIND server. It is configured to only allow  
recursive queries from localhost, with recursion disabled for any  
remote clients.



If you attempt to perform a recursive query against this server, it  
will respond with a "query refused" packet, as this is what BIND  
does if you try to recursively query a server configured to  
disallow recursive queries.

[ ........ ]

Any ideas? Anyone facing this same problem found a solution? I'd be  
glad to hear it :)







If you need 53 to answer for authoritative zones, you could run two  
bind instances, one for your caching server,
the other for the authoritative data.  Then a firewall or instance- 
wide black-hole config would take care of it.

Not too inspired a solution, but it's all I can think of.


I fear that what you are seeing is difficult to handle, thus may  
well become only more popular as time passes,
especially if it really does cause trouble for the victim. If the  
traffic is negligible for you, then does it really
hurt the victim?  How would they be harmed?  Is the victim someone  
who queries your authoritative
server enough to get some confusing "hits" of matching port, ID, and  
server of outstanding queries?  Even if you
block recursive error returns, would an attack using valid  
authoritative answers be equally harmful to the victim?



What's happening is, the attacker uses a botnet to send recursive  
packets for ./IN/NS (or any other query likely to get a large  
response) to a large number "reflectors", using a spoofed source  
address (the address of the target).


one controller
100000 bots

1000000 reflectors (per second - they can change from one second to  
another)

one target


The controller (the bot herder) already has an efficient way to  
control his botnet. Each bot (a compromised machine, usually running  
Windows, that's owned by an unsuspecting normal person) sends 10 DNS  
packets per second to 10 different servers - not very much traffic.  
Each reflector, a DNS server that accepts any kind of query from the  
Internet, sees 1 query per second (or less) - a very small amount of  
traffic. So none of these machines are seeing much load.


The target gets one million bogus responses per second.

Chris Buxton
Professional Services
Men & Mice

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






















					Reply via email to