At Mon, 19 Jan 2009 16:40:28 +1100, Nathan Ollerenshaw <chr...@stupendous.net> wrote:
> I have an Authoritative BIND server. It is configured to only allow
> recursive queries from localhost, with recursion disabled for any
> remote clients.

[snip]

> The ideal solution for me, would be a bind configuration option that
> could rate limit responses based on type; so you could specify that a
> "REFUSED" reply will only be sent to a given host once per hour, or
> something like that.

Rate-limiting REFUSED responses doesn't make much sense in this context, because the response messages are not (that) amplified in packet size. Even if you rate-limited REFUSED responses, the attacker could exploit other attack vectors. Especially in your case where the server also acts as an authoritative server, the attacker would just send a valid non-recursive query for a name in the authoritative zone with a forged address.

IMO, it's not worth considering a countermeasure for non-amplifying DoS attacks, especially if it can make the implementation complicated.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
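The point Jinmei makes above, that a REFUSED reply is not amplified while an authoritative answer can be, is easy to check on the wire format itself. The following is an added illustration, not code from the thread or from BIND: it builds a DNS query for a constructed name, then a REFUSED reply (RCODE 5, only the question echoed back) and an authoritative answer carrying a handful of constructed A records, and compares their sizes to the query. The name `example.com`, the addresses and the TTL are all made-up sample values.

```python
import struct

# Added example (not from the bind-users thread): compare the size of a
# REFUSED reply with that of an authoritative answer for the same query.
# All names, addresses and TTLs below are constructed sample values.

HEADER_FMT = "!HHHHHH"   # id, flags, qdcount, ancount, nscount, arcount
QR, AA, RD = 0x8000, 0x0400, 0x0100
RCODE_MASK = 0x000F
RCODE_REFUSED = 5


def encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Build a single-question DNS query (qtype 1 = A, class 1 = IN)."""
    flags = RD if rd else 0
    header = struct.pack(HEADER_FMT, txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_refused(query):
    """REFUSED reply: same header with QR set and RCODE=5, question echoed,
    no answer/authority/additional records. Its size equals the query's."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack(HEADER_FMT, query[:12])
    flags = ((flags | QR) & ~RCODE_MASK) | RCODE_REFUSED
    return struct.pack(HEADER_FMT, txid, flags, qd, 0, 0, 0) + query[12:]


def build_answer(query, addresses, ttl=300):
    """Authoritative NOERROR reply with one A record per address; the owner
    name is a compression pointer (0xC00C) back to the question name."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack(HEADER_FMT, query[:12])
    flags = (flags | QR | AA) & ~RCODE_MASK
    header = struct.pack(HEADER_FMT, txid, flags, qd, len(addresses), 0, 0)
    rrs = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # name ptr, type A, class IN, ttl, rdlength
        rrs += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + query[12:] + rrs


def rcode(packet):
    """Extract the RCODE from a DNS packet header."""
    return struct.unpack("!H", packet[2:4])[0] & RCODE_MASK


def amplification(query, response):
    """Response bytes per query byte: the factor a spoofed sender gains."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")
    refused = build_refused(q)
    answer = build_answer(q, ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"])
    print(f"query   {len(q):3d} bytes")
    print(f"REFUSED {len(refused):3d} bytes, rcode={rcode(refused)}, "
          f"x{amplification(q, refused):.2f}")
    print(f"answer  {len(answer):3d} bytes, rcode={rcode(answer)}, "
          f"x{amplification(q, answer):.2f}")
```

For the sample query the REFUSED reply is byte-for-byte the same size as the query (amplification 1.0), whereas the four-record authoritative answer is roughly three times larger, which is why, as the reply notes, a reflector with forged source addresses gains nothing from REFUSED but does gain from valid non-recursive queries against the served zone.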