On 03/28/2013 12:06 PM, Pandu Poluan wrote: > > On Mar 28, 2013 10:38 PM, "Michael Mol" <mike...@gmail.com > <mailto:mike...@gmail.com>> wrote: >> >> On 03/28/2013 04:51 AM, Norman Rieß wrote: >> > Hello, >> > >> > i am using pdns recursor to provide a dns server which should be usable >> > for everybody.The problem is, that the server seems to be used in dns >> > amplification attacks. >> > I googled around on how to prevent this but did not really find >> > something usefull. >> > >> > Does anyone got an idea about this? >> >> I'm not sure it can be done. You can't make a resolver available to >> "everybody" without somebody in that "everybody" group abusing it, and >> that's exacly what happens in a DNS amplification attack. >> >> Restrict your resolver to be accessible only to your network or, at >> most, those of the specific group of people you're seeking to help. >> >> You *might* try restricting the resolver to only respond to TCP requests >> rather than UDP requests, but if the resolver sends response data along >> with that first SYN+ACK, then nothing is solved, and you've opened >> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver >> went offline as a result of a SYN flood, at least it wouldn't be part of >> an amplification attack any longer...) >> > > Can't we rate limit UDP DNS request? > > E.g., limit each source IP to, let's say, 1 UDP per second? > > That should be doable easily using iptables.
That makes the resolver highly unreliable for normal use. Many sites trigger resource grabs from 10-15 different domains. If all but the first request is dropped due to rate limiting, you're going to have a very, very broken experience.
signature.asc
Description: OpenPGP digital signature
