Re: DDOS attack Bind 9.9 - P2
So based on the response below, how critical is it to implement RRL via the Bind RRL patch, provided the server's resources are available? And where do I download this patch?

Rohan

On Thu, 2 May 2013 22:16:51 GMT Vernon Schryver wrote:
>> From: "Lawrence K. Chen, P.Eng."
>
>> So does rate limiting cover when the attacker walks my DNS zone to
>> attack an IP?
>
> that depends on what is meant by "rate limiting" and "walking a DNS zone".
>
> Simple rate limiting that counts all requests ostensibly from a
> single IP address regardless of (qname,qtype) differs from response
> rate limiting (RRL) which counts distinct responses.
>
> "Walking a zone" can differ from walking a zone's valid names (perhaps
> based on NSEC RRs or arithmetic as in a reverse zone).
>
> Simple rate limiting is required to mitigate zone walking for valid names
> not based on a wildcard, because the valid responses differ for RRL.
> If you read the BIND9 RRL documentation, then you will find that simple
> rate limiting is supported by the BIND9 RRL patch. However, simple
> rate limiting is best done in a separate firewall to avoid spending
> CPU cycles, memory bandwidth, and other resources of the DNS server.
>
> Responses based on a wildcard or error responses such as NXDOMAIN or
> REFUSED responses are considered identical by RRL and so are limited
> by the BIND RRL patch.
>
> On the other hand, an attack from an ambitious bad guy who has built a
> list of 1,000,000 triples of (qname,qtype,DNS server IP) and does not
> hit any single DNS server more often than 5 requests/second will not
> be detected by any of the servers and so cannot be mitigated at the
> servers even with simple rate limiting. It is in a sense fortunate
> that DNSSEC is still so rare that finding 1,000,000 DNS server IP
> addresses with large amplification requires more effort than other
> reflection mechanisms.
>
> Vernon Schryver v...@rhyolite.com
>
> P.S. Maybe there should be an FAQ somewhere, because it seems as if
> I've written something similar often enough to irritate others.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DDOS attack Bind 9.9 - P2
----- Original Message -----
>> From: "Lawrence K. Chen, P.Eng."
>
>> So does rate limiting cover when the attacker walks my DNS zone to
>> attack an IP?
>
> that depends on what is meant by "rate limiting" and "walking a DNS zone".
>
> Simple rate limiting that counts all requests ostensibly from a
> single IP address regardless of (qname,qtype) differs from response
> rate limiting (RRL) which counts distinct responses.
>
> "Walking a zone" can differ from walking a zone's valid names (perhaps
> based on NSEC RRs or arithmetic as in a reverse zone).

Well, if you had left the context of my reply in, it would be clear that I was referring to the RRL patch. And, I said in my message that I don't know the details of the walking... the person relaying the incident to me didn't specify the kind of walking, which is why I said, "I'm curious what kind of walking it was doing". Because I wondered whether all/mostly NXDOMAIN/NSEC3 responses would get limited.

I've played around with simple rate limiting before... on some caching servers... what a mess that turned out. Since it was one host that was mainly being bad, it was easier to just block it.

From what I was told of the incident... queries were coming from all over (from valid ranges), but the responses were all going to one IP. So, IT Security didn't think they could do anything about it... except to ask why do we have DNS servers that are accessible from the Internet, and can they be blocked. ;-o
Re: DDOS attack Bind 9.9 - P2
> From:
> So based on the response below how critical is it to implement
> RRL via Bind RRL patch provided the servers resources are available?

Even if I knew which server resources are at issue (I don't), I think you must decide for yourself whether to install RRL and if so, how urgently.

> And where do I download this patch?

See the links on http://www.redbarn.org/dns/ratelimits

Vernon Schryver v...@rhyolite.com
Re: DDOS attack Bind 9.9 - P2
What if both authoritative and recursive are running on the same server, since RRL does not apply to recursive servers?

Rohan

On Fri, 3 May 2013 18:19:27 GMT Vernon Schryver wrote:
>> So based on the response below how critical is it to implement
>> RRL via Bind RRL patch provided the servers resources are available?
>
> Even if I knew which server resources are at issue (I don't), I think
> you must decide for yourself whether to install RRL and if so, how
> urgently.
>
>> And where do I download this patch?
>
> See the links on http://www.redbarn.org/dns/ratelimits
>
> Vernon Schryver v...@rhyolite.com
Re: DDOS attack Bind 9.9 - P2
Found the answer to below.

According to isc-tn-2012-1.txt hybrid authority/recursive servers are out of scope.

On Fri, 03 May 2013 13:44:01 -0500 wrote:
> What if both authoritative and recursive are running on the same server since
> RRL does not apply to recursive servers?
>
> Rohan
>
> [...]
Re: DDOS attack Bind 9.9 - P2
On 05/03/2013 11:44 AM, rohan.he...@cwjamaica.com wrote:
> What if both authoritative and recursive are running on the same server

That's a simple answer, don't do that.

Doug (ever)
Re: DDOS attack Bind 9.9 - P2
> From:
>> What if both authoritative and recursive are running on the same
>> server since RRL does not apply to recursive servers?
>
> Found the answer to below.
>
> According to isc-tn-2012-1.txt hybrid authority/recursive servers
> are out of scope.

I disagree. What isc-tn-2012-1.txt says is

    Deliberately open recursive DNS servers, or hybrid authority/recursive servers or server views, are outside the scope of ***THIS DOCUMENT.*** (emphasis added)

Recursive servers should be closed instead of open to the Internet. When a single BIND instance is used for both local recursive service and global authoritative service, a good way to close the recursive service to the Internet while providing authoritative service to the Internet is with two views. The external view can disable recursion and include a rate-limit{} statement to apply RRL to responses to external DNS clients. Another way to close recursion to the Internet is to use allow-recursion{address-match-list}; and rate-limit{exempt-clients{address-match-list}}; statements in the main options statement.

If you must keep your recursive server open to the Internet, then you MUST do some sort of rate limiting. If you cannot do rate limiting that is even fancier than RRL such as Google's, then an open recursive server with RRL is far better than a naked open recursive DNS server. See https://developers.google.com/speed/public-dns/docs/security#rate_limit

The problem with RRL on recursive servers is that it works. Any rate limiting sufficiently low to minimize the danger of DNS reflection DoS attacks including RRL can affect applications such as web browsers and SMTP servers (mail receivers) that send bursts of identical DNS requests. With RRL, those effects are generally limited to pauses and slow downs as affected applications time out and retry.

Vernon Schryver v...@rhyolite.com
Re: DDOS attack Bind 9.9 - P2
Understood. I already have ACLs defined. So I can use the "rate-limit{exempt-clients{address-match-list}};" statement to exclude my client addresses from the RRL checks.

Thanks.

Rohan

On Fri, 3 May 2013 20:13:47 GMT Vernon Schryver wrote:
> Recursive servers should be closed instead of open to the Internet.
> When a single BIND instance is used for both local recursive service
> and global authoritative service, a good way to close the recursive
> service to the Internet while providing authoritative service to the
> Internet is with two views. The external view can disable recursion
> and include a rate-limit{} statement to apply RRL to responses to
> external DNS clients. Another way to close recursion to the Internet
> is to use allow-recursion{address-match-list}; and
> rate-limit{exempt-clients{address-match-list}}; statements in the main
> options statement.
>
> [...]

Rohan Henry
Server Administrator
Cable And Wireless Jamaica
Phone (876) 936-4819
Mobile (876) 997-0729
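A named.conf sketch of the two ways Vernon describes for a combined authoritative/recursive BIND (two views, or allow-recursion plus rate-limit exempt-clients, the form Rohan settles on). This is an added example, not configuration from either poster; the "trusted" ACL, the 192.0.2.0/24 and 2001:db8::/32 prefixes, the /var/named directory and example.com are placeholder assumptions.

```conf
// Added example (constructed, not from the thread). "trusted" is an assumed
// ACL for local clients allowed to recurse; prefixes/zone names are placeholders.
acl "trusted" { localhost; localnets; 192.0.2.0/24; 2001:db8::/32; };

options {
    directory "/var/named";
};

// Way 1 (two views): local clients get recursion; the Internet gets
// authoritative-only answers, with RRL applied to what it is sent.
// Once any view is defined, every zone must live inside a view.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    zone "example.com" { type master; file "example.com.zone"; };
};

view "external" {
    match-clients { any; };
    recursion no;
    rate-limit {
        responses-per-second 5;   // identical answers per second per client block
        window 5;                  // seconds over which that credit is averaged
        slip 2;                    // every 2nd dropped answer becomes a tiny TC=1 reply
        log-only no;               // yes = only log what would be dropped (try this first)
    };
    zone "example.com" { type master; file "example.com.zone"; };
};

/* Way 2 (single options block, no views): keep recursion but restrict it
   with allow-recursion, and exempt the same local clients from RRL so the
   burst-sensitive applications the thread mentions (browsers, MTAs) are
   not slowed. Use this INSTEAD of the views above, not alongside them.

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
        exempt-clients { trusted; };
    };
};
zone "example.com" { type master; file "example.com.zone"; };
*/
```

Validate with named-checkconf before reloading, and start with log-only yes so the rate-limit log category shows what would have been dropped before anything actually is. The same rate-limit syntax is built into stock BIND from 9.9.4 (configure-time --enable-rrl) and on by default from 9.10, so the separate patch is only needed for the 9.9.2-P2 builds discussed here.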
Re: RHEL, Centos, Fedora rpm 9.9.2-p2
http://www.five-ten-sg.com/mapper/bind contains links to the source rpms, and build instructions.

There are two versions.
    9.9.2-0.3.P2 is the original source code from isc.org
    9.9.2-0.4.P2 adds the rrl patches from http://www.redbarn.org/dns/ratelimits
Re: DDOS attack Bind 9.9 - P2
I was having the same problem; I did place an iptables rule.

2013/4/30 Jose Manuel Delgado G.
> I have isc.org attack."* isc.org internet *?".* It comes from my own
> clients that I have allowed in my ACL. the question is how to stop this
> attack? this causes my traffic on the interface is intense and also up my
> cpu percentage.
> that I can do to prevent it??