[RndTbl] DNS Amplification DoS

Paul Sierks psierks at sierkstech.net
Mon Sep 17 16:04:56 CDT 2012


> On 2012-09-17 15:31, Sean Walberg wrote:
>> On Mon, Sep 17, 2012 at 3:28 PM, Paul Sierks <psierks at sierkstech.net
>> <mailto:psierks at sierkstech.net>> wrote:
>>
>>     Sorry for any confusion, of which I'm sure I'm about to add to. But
>>     this particular box doesn't have an internal network, just one
>>     interface on the internet. Also I think a lot of the problem in my
>>     case is the allowed IP addresses change on a regular basis, quite 
>> often.
>
> Paul, are you saying that your "allowed" IP addresses are just out 
> there on the Internet at large, and not on an internal network? In 
> that case, I'd have to agree with Sean:

Yes, exactly.

>
>> Then I think we're back at Gille's original response -- don't do it! :)
>> There are many better public DNS servers out there, such as Google's
>> 8.8.8.8 and 8.8.4.4.
>
>> Failing that, mitigate the risk with an iptables filter to prevent your
>> host from being the source of the DDOS.
>
> That would be a good strategy, but you have to set this up carefully 
> to make sure you're not interfering with normal DNS activity.  You 
> might be able to cobble something together, e.g. using the "recent" 
> module, but setting thresholds might be tricky.
>
> Sean, do you have a working iptables example that you've used? I've 
> used the "recent" module on services like SSH, POP, and IMAP, but not 
> for DNS.
>

Ok, I will have to get a rule or two put together. If there's anyone 
that uses one already who wouldn't mind sharing, that would be great 
too. I'm also curious now how the other open resolvers on the internet 
do it safely :S
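
An added example, not posted by anyone in this thread, of the kind of "recent"-module rule set the question asks for: it keys on the source address of incoming UDP/53 queries and drops further queries from any address that exceeds a threshold inside a sliding window. The interface name (eth0), the chain and table names (DNS_LIMIT, dnsq) and the thresholds (20 queries per source in 60 seconds) are assumptions for illustration, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): per-source rate limit for UDP DNS
# queries with the iptables "recent" module, so an open resolver stops
# answering any one address that floods it.  From the resolver's side an
# amplification run looks like many queries carrying one spoofed source IP,
# so limiting replies per source address caps what reaches that address.
# Assumptions (not stated in the thread): public interface is eth0; the
# thresholds (20 hits per source per 60 s) are illustrative starting points.

IPT="${IPT:-iptables}"     # set IPT=echo to print the commands instead

# Emit the rule set, one iptables argument list per line.
#   $1 chain name, $2 hit count, $3 window in seconds
dns_ratelimit_rules() {
    chain="${1:-DNS_LIMIT}"
    hits="${2:-20}"      # xt_recent keeps 20 timestamps per address by default
    secs="${3:-60}"
    cat <<EOF
-N $chain
-A $chain -m recent --name dnsq --set
-A $chain -m recent --name dnsq --update --seconds $secs --hitcount $hits -j DROP
-A $chain -j ACCEPT
-I INPUT -i eth0 -p udp --dport 53 -j $chain
EOF
}
# Rule order matters: --set records this packet for its source, then
# --update drops the packet when that source already has $hits packets in
# the last $secs seconds (and refreshes its timestamp, so a source that keeps
# flooding stays blocked until it pauses).  Everything else reaches ACCEPT.

# Feed each rule line to iptables (or to echo for a dry run).
apply_dns_ratelimit() {
    dns_ratelimit_rules "$@" | while IFS= read -r line; do
        # word-splitting of $line is intended: each line is one argument list
        $IPT $line
    done
}

# Show the live per-source counters so the thresholds can be tuned on real
# traffic before trusting them.
show_recent_table() {
    cat /proc/net/xt_recent/dnsq 2>/dev/null || echo "dnsq table not loaded"
}

case "${1:-}" in
    --apply) apply_dns_ratelimit ;;
    --show)  show_recent_table ;;
    *)       dns_ratelimit_rules ;;   # default: just print the rules
esac
```

Run it with no arguments to see the rules, with `--apply` as root to load them, and with `--show` to read the kernel's per-address table while tuning. Two caveats match the thread's worry about interfering with normal DNS: the limit is per source address, so many legitimate clients behind one NAT gateway share a single budget, and a hit count above 20 needs the xt_recent module parameter `ip_pkt_list_tot` raised before the rule will load. The rules also make no attempt at an allow-list, since the thread says the permitted addresses change often; the `hashlimit` match is the usual alternative when a true per-source packets-per-second rate, rather than a hit count in a window, is wanted.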

