Feature request: -disable-any-meta-query-type dns amplification attacks

Josh Sanders

Hello,

I just want to share this info for blocking dns amplification attacks

http://wiki.opennicproject.org/Tier2Security
https://gist.github.com/guerrerocarlos/5171614
http://www.junkemailfilter.com/blog/2013/03/03/how-to-block-dns-amplification-attack-isc-org-any-attack/

Merry Christmas!




On Fri, Dec 18, 2015 at 3:21 PM, Josh Sanders <[hidden email]> wrote:
Thanks for your reply Bert,

I am trying the iptables rules for stopping "questions"
-m string --hex-string "|0000ff0001|" and not allowing them
to overload my small DNSs.



On Fri, Dec 18, 2015 at 3:01 PM, bert hubert <[hidden email]> wrote:
On Fri, Dec 18, 2015 at 02:50:22PM -0600, Josh Sanders wrote:
> Remote xxx.xxx.xxx.www wants 'domainD.com|ANY', do = 0, bufsize = 1680:
> packetcache MISS
>
> As you may see, 'any-to-tcp=yes' seems to be not working so far ...

Can you tcpdump? They could simply be asking the question, doesn't mean they
have to *respect* your TC=1 answer. Since that is all we can do, set TC=1.
It does not stop the questions!

We do provide a really small answer that way, which stops the amplification
from working.

        Bert





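To make the two mitigations discussed in this thread concrete, here is an added Python example (not code from the thread, from PowerDNS, or from the linked pages) that parses the question section of a raw DNS query, checks for QTYPE ANY in class IN the way the iptables `--hex-string "|0000ff0001|"` rule does, and builds the minimal TC=1 reply that `any-to-tcp=yes` sends back. The sample packets are constructed; the `hex_string_matches` helper reproduces the iptables rule's behaviour of searching the whole payload rather than decoding it, which is why the exact parse is the stricter check.

```python
import struct

# Constructed sample queries (ID 0x1234, flags RD, one question, no EDNS):
# the first asks for example.com/ANY (QTYPE 255, QCLASS 1), the second for example.com/A.
ANY_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00" b"\x00\xff\x00\x01")
A_QUERY = ANY_QUERY[:-4] + b"\x00\x01\x00\x01"

def parse_question(pkt):
    """Decode the first question: returns (qname, qtype, qclass, offset after it)."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", pkt[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:                      # root label terminates the name
            break
        if ln & 0xC0:                    # compression pointers never appear in a query name
            raise ValueError("compression pointer in question name")
        labels.append(pkt[off:off + ln].decode("ascii", "replace"))
        off += ln
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return ".".join(labels), qtype, qclass, off + 4

def is_any_query(pkt):
    """Exact check: the question is QTYPE ANY (255) in class IN (1)."""
    _, qtype, qclass, _ = parse_question(pkt)
    return qtype == 255 and qclass == 1

def hex_string_matches(pkt):
    """What `-m string --hex-string "|0000ff0001|"` does: a substring search over the
    whole payload for the root label followed by QTYPE 255 / QCLASS 1, not a parse."""
    return b"\x00\x00\xff\x00\x01" in pkt

def truncated_reply(query):
    """Minimal TC=1 response (what any-to-tcp=yes sends): same ID, QR and TC set, RD
    copied, question echoed, zero records.  It is no larger than the query itself."""
    _, _, _, end = parse_question(query)
    rd = query[2] & 0x01
    flags = 0x8000 | 0x0200 | (rd << 8)  # QR=1, TC=1, RD as asked
    return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:end]

if __name__ == "__main__":
    for name, pkt in (("ANY", ANY_QUERY), ("A", A_QUERY)):
        print(name, parse_question(pkt)[:3], is_any_query(pkt), hex_string_matches(pkt),
              "reply bytes:", len(truncated_reply(pkt)))
```

Because the TC=1 reply is the same size as the query, there is no amplification factor left for an attacker to exploit, even though, as Bert notes, the questions themselves keep arriving.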
_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users