[dnsdist] [EXT] AW: Suggestions for rules to block abusive traffic

Remi Gacogne remi.gacogne at powerdns.com
Tue Jan 9 08:37:42 UTC 2024


Hi!

On 08/01/2024 23:08, Klaus Darilion wrote:
>> This is unfortunately a common issue indeed these days. It is possible
>> to use dnsdist to detect and mitigate these attacks to a certain extent,
>> using the StatNode API along with DynBlockRulesGroup:setSuffixMatchRule
>> [1] or the FFI equivalent for better performance. It requires writing a
>> bit of Lua code and some tuning on top of dnsdist, but all the building
>> blocks are there already. We have implemented this for several customers
>> and they are happy with the results.
> 
> How does this work in detail? Does your implementation block only the queries for <random>.example.com or also "normal" queries like www.example.com or example.com MX? Or do you explicitly allow common subdomains before blocking everything else?

It really depends on the actual implementation in Lua. Currently when 
DynBlockRulesGroup:setSuffixMatchRule() is used it will insert a dynamic 
block for the suffix that is detected as being attacked, which will 
indeed apply to "normal" queries like www.example.com or example.com MX 
as well, although it's possible to allow-list specific suffixes, or to 
prevent blocking suffixes with not enough labels, for example.
We will be implementing the ability to instead route the detected suffix 
to a different pool soon, as suggested by Jacob in [1].

> Blocking all queries to the attacked domain prevents collateral damage, but causes a DoS to the attacked domain and makes the customer of the attacked domain unhappy.

I fully agree, and we are working on having smarter mitigations in 
dnsdist to only drop/truncate/route to a different pool the queries that 
are very likely to be part of a PRSD/enumeration attack.
Of course it's easier when the backend can handle the load, which is one 
of the reasons why the LMDB backend has been implemented, along with 
lightningstream :)

[1]: https://github.com/PowerDNS/pdns/issues/13374

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
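The mechanism Remi describes above, as an added example written for this page: it is not code from the thread, from PowerDNS, or from any customer deployment. It uses dnsdist's DynBlockRulesGroup:setSuffixMatchRule() with a Lua visitor over the StatNode tree, refuses to block suffixes with too few labels, and allow-lists zones through DynBlockRulesGroup:excludeDomains(). The thresholds, the label bounds, the allow-listed names and the visitor name are assumptions, as is the reading that the second visitor argument covers a node's whole subtree while the third covers only its children.

```lua
-- Added example, not from the mailing-list thread or the dnsdist project.
-- Detect a PRSD (random-subdomain) attack against a suffix and insert a
-- dynamic block for that suffix. All numbers below are assumed tuning
-- values; measure your baseline before using them.

local MIN_LABELS   = 2    -- never block the root or a TLD
local MAX_LABELS   = 3    -- only consider nodes up to <sub>.<domain>.<tld>.
local NX_THRESHOLD = 500  -- NXDOMAIN answers below the node per interval
local NX_RATIO     = 0.9  -- NXDOMAIN share of the traffic below the node
local MIN_CHILDREN = 200  -- distinct direct children (the random labels)

-- Visitor called by dnsdist for every node of the StatNode tree when
-- dbr:apply() runs. 'node' is the StatNode (fullname, labelsCount,
-- numChildren()), 'self' the StatNodeStats for the node including its
-- subtree, 'children' the StatNodeStats for the subtree only (assumed
-- semantics). Returning true inserts a dynamic block for node.fullname.
local function prsdVisitor(node, self, children)
  local labels = node.labelsCount
  if labels < MIN_LABELS or labels > MAX_LABELS then
    return false
  end
  -- Nothing queried below this node: it cannot be a PRSD target.
  if children.queries == 0 then
    return false
  end
  -- A PRSD attack shows up as many distinct child labels that nearly all
  -- resolve to NXDOMAIN, while the node itself may still answer normally.
  local nxShare = children.nxdomains / children.queries
  if children.nxdomains >= NX_THRESHOLD
     and nxShare >= NX_RATIO
     and node:numChildren() >= MIN_CHILDREN then
    return true
  end
  return false
end

local dbr = dynBlockRulesGroup()

-- setSuffixMatchRule(seconds, reason, blockingTime, action, visitor):
-- evaluate the last 10 seconds of traffic, block the suffix for 60 seconds.
-- DNSAction.Truncate makes real UDP clients retry over TCP, which a
-- spoofed-source flood cannot do; use DNSAction.Drop instead if those
-- TCP retries are themselves too expensive for the backend.
dbr:setSuffixMatchRule(10, "PRSD attack on suffix", 60, DNSAction.Truncate, prsdVisitor)

-- Allow-list: suffixes that must never be dynamically blocked, even while
-- under attack (assumed zones). The same check could also be done inside
-- the visitor on node.fullname, which dnsdist reports in canonical form
-- with a trailing dot.
dbr:excludeDomains({"example.com.", "example.net."})

-- dnsdist calls maintenance() once per second; apply() walks the tree,
-- calls the visitor for each node and inserts the resulting blocks.
function maintenance()
  dbr:apply()
end
```

The visitor runs for every node of the tree on every apply(), so keep it cheap; the setSuffixMatchRuleFFI() variant mentioned in the thread exists for deployments where the plain Lua callback is too slow. Note that, exactly as Remi says, a block inserted this way still applies to www.example.org and the example.org MX lookup once example.org. is the detected suffix; the allow-list and the label bounds limit where that can happen, they do not make the block selective within the suffix.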
