From bert.hubert at netherlabs.nl Thu Apr 3 08:17:43 2014
From: bert.hubert at netherlabs.nl (bert hubert)
Date: Thu, 3 Apr 2014 10:17:43 +0200
Subject: [Pdns-announce] Further DoS guidance, packages and patches available
Message-ID: <20140403081742.GA7512@xs.powerdns.com>

Hi everybody,

Sadly, further DoS attacks are plaguing the world of DNS, which is bad both for the targets of those DoS attacks, but also for us DNS operators that help originate them.

This post has guidance on how to make sure your PowerDNS Recursor mitigates the current attacks. If you are under attack and need help, we're there for you, and feel free to contact us on powerdns.support at powerdns.com.

* The attack

A current pattern of attacks is to register a domain with lots of 'nameservers', and then get botnets to create queries for those nameservers. Resolvers around the world then barrage these 'nameservers' with queries. And of course, these nameservers aren't nameservers, they simply are targets of a DoS attack.

By crafting things just so, this creates a powerful packet amplifier, with one botnet packet turning into many many packets to the targets of the attack.

Some further details are on http://dnsamplificationattacks.blogspot.nl/2014/02/authoritative-name-server-attack.html

* What we can do about it

Although PowerDNS already checks if a server might be down, and will limit how often it queries it, this limitation does not stand up to the random nature of these attacks.

DoS victim Paulo Anes has contributed a filter that can aggressively filter out queries to dead servers; it is described in https://github.com/PowerDNS/pdns/pull/1300

Thank you Paulo!

We've since deployed this filter in many places, and it works VERY well against the current attacks. We recommend setting server-down-max-fails=32 for most servers, and server-down-max-fails=16 if under heavy attack.

Additionally, please make sure to read http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/ for how to properly size your operating system for dealing with incoming attacks.

* How can I get this filter?

The filter is not yet part of a released PowerDNS Recursor version. However, the following PowerDNS Recursor packages/sources are of production quality, and will in any case fare better than 3.5.3:

https://autotest.powerdns.com/job/recursor-git-semistatic-pkgs-amd64/789/artifact/pdns-recursor_0.0-git-20140402-1151-cc08b5a-1_amd64.deb
https://autotest.powerdns.com/job/recursor-git-semistatic-pkgs-amd64/789/artifact/pdns-recursor-0.0.20140402_1151_cc08b5a-1.x86_64.rpm
https://autotest.powerdns.com/job/recursor-git-semistatic-pkgs-i386/789/artifact/pdns-recursor_0.0-git-20140402-1151-cc08b5a-1_i386.deb
https://autotest.powerdns.com/job/recursor-git-semistatic-pkgs-i386/789/artifact/pdns-recursor-0.0.20140402_1151_cc08b5a-1.i386.rpm
https://autotest.powerdns.com/job/recursor-git/1151/artifact/pdns/pdns-recursor-git-20140402-1151-cc08b5a.tar.bz2

https://www.monshouwer.eu/download/3rd_party/pdns-recursor/git/ has RHEL/CentOS native packages as well.

* When will PowerDNS do a release version with this filter?

Soon.

* Further questions

If you have further questions, or are currently under attack and need help, please feel free to contact powerdns.support at powerdns.com.

Kind regards,

Bert
PowerDNS

-- 
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372
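
The effect of a per-server failure limit such as server-down-max-fails can be seen in a small simulation. This is an added example, not the code from pull request 1300 and not PowerDNS source; the 60-second block duration, the query rate and the 192.0.2.53 address are assumptions made for the illustration.

```cpp
// Added illustration, not PowerDNS source: a per-server "dead server" filter.
#include <iostream>
#include <string>
#include <unordered_map>

class DownServerFilter {
    struct State { unsigned fails = 0; long blocked_until = 0; };
    std::unordered_map<std::string, State> state_;
    unsigned max_fails_;      // plays the role of server-down-max-fails
    long throttle_seconds_;   // assumed block duration, not from the post
public:
    DownServerFilter(unsigned max_fails, long throttle_seconds)
        : max_fails_(max_fails), throttle_seconds_(throttle_seconds) {}
    // May a packet be sent to this server at time `now` (in seconds)?
    bool may_query(const std::string& server, long now) const {
        auto it = state_.find(server);
        return it == state_.end() || it->second.blocked_until <= now;
    }
    // The server did not respond: count it, block once the limit is hit.
    void report_timeout(const std::string& server, long now) {
        State& s = state_[server];
        if (++s.fails >= max_fails_) {
            s.blocked_until = now + throttle_seconds_;
            s.fails = 0;  // a fresh allowance once the block expires
        }
    }
    // Any response proves the server is alive: forget its failures.
    void report_answer(const std::string& server) { state_.erase(server); }
};

// Packets a resolver sends to one unresponsive address when `qps` cache-missing
// client queries per second point at it for `seconds`. nullptr = no filter.
// Simplification: every timeout is reported before the next query is handled.
long packets_to_dead_server(DownServerFilter* filter, int qps, int seconds) {
    const std::string target = "192.0.2.53";  // constructed (TEST-NET-1)
    long sent = 0;
    for (long now = 0; now < seconds; ++now)
        for (int q = 0; q < qps; ++q) {
            if (filter && !filter->may_query(target, now)) continue;
            ++sent;
            if (filter) filter->report_timeout(target, now);
        }
    return sent;
}

int main() {
    DownServerFilter normal(32, 60), heavy(16, 60);
    std::cout << "no filter:    " << packets_to_dead_server(nullptr, 100, 120) << "\n"
              << "max-fails=32: " << packets_to_dead_server(&normal, 100, 120) << "\n"
              << "max-fails=16: " << packets_to_dead_server(&heavy, 100, 120) << "\n";
}
```

Because the count is kept per server address and not per query name, the random names used in these attacks do not reset it; only an actual response from the server does.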