[dnsdist] [EXT] AW: Suggestions for rules to block abusive traffic
Remi Gacogne
remi.gacogne at powerdns.com
Tue Jan 9 08:37:42 UTC 2024
Hi!
On 08/01/2024 23:08, Klaus Darilion wrote:
>> This is unfortunately a common issue indeed these days. It is possible
>> to use dnsdist to detect and mitigate these attacks to a certain extent,
>> using the StatNode API along with DynBlockRulesGroup:setSuffixMatchRule
>> [1] or the FFI equivalent for better performance. It requires writing a
>> bit of Lua code and some tuning on top of dnsdist, but all the building
>> blocks are there already. We have implemented this for several customers
>> and they are happy with the results.
>
> How does this work in detail? Does your implementation block only the queries for <random>.example.com or also "normal" queries like www.example.com or example.com MX? Or do you explicitly allow common subdomains before blocking everything else?
It really depends on the actual implementation in Lua. Currently when
DynBlockRulesGroup:setSuffixMatchRule() is used it will insert a dynamic
block for the suffix that is detected as being attacked, which will
indeed apply to "normal" queries like www.example.com or example.com MX
as well, although it's possible to allow-list specific suffixes, or to
prevent blocking suffixes with not enough labels, for example.
We will be implementing the ability to instead route the detected suffix
to a different pool soon, as suggested by Jacob in [1].
> Blocking all queries to the attacked domain prevents collateral damage, but causes a DoS to the attacked domain and makes the customer of the attacked domain unhappy.
I fully agree, and we are working on having smarter mitigations in
dnsdist to only drop/truncate/route to a different pool queries that
are very likely to be part of a PRSD/enumeration attack.
Of course it's easier when the backend can handle the load, which is one
of the reasons why the LMDB backend has been implemented, along with
lightningstream :)
[1]: https://github.com/PowerDNS/pdns/issues/13374
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
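The building blocks Remi refers to above (the StatNode visitor behind DynBlockRulesGroup:setSuffixMatchRule(), an allow-list via excludeDomains(), and a label-count floor so a whole TLD is never blocked) fit together as follows. This is an added example written for this page, not code from the post, from PowerDNS or from the implementation Remi describes; the backend/listener addresses, the allow-listed names and every numeric threshold are constructed placeholders and would need tuning per deployment.

```lua
-- Added example (not from the post or from PowerDNS): a dnsdist Lua configuration
-- that uses DynBlockRulesGroup:setSuffixMatchRule() with a StatNode visitor to
-- detect a random-subdomain (PRSD) flood and block only the attacked suffix,
-- while (a) allow-listing known suffixes and (b) refusing to block suffixes
-- with too few labels. All addresses, names and thresholds are assumed values.

-- Backend and listener (placeholder addresses).
newServer({address = "192.0.2.10:53", pool = "default"})
setLocal("0.0.0.0:53")

local dbr = dynBlockRulesGroup()

-- (a) Allow-list: these suffixes never get a dynamic block from the suffix
-- rule, even if the visitor below would flag them. Placeholder names.
dbr:excludeDomains({"important-customer.example.", "internal.example."})

-- Assumed thresholds (constructed for this example; tune per zone/traffic).
local MIN_LABELS        = 2     -- "com." has 1 label: never block a TLD or the root
local MIN_CHILD_QUERIES = 500   -- queries seen *below* the suffix in the window
local NXDOMAIN_RATIO    = 0.9   -- fraction of those answered NXDOMAIN
local WINDOW_SECONDS    = 20    -- how far back in the rings to look
local BLOCK_SECONDS     = 60    -- how long an inserted block lasts

-- Visitor: called for every node of the StatNode tree built from the last
-- WINDOW_SECONDS of the rings. `self` holds the stats for the exact name,
-- `children` the sum over every name below it. A PRSD attack looks like many
-- unique names under one suffix that the backend answers with NXDOMAIN, so
-- the interesting signal is in `children`, not in `self`.
local function prsdVisitor(node, self, children)
  -- (b) Too few labels: blocking here would cover a whole TLD.
  if node.labelsCount < MIN_LABELS then
    return false
  end
  -- Not enough traffic under this suffix to say anything.
  if children.queries < MIN_CHILD_QUERIES then
    return false
  end
  local ratio = children.nxdomains / children.queries
  if ratio >= NXDOMAIN_RATIO then
    -- Returning true inserts a dynamic block for node.fullname (the suffix).
    -- The optional second return value overrides the rule's reason string
    -- and is what showDynBlocks() displays.
    return true, "PRSD suspected: " .. children.nxdomains .. "/" ..
                 children.queries .. " NXDOMAIN under " .. node.fullname
  end
  return false
end

-- Truncate rather than Drop: legitimate resolvers retry over TCP, while a
-- spoofed UDP flood generally will not, which limits collateral damage to
-- the "normal" queries for www.example.com / example.com MX that the suffix
-- block would otherwise also catch.
dbr:setSuffixMatchRule(WINDOW_SECONDS, "PRSD suffix", BLOCK_SECONDS,
                       DNSAction.Truncate, prsdVisitor)

-- dnsdist calls maintenance() about once per second; apply() walks the
-- StatNode tree and inserts/refreshes the dynamic blocks.
function maintenance()
  dbr:apply()
end
```

Two practical notes on this shape. The NXDOMAIN ratio only works while the backend is still answering; if the authoritative server is already overwhelmed, the same visitor should also look at `children.servfails` and `children.drops`, otherwise the ratio collapses and the rule stops firing exactly when it is needed. And because the block is keyed on the suffix, not on the client, it is the mitigation Klaus describes as causing a DoS to the attacked domain; Truncate and the excludeDomains() allow-list soften that, but the per-pool routing discussed in the linked issue is what removes it.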