[Pdns-users] DDos Reflector

Leen Besselink leen at wirehub.nl
Mon Jan 19 21:01:12 UTC 2009


Christof Meerwald wrote:
> Hi,
> 
> since about Friday late evening I am seeing lots of pdns errors in my syslog
> like:
> 
>   Not authoritative for '', sending servfail to 76.9.31.42 (recursion was
>   desired)
> 
> Over in comp.protocols.dns.bind there is already some discussion about these
> DNS requests (which apparently use a spoofed source IP address).
> 
> Is there anything a DNS server/PowerDNS can do to avoid being used as a DDoS
> reflector, like rate-limiting SERVFAILs per IP address? What's the general
> opinion?
> 

The idea of the DOS-attack is to try and get the authoritive or public 
recursive nameserver to send a larger amount of packets or size then the 
original request. PowerDNS (atleast the installations I checked) doesn't
do that, it just sends a ServFail of the pretty much the same size.

Other then dropping the packet with a firewall-rule as I have (that 
IP-address specifically, I actually will remove it after it has stopped 
!) I don't think there is a lot you could do. Maybe someone could 
implement some kind of rules in PowerDNS to, again not answer this
query specifically. But well, that would just be wrong and make it
easier to make a DNS cache poisoning attack at some recursor more effective.

Only other thing I can think about is, that maybe a rate limiter
could be kinda useful.

As I've mentioned in other fora, people should just filter their
egress traffic from spoofed addresses, that would get rid of the
whole problem.

> 
> Christof
> 



More information about the Pdns-users mailing list