[Pdns-users] Handling packet flood from one client.

Leen Besselink leen at wirehub.nl
Wed Jan 28 20:09:46 UTC 2009


On Wed, Jan 28, 2009 at 11:07:53AM -0800, Augie Schwer wrote:
> We discussed this on #powerdns a bit as it came up on the
> dns-operations list; the conclusion was that dropping the request was
> worse because it opened up spoofing attacks.  Thanks for the
> suggestion though.  --Augie
> 

Yes, that is the other problem. It's also a reason why I only drop
queries from those few IPs at work.

There is obviously another problem with that which Paul Vixie already
mentioned on the NANOG mailing list, which is if the targeted IPs are
actually resolvers, they wouldn't be able to query our nameservers.

Although it's not really all that bad; first of all, the connection of
that IP address is probably flooded, because of all the answers going
to that IP address.

If that didn't happen and it really was a recursor, I think it would
be really easy to move the outgoing address to another IP address.

Because the people running that recursor very well know there are
people helping them, by blocking those questions.

All in all I think blocking just a few addresses isn't all that bad.

Better is nagging your transit provider about it, because the source
network should do proper filtering.

That's something I started doing today, because it has been going on
for weeks now (it started in December somewhere). Someone should
have noticed that traffic leaving some of these networks and fixed
it.

If not, they should at least be notified.

Well that was my reasoning. :-)
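
The approach described in this message, dropping queries only from the few source addresses that are actually flooding rather than rate-limiting everyone, as an added example that is not part of the original post or of PowerDNS: it scans query-log lines, finds sources whose query count within a sliding window crosses a threshold, and emits the iptables rules for a human to review. The log line format, the sample addresses (RFC 5737 documentation ranges), the threshold and window values are all assumptions made for this illustration. The caveat from the thread still applies: if the source addresses are spoofed, the "client" you block is the victim, so look at the rules before applying them.

```python
"""Pick out the few source addresses behind a DNS query flood and
generate drop rules for them.  Added example, not PowerDNS code.

Assumed log format (one query per line):
    "<ISO-8601 time> <client-ip> <qname> <qtype>"
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: 192.0.2.10 sends 60 ANY queries in six seconds,
# two other clients make a handful of ordinary queries in between.
SAMPLE_LOG = [
    f"2009-01-28T20:09:{40 + i // 10:02d} 192.0.2.10 example.com ANY"
    for i in range(60)
] + [
    "2009-01-28T20:09:41 198.51.100.7 www.example.net A",
    "2009-01-28T20:09:43 203.0.113.5 mail.example.org MX",
    "2009-01-28T20:09:44 198.51.100.7 example.net AAAA",
    "this line is garbage and must not crash the scan",
]


def parse_line(line):
    """Split one log line into (timestamp, client_ip, qname, qtype).
    Raises ValueError for lines that do not match the assumed format."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"unexpected field count: {line!r}")
    ts = datetime.fromisoformat(fields[0])
    return ts, fields[1], fields[2], fields[3]


def flood_sources(lines, threshold=50, window_seconds=10):
    """Return {client_ip: peak_count} for every source that sent at least
    `threshold` queries inside some window of `window_seconds` seconds."""
    events = []
    for line in lines:
        try:
            events.append(parse_line(line))
        except ValueError:
            continue  # skip malformed lines instead of dying mid-flood
    events.sort(key=lambda e: e[0])  # do not rely on the log being ordered

    recent = defaultdict(deque)  # per-IP timestamps inside the window
    peak = defaultdict(int)      # highest count seen per IP
    for ts, ip, _qname, _qtype in events:
        q = recent[ip]
        q.append(ts)
        # drop timestamps that fell out of the trailing window
        while (ts - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def drop_rules(flooders, port=53):
    """Render iptables commands for the flagged sources.  They are
    returned as strings, not executed: a spoofed source would mean
    blocking the victim, so an operator should review them first."""
    return [
        f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"
        for ip in sorted(flooders)
    ]


if __name__ == "__main__":
    found = flood_sources(SAMPLE_LOG)
    for ip, n in found.items():
        print(f"{ip}: {n} queries within 10 s")
    for rule in drop_rules(found):
        print(rule)
```

Run against a real query log by feeding file lines into `flood_sources` after adjusting `parse_line` to the server's actual log format; the thresholds shown are illustrative and should be set from what a legitimate busy recursor normally sends you.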

