[Pdns-users] TCP amplification attack notes

Mike mike+lists at yourtownonline.com
Sun Aug 18 03:14:22 UTC 2019


Hello,

    Over in the NANOG group there is a current discussion concerning an
ongoing, low-volume TCP amplification attack using spoofed addresses
from NL netblocks.

    I wanted to point out that I observed the same thing occurring
against my PowerDNS resolvers - I would get a low rate of TCP SYNs in
to port 53, the resolver would attempt to SYN-ACK these several times
without success, and then a new SYN would come in, starting the process
over again, so there is a small gain in amplification here but not like
SSDP or memcached for example.

    The only point I wanted to make was that, I see now, despite having
set the allowed-networks (allow-from-file=) with only my client ip
ranges listed, this is not actually a packet filter and the connection
stage of tcp is going to still progress before PowerDNS recursor does an
accept() and then applies the ACL and refuses any query. I think other
people may also make this same mistake believing the allow-from
parameter acts like a packet filter when in fact it does not.

    As much as I loved allow-from-file=, I reworked my firewall per
recursor host to read that file and implement an ipset which does in
fact drop everything not originating from my client addresses. I think I
would only suggest perhaps a documentation change to point out that
allow-from / allow-from-file is not a packet filter and that tcp
connections will still be accept()'d before being dropped or query
refused, with a strong suggestion of a packet level firewall for the
more security minded.

    Kick ass software just the same, thank you so much.


Mike-
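The firewall-side approach the post describes (read the recursor's allow-from-file, build an ipset of client networks, drop everything else to port 53 before the kernel ever sends a SYN-ACK) as an added example. This is not the poster's script and not PowerDNS project code. It assumes the allow-from-file format of one subnet per line with `#` comments, that ipset/iptables/ip6tables are installed, a hypothetical ipset name `pdns_clients`, and a hypothetical file path `/etc/powerdns/allow-from`; the sample allow-from file embedded below is constructed for illustration. Rules are printed as a dry run unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not PowerDNS code): mirror a recursor allow-from-file into
# an ipset and DROP port-53 traffic from everyone else at the packet level,
# so spoofed SYNs never reach accept() and never get SYN-ACKed.
SET_NAME=${SET_NAME:-pdns_clients}                 # hypothetical ipset name
ALLOW_FILE=${ALLOW_FILE:-/etc/powerdns/allow-from} # hypothetical path

# Constructed sample in allow-from-file format (one subnet per line, '#' comments).
write_sample_allow_file() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
# constructed sample, not a real deployment
192.0.2.0/24       # office
198.51.100.0/24
203.0.113.7        # single host: gets /32 below
2001:db8::/32
EOF
  printf '%s\n' "$f"
}

# Print one normalised CIDR per line: strip comments and whitespace, skip
# blanks, add /32 or /128 to bare addresses. Assumption: a leading '!' means a
# negated entry; an ipset cannot express that, so it is reported and skipped.
parse_allow_file() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
  while IFS= read -r net; do
    [ -z "$net" ] && continue
    case $net in
      !*)  printf 'skipping negated entry: %s\n' "$net" >&2; continue ;;
      */*) ;;
      *:*) net="$net/128" ;;
      *)   net="$net/32" ;;
    esac
    printf '%s\n' "$net"
  done
}

# Emit the ipset/iptables commands. Entries are loaded into a temporary set and
# swapped in atomically so a reload never leaves a window with an empty set.
gen_rules() {
  v4=$SET_NAME
  v6=${SET_NAME}6
  for fam in inet inet6; do
    set=$v4; [ "$fam" = inet6 ] && set=$v6
    echo "ipset -exist create $set hash:net family $fam"
    echo "ipset -exist create ${set}_tmp hash:net family $fam"
    echo "ipset flush ${set}_tmp"
  done
  parse_allow_file "$1" | while IFS= read -r net; do
    case $net in
      *:*) echo "ipset add ${v6}_tmp $net" ;;
      *)   echo "ipset add ${v4}_tmp $net" ;;
    esac
  done
  for set in $v4 $v6; do
    echo "ipset swap ${set}_tmp $set"
    echo "ipset destroy ${set}_tmp"
  done
  # Insert the DROP rule at the top of INPUT once (-C checks for an existing copy).
  for rule in "-p tcp --dport 53" "-p udp --dport 53"; do
    echo "iptables -C INPUT $rule -m set ! --match-set $v4 src -j DROP 2>/dev/null || iptables -I INPUT $rule -m set ! --match-set $v4 src -j DROP"
    echo "ip6tables -C INPUT $rule -m set ! --match-set $v6 src -j DROP 2>/dev/null || ip6tables -I INPUT $rule -m set ! --match-set $v6 src -j DROP"
  done
}

main() {
  f=$ALLOW_FILE
  if [ ! -r "$f" ]; then
    echo "no $f, using constructed sample" >&2
    f=$(write_sample_allow_file)
  fi
  if [ "${APPLY:-0}" = 1 ]; then
    gen_rules "$f" | sh -e
  else
    gen_rules "$f"
  fi
}
main
```

Run it as root with `APPLY=1` (and again from cron or a systemd timer whenever the allow-from file changes) to keep the ipset in step with the recursor ACL; without `APPLY=1` it just prints the commands it would execute. The resolver's own outbound queries are unaffected, because their replies arrive on ephemeral ports rather than destination port 53.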
