[Pdns-users] TCP amplification attack notes

Brian Candler b.candler at pobox.com
Sun Aug 18 09:59:41 UTC 2019

On 18/08/2019 04:14, Mike wrote:
>      I wanted to point out that I observed the same thing occurring
> against my PowerDNS resolvers - I would get a low rate of TCP SYNs in
> to port 53, the resolver would attempt to SYN-ACK these several times
> without success, and then a new SYN would come in, starting the process
> over again, so there is a small gain in amplification here but not like
> ssdp or memcached for example.

Thank you, that's very useful information.

How low is "low rate" - that is, typically how many sockets are in 
SYN_RECV state?

I am wondering if there would be any benefit trying to enable SYN 
cookies with a low threshold (esp. on authoritative servers where you 
can't block by source IP).
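The two questions in this message (how many sockets sit in SYN_RECV, and what a "low threshold" for SYN cookies would mean) can be answered on a Linux host with a short script. The following is an added example, not code from this thread or from the PowerDNS project; it assumes Linux with iproute2 `ss` and the standard kernel sysctls `net.ipv4.tcp_syncookies`, `net.ipv4.tcp_max_syn_backlog` and `net.ipv4.tcp_synack_retries`. The sample `ss` output is constructed for the offline check.

```shell
#!/bin/sh
# Added example: measure SYN_RECV pressure on port 53 and show the sysctls
# that decide when SYN cookies kick in. Not part of the original thread.

# Count sockets in SYN-RECV state whose local port is 53.
# Reads `ss -tan` output on stdin (column layout: State Recv-Q Send-Q
# Local:Port Peer:Port), so it can be checked against captured text.
count_syn_recv_53() {
    awk '$1 == "SYN-RECV" && $4 ~ /:53$/ { n++ } END { print n + 0 }'
}

# Percentage of the SYN backlog currently occupied by half-open sockets.
# $1 = SYN-RECV count, $2 = net.ipv4.tcp_max_syn_backlog
backlog_pressure() {
    echo $(( $1 * 100 / $2 ))
}

# Constructed sample of `ss -tan` output: three half-open sockets on :53
# (two IPv4, one IPv6), one on :22, plus a listener and an established flow.
SAMPLE='State    Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN   0      128    0.0.0.0:53         0.0.0.0:*
SYN-RECV 0      0      192.0.2.10:53      198.51.100.7:40231
SYN-RECV 0      0      192.0.2.10:53      198.51.100.8:51002
SYN-RECV 0      0      192.0.2.10:22      203.0.113.5:60011
ESTAB    0      0      192.0.2.10:53      203.0.113.9:33412
SYN-RECV 0      0      [2001:db8::1]:53   [2001:db8:ffff::2]:4444'

# Live mode: query the running kernel instead of the sample.
# tcp_syncookies=1 sends cookies only once the SYN backlog is full, so a
# "low threshold" means a small tcp_max_syn_backlog (and a small listen()
# backlog on the DNS server itself, whichever is lower wins).
# tcp_synack_retries bounds how many times the kernel re-sends the SYN-ACK
# to a spoofed source, which is the small amplification Mike observed.
if [ "${1:-}" = "--live" ]; then
    count=$(ss -tan | count_syn_recv_53)
    backlog=$(sysctl -n net.ipv4.tcp_max_syn_backlog)
    echo "SYN-RECV on :53   : $count"
    echo "tcp_max_syn_backlog: $backlog ($(backlog_pressure "$count" "$backlog")% used)"
    echo "tcp_syncookies     : $(sysctl -n net.ipv4.tcp_syncookies)"
    echo "tcp_synack_retries : $(sysctl -n net.ipv4.tcp_synack_retries)"
    # To lower the threshold (run as root, then persist in /etc/sysctl.d/):
    #   sysctl -w net.ipv4.tcp_syncookies=1
    #   sysctl -w net.ipv4.tcp_max_syn_backlog=256
    #   sysctl -w net.ipv4.tcp_synack_retries=2
fi
```

Run it with `--live` on the resolver to see the current SYN_RECV count against the backlog size; without arguments it only defines the functions, which the sample text above exercises. Lowering `tcp_synack_retries` is the setting that directly shrinks the retransmitted SYN-ACK volume described in the quoted observation, independent of whether cookies are ever triggered.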

