[RndTbl] DNS Amplification DoS
Gilbert E. Detillieux
gedetil at cs.umanitoba.ca
Mon Sep 17 15:55:38 CDT 2012
On 2012-09-17 15:31, Sean Walberg wrote:
> On Mon, Sep 17, 2012 at 3:28 PM, Paul Sierks <psierks at sierkstech.net
> <mailto:psierks at sierkstech.net>> wrote:
>
> Sorry for any confusion, of which I'm sure I'm about to add to. But
> this particular box doesn't have an internal network, just one
> interface on the internet. Also I think a lot of the problem in my
> case is the allowed IP addresses change on a regular basis, quite often.
Paul, are you saying that your "allowed" IP addresses are just out there
on the Internet at large, and not on an internal network? In that case,
I'd have to agree with Sean:
> Then I think we're back at Gille's original response -- don't do it! :)
> There are many better public DNS servers out there, such as Google's
> 8.8.8.8 and 8.8.4.4.
> Failing that, mitigate the risk with an iptables filter to prevent your
> host from being the source of the DDOS.
That would be a good strategy, but you have to set this up carefully to
make sure you're not interfering with normal DNS activity. You might be
able to cobble something together, e.g. using the "recent" module, but
setting thresholds might be tricky.
Sean, do you have a working iptables example that you've used? I've
used the "recent" module on services like SSH, POP, and IMAP, but not
for DNS.
--
Gilbert E. Detillieux E-mail: <gedetil at muug.mb.ca>
Manitoba UNIX User Group Web: http://www.muug.mb.ca/
PO Box 130 St-Boniface Phone: (204)474-8161
Winnipeg MB CANADA R2H 3B4 Fax: (204)474-7609
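The iptables approach discussed above, as an added example that is not from this thread or from any of its posters: a per-source rate limit on inbound UDP/53 queries built on the "recent" module. The chain name DNS_LIMIT, the list name dnsq, the threshold of 20 queries per source in a 10-second window, and the IPT variable (set IPT=echo for a dry run) are all assumptions made for this example, not values from the discussion.

```shell
#!/bin/sh
# Added example (not from the thread): throttle UDP DNS queries per source
# address with the iptables "recent" module, so a host running a public
# resolver reflects far fewer packets toward a spoofed victim address.
# Assumed values: chain DNS_LIMIT, recent list dnsq, 20 hits per 10 seconds.
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
DNS_CHAIN="DNS_LIMIT"
LIST_NAME="dnsq"
WINDOW_SECONDS=10
HITCOUNT=20   # xt_recent caps this at ip_pkt_list_tot (default 20)

# Emit the rule set, one iptables argument vector per line.
# Only UDP is limited: TCP/53 needs a handshake, so it cannot be spoofed
# for reflection, and legitimate fallback over TCP keeps working.
dns_rules() {
    cat <<EOF
-N $DNS_CHAIN
-A INPUT -p udp --dport 53 -j $DNS_CHAIN
-A $DNS_CHAIN -m recent --name $LIST_NAME --set
-A $DNS_CHAIN -m recent --name $LIST_NAME --update --seconds $WINDOW_SECONDS --hitcount $HITCOUNT -m limit --limit 5/min -j LOG --log-prefix DNS-RATE:
-A $DNS_CHAIN -m recent --name $LIST_NAME --update --seconds $WINDOW_SECONDS --hitcount $HITCOUNT -j DROP
-A $DNS_CHAIN -j ACCEPT
EOF
}

# Load each rule line via $IPT. Word splitting of $line is intentional:
# each line is exactly the argument vector for one iptables call.
apply_rules() {
    dns_rules | while IFS= read -r line; do
        # shellcheck disable=SC2086
        $IPT $line
    done
}

# Only touch the live firewall when explicitly asked: ./dns-limit.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

The ordering matters: the `--set` rule records every query source and always falls through, the `--update ... --hitcount` rules only match once a source has sent HITCOUNT queries inside the window, and everything else is accepted. The LOG rule (itself limited with `-m limit` so a flood does not fill the log) gives a detection signal before anything is dropped. Two caveats a practitioner should weigh before tuning the threshold, which is the "tricky" part raised above: a busy legitimate recursive resolver can easily exceed 20 queries in 10 seconds, and since amplification traffic carries the victim's spoofed address, the throttle lands on that address, which is the intended effect but also blocks the victim's own legitimate lookups for the window. Also note xt_recent's list only tracks ip_list_tot addresses (default 100), which is small for a public resolver; both module parameters can be raised when the module is loaded.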