[RndTbl] DNS Amplification DoS

Gilbert E. Detillieux gedetil at cs.umanitoba.ca
Mon Sep 17 15:55:38 CDT 2012


On 2012-09-17 15:31, Sean Walberg wrote:
> On Mon, Sep 17, 2012 at 3:28 PM, Paul Sierks <psierks at sierkstech.net
> <mailto:psierks at sierkstech.net>> wrote:
>
>     Sorry for any confusion, of which I'm sure I'm about to add to. But
>     this particular box doesn't have an internal network, just one
>     interface on the internet. Also I think a lot of the problem in my
>     case is the allowed IP addresses change on a regular basis, quite often.

Paul, are you saying that your "allowed" IP addresses are just out there 
on the Internet at large, and not on an internal network?  In that case, 
I'd have to agree with Sean:

> Then I think we're back at Gille's original response -- don't do it! :)
> There are many better public DNS servers out there, such as Google's
> 8.8.8.8 and 8.8.4.4.

> Failing that, mitigate the risk with an iptables filter to prevent your
> host from being the source of the DDOS.

That would be a good strategy, but you have to set this up carefully to 
make sure you're not interfering with normal DNS activity.  You might be 
able to cobble something together, e.g. using the "recent" module, but 
setting thresholds might be tricky.

Sean, do you have a working iptables example that you've used?  I've 
used the "recent" module on services like SSH, POP, and IMAP, but not 
for DNS.

-- 
Gilbert E. Detillieux		E-mail: <gedetil at muug.mb.ca>
Manitoba UNIX User Group	Web:	http://www.muug.mb.ca/
PO Box 130 St-Boniface		Phone:  (204)474-8161
Winnipeg MB CANADA  R2H 3B4	Fax:    (204)474-7609
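An added example of the iptables "recent" approach the message asks about, written for this archive and not taken from the thread or any poster: it emits (and optionally loads) rules that track inbound UDP/53 query sources and drop a source that exceeds a per-window threshold, with a throttled LOG target so the dropping itself is visible. The list name "dnsq", the 10-second window and the 20-query hitcount are placeholder values to tune against real query rates, since, as Gilbert notes, thresholds are the tricky part. Two caveats worth knowing before deploying it: xt_recent only remembers ip_pkt_list_tot packets per address (20 by default), so a hitcount above that never matches unless the module is loaded with a larger value, which is why the validation function refuses it; and because the match keys on source address, a spoofed victim address is what gets limited, which caps the amplified volume toward that victim but also means a legitimate client can be pushed over the threshold by traffic that merely claims its address. Only UDP is limited, as TCP queries require a completed handshake and cannot be spoofed for amplification.

```shell
#!/bin/sh
# Added example, not code from the thread: per-source rate limiting of
# inbound DNS queries with the iptables "recent" module, so an open resolver
# cannot be driven at full speed toward one spoofed source address.
# Assumed placeholders, tune for your traffic: list name "dnsq",
# a 10-second window and 20 queries per source per window.

# xt_recent keeps ip_pkt_list_tot timestamps per address (default 20), so a
# --hitcount above 20 silently never matches with the default module
# parameters. Refuse windows and thresholds the default module cannot honour.
dns_ratelimit_validate() {
    seconds=$1; hits=$2
    [ "$seconds" -ge 1 ] 2>/dev/null || return 1
    [ "$hits" -ge 1 ] 2>/dev/null || return 1
    [ "$hits" -le 20 ] || return 1
    return 0
}

# Emit rules in iptables-restore syntax. Only UDP/53 is limited: TCP queries
# need a completed handshake, so they cannot be spoofed for amplification.
# Usage: dns_ratelimit_rules NAME SECONDS HITCOUNT
dns_ratelimit_rules() {
    name=$1; seconds=$2; hits=$3
    dns_ratelimit_validate "$seconds" "$hits" || return 1
    cat <<EOF
*filter
:DNS_RL - [0:0]
:DNS_RL_DROP - [0:0]
-A INPUT -p udp --dport 53 -j DNS_RL
# record every query source, then divert sources over the threshold
-A DNS_RL -m recent --name $name --set
-A DNS_RL -m recent --name $name --update --seconds $seconds --hitcount $hits -j DNS_RL_DROP
-A DNS_RL -j RETURN
# log sparingly so the log itself does not become the next resource drain
-A DNS_RL_DROP -m limit --limit 5/min -j LOG --log-prefix "DNS-RL drop: " --log-level 4
-A DNS_RL_DROP -j DROP
COMMIT
EOF
}

# Append the rules to the live ruleset without flushing existing chains
# (needs root and the xt_recent module available).
dns_ratelimit_apply() {
    dns_ratelimit_rules "$@" | iptables-restore --noflush
}

# Stand-alone: print the rules; pass "apply" as the first argument to load them.
if [ "${1:-print}" = apply ]; then
    dns_ratelimit_apply dnsq 10 20
else
    dns_ratelimit_rules dnsq 10 20
fi
```

Run it with no arguments to review the generated rules, and with "apply" to load them; after loading, /proc/net/xt_recent/dnsq lists the tracked sources and their hit timestamps, which is the quickest way to see whether the chosen window and hitcount are catching floods without touching ordinary clients. If a higher hitcount is needed, load the module with a larger list first (modprobe xt_recent ip_pkt_list_tot=N) and raise the limit in the validation function to match.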

