Package: bind9
Severity: important

With the growing deployment of DNSSEC and more information being put into the domain name system, DNS servers have become and are becoming a useful tool for denial of service attacks by providing amplification: a single UDP packet of only a few bytes causes a response many times the size of the query.

An adversary can use this effect to either cause a huge amount of traffic to flow towards their target site (by faking the source address of requests), or to cause a nameserver to effectively DoS itself by filling up its outbound pipe with only a couple thousand requests per second, costing very little in bandwidth for the adversary.

Vernon Schryver, Paul Vixie, et al. have been working on bringing (response) rate limiting to nameservers. Such a feature enables the admin of an authoritative nameserver to limit responses in the face of their server being abused. The particular patchset for bind, linked from [1], is able to enforce limits per requested name/type/source address tuple, and can fall back to sending clients a tiny retry-using-TCP packet. The intent is to make the server useless as an amplifier while not breaking resolving for anyone.

Debian admin has deployed the patch at [2] to the bind running the debian.org nameservers - else debian.org's nameservers would not have any resources left to answer legitimate queries.

We think it important that the bind version Debian ships actually be usable by the internet community in general, and ourselves in particular. Therefore we ask you (and the release folks) to consider shipping wheezy's bind with the rate limiting patches applied.

Thanks for your consideration,
weasel

1. http://www.redbarn.org/dns/ratelimits
2. http://ss.vix.su/~vjs/rpz2+rl-9.8.4-P1.patch

-- 
                           |  .''`.  ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
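The per-tuple limiting with a truncated-reply fallback that the report describes, modelled as an added illustration (this is not code from the BIND patch; the /24 grouping, the 5 responses/second budget, the slip ratio of 2 and the fixed one-second window are assumed simplifications of the real sliding-window credit scheme):

```python
"""Model of DNS response rate limiting (RRL): responses are counted per
(requested name, query type, client network) tuple; once a tuple exceeds its
per-second budget, responses are dropped except that every N-th excess one is
"slipped": a tiny truncated (TC=1) reply that makes a genuine resolver retry
over TCP, which a spoofed source address never does. Assumed parameters."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress


@dataclass
class RateLimiter:
    responses_per_second: int = 5   # assumed budget per tuple per second
    slip: int = 2                   # every 2nd excess response becomes a TC reply
    ipv4_prefix: int = 24           # clients are grouped per /24 (assumed)
    _counts: dict = field(default_factory=lambda: defaultdict(int))
    _excess: dict = field(default_factory=lambda: defaultdict(int))

    def _key(self, qname, qtype, source, second):
        # Group spoofed sources by network so the whole flood shares one bucket.
        net = ipaddress.ip_network(f"{source}/{self.ipv4_prefix}", strict=False)
        return (qname.lower().rstrip("."), qtype.upper(), str(net), second)

    def decide(self, qname, qtype, source, now):
        """Return 'answer', 'slip' (truncated TC reply) or 'drop'."""
        key = self._key(qname, qtype, source, int(now))  # fixed 1 s window
        self._counts[key] += 1
        if self._counts[key] <= self.responses_per_second:
            return "answer"
        self._excess[key] += 1
        if self.slip and self._excess[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(limiter, queries):
    """queries: iterable of (time, qname, qtype, source); returns a tally per verdict."""
    tally = defaultdict(int)
    for t, name, qtype, src in queries:
        tally[limiter.decide(name, qtype, src, t)] += 1
    return dict(tally)


# Constructed sample traffic: a spoofed ANY flood from addresses in one /24
# within a single second, plus one legitimate A query from elsewhere.
FLOOD = [(0.001 * i, "debian.org", "ANY", f"203.0.113.{i % 256}") for i in range(1000)]
LEGIT = [(0.5, "www.debian.org", "A", "198.51.100.7")]

if __name__ == "__main__":
    print(simulate(RateLimiter(), FLOOD + LEGIT))
```

The flood tuple gets its 5 full answers, then roughly half of the remaining 995 become slipped TC replies and the rest are dropped, while the unrelated legitimate query is still answered in full.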