Hi,

On 19.03.2014 20:43, Florian Weimer wrote:
> * Benny Baumann:
>
>> The attached patch ports the original patch by Lutz Donnerhacke to
>> apply on the latest package version from Git.
>>
>> Please include in Debian and convince upstream to follow if
>> possible. TIA.
> I don't think it's a good idea to have this as a local patch.

Having this patch locally in Debian is still better than not having it at all. That's why I in particular also asked to convince upstream to include this patch. Thus, if you could do me this favour. ;-)

> In any case, isn't the real problem that packets with a spoofed source
> address can reach your name server?

Nope. It is no less of a problem with any other UDP-based protocol. The problem with DNS amplification is that there are enough situations where you simply can't guarantee that the origin address of a packet is legit. Even on a local LAN I could easily abuse the features of DNS to DoS any host.

So the actual problem is that the server keeps responding even if it can be easily detected that - given common sense in reasoning - a legit client would never ask 10k times for the same domain within one second.

And that's exactly what this patch mitigates: by keeping track of a kudos counter per client/subnet (depending on configuration) the server can detect mal-performing clients and stop responding until the ill behaviour has stopped.

More details (in German, but Google is your friend) can be found at

- https://lutz.donnerhacke.de/Blog/DNS-Dampening
- https://lutz.donnerhacke.de/Blog/DNS-Dampening-unter-der-Lupe
- https://lutz.donnerhacke.de/Blog/Dampening-oder-RRL-Was-hilft
- https://lutz.donnerhacke.de/Blog/DNS-Dampening-in-aktuellen-BINDs

And before complaining about German-only links - here are some English papers telling the exact same story:

- http://www.nlnetlabs.nl/downloads/publications/report-rrl-dekoning-rozekrans.pdf

The patch is maintained by Wilfried Klaebe and me at

- https://github.com/wklaebe/bind9

And before you ask: given the comparison of RRL (which upstream Bind has) and DNS Dampening (which is added by this patch), I see nearly NO effect using RRL on various typical attacks, while DNS Dampening kills most attacks within the first few packets.

The Internet is inherently untrustworthy in regards to who is sending you packets. Thus securing the Internet is not only about keeping your box safe, but also about protecting the boxes of others from the behaviour of your box. And THIS patch is doing exactly this.

Kind regards,
Benny Baumann
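An added example, not part of this thread and not code from the wklaebe/bind9 patch: a small Python model of the per-client/subnet penalty counter that the message describes. Every query costs a source some points, a sent answer costs more the larger it is, idle time earns the points back, and a source above the limit is ignored until its score has decayed below a lower resume threshold. The prefix lengths, point costs, thresholds, decay rate and ceiling are assumed values picked for illustration, not the patch's defaults, and the addresses in the demo are constructed from documentation ranges.

```python
"""Toy per-source dampening counter (added example; assumed parameters)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SourceState:
    points: float = 0.0      # accumulated penalty for this client/subnet
    last_seen: float = 0.0   # timestamp of the last query, for decay
    dampened: bool = False   # True while we refuse to answer this source


@dataclass
class Dampener:
    """Penalty counter with linear decay; all numbers are assumptions."""
    prefix_v4: int = 24            # aggregate IPv4 sources per /24
    prefix_v6: int = 56            # aggregate IPv6 sources per /56
    query_cost: int = 10           # charged for every query, answered or not
    cost_per_64_bytes: int = 1     # extra charge per 64 bytes of answer sent
    dampen_above: int = 400        # stop answering once points exceed this
    resume_below: int = 100        # answer again once points decay below this
    decay_per_second: float = 50.0 # points forgiven per idle second
    ceiling: int = 1000            # cap, so an attack cannot build a huge backlog
    table: dict = field(default_factory=dict)

    def source_key(self, addr: str) -> str:
        """Bucket a client address into its configured subnet."""
        ip = ipaddress.ip_address(addr)
        plen = self.prefix_v4 if ip.version == 4 else self.prefix_v6
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def should_answer(self, addr: str, now: float, response_bytes: int) -> bool:
        """Account one query from `addr` at time `now`; return whether to answer."""
        st = self.table.setdefault(self.source_key(addr), SourceState(last_seen=now))
        # Idle time earns points back (clamped so clock skew cannot add points).
        elapsed = max(0.0, now - st.last_seen)
        st.points = max(0.0, st.points - elapsed * self.decay_per_second)
        st.last_seen = now
        # Every query costs something, even one we drop, so a source that
        # keeps hammering us stays dampened until it actually stops.
        st.points += self.query_cost
        if st.dampened and st.points < self.resume_below:
            st.dampened = False
        elif not st.dampened and st.points > self.dampen_above:
            st.dampened = True
        if not st.dampened:
            # Answers are charged by size: big amplification answers cost more.
            st.points += (response_bytes // 64) * self.cost_per_64_bytes
        st.points = min(st.points, self.ceiling)
        return not st.dampened


def simulate_burst(d: Dampener, addr: str, queries: int, interval: float,
                   response_bytes: int, start: float = 0.0) -> tuple:
    """Replay `queries` requests `interval` seconds apart; return (answered, dropped)."""
    answered = dropped = 0
    for i in range(queries):
        if d.should_answer(addr, start + i * interval, response_bytes):
            answered += 1
        else:
            dropped += 1
    return answered, dropped


if __name__ == "__main__":
    d = Dampener()
    # Constructed attack: 1000 queries in one second for a ~3 KB answer.
    print("attacker /24:", simulate_burst(d, "203.0.113.5", 1000, 0.001, 3072))
    # A neighbour in the same /24 shares the bucket and is dropped too.
    print("same subnet:", d.should_answer("203.0.113.77", 0.999, 3072))
    # Twenty idle seconds later the score has decayed and service resumes.
    print("after idle:", d.should_answer("203.0.113.5", 21.0, 3072))
    # Constructed legit client: one small query per second is never touched.
    print("legit client:", simulate_burst(Dampener(), "198.51.100.10", 60, 1.0, 200))
```

With these numbers the attacking /24 gets seven answers before it is cut off, stays cut off while it keeps sending (each dropped query still costs ten points), and is served again only after roughly twenty quiet seconds; the 1 qps client asking for small answers never accumulates anything. The trade-off is visible in the same model: a legitimate resolver behind the same /24 as an attacker shares its fate, which is why the per-client versus per-subnet choice in the patch's configuration matters.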