Hello, Over in the NANOG group there is a current discussion concerning an ongoing, low-volume TCP amplification attack using spoofed addresses from NL netblocks.
I wanted to point out that I observed the same thing occurring against my PowerDNS resolvers - I would get a low rate of TCP SYNs in to port 53, the resolver would attempt to SYN-ACK these several times without success, and then a new SYN would come in, starting the process over again, so there is a small gain in amplification here but not like ssdp or memcached for example.

The only point I wanted to make was that, I see now, despite having set the allowed networks (allow-from-file=) with only my client IP ranges listed, this is not actually a packet filter and the connection stage of TCP is going to still progress before PowerDNS Recursor does an accept() and then applies the ACL and refuses any query. I think other people may also make this same mistake, believing the allow-from parameter acts like a packet filter when in fact it does not.

As much as I loved allow-from-file=, I reworked my firewall per recursor host to read that file and implement an ipset which does in fact drop everything not originating from my client addresses. I think I would only suggest perhaps a documentation change to point out that allow-from / allow-from-file is not a packet filter and that TCP connections will still be accept()'d before being dropped or the query refused, with a strong suggestion of a packet-level firewall for the more security minded.

Kick ass software just the same, thank you so much.

Mike-
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
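The approach the post describes, turning the recursor's allow-from-file into an ipset so that non-client traffic to port 53 is dropped in the kernel before the TCP handshake completes and accept() ever runs, as an added example that is not Mike's script and not part of PowerDNS. It assumes the allow-from-file format of one subnet per line with `#` comments and a `!` prefix for excluded subnets, it only generates the `ipset restore` and `iptables` commands rather than applying them, and the sample file is constructed here.

```shell
#!/bin/sh
# Added example: build packet-level rules from a PowerDNS Recursor allow-from-file.
# Assumed file format (not from the original post): one subnet per line,
# "#" starts a comment, "!" prefixes a subnet that is carved out of an allowed range.
set -eu

# Constructed sample allow-from-file, written to a temp file so the example runs offline.
SAMPLE_ALLOW_FROM=$(mktemp)
cat > "$SAMPLE_ALLOW_FROM" <<'EOF'
# client ranges
192.0.2.0/24
198.51.100.0/24   # branch office
!198.51.100.7     # carve out one host inside the allowed range
2001:db8::/32
EOF

# Print an `ipset restore` script: fill a temporary set, then atomically swap it
# into place so a reload never leaves a window with an empty (drop-everything) set.
gen_ipset_restore() {
    file=$1; setname=$2
    printf 'create %s-tmp hash:net family inet -exist\n' "$setname"
    printf 'flush %s-tmp\n' "$setname"
    # Strip comments and whitespace, skip blank lines.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case $entry in
            *:*) continue ;;   # IPv6 needs a separate family inet6 set; skipped here
            !*)  printf 'add %s-tmp %s nomatch\n' "$setname" "${entry#!}" ;;  # excluded host
            *)   printf 'add %s-tmp %s\n' "$setname" "$entry" ;;
        esac
    done
    printf 'create %s hash:net family inet -exist\n' "$setname"
    printf 'swap %s-tmp %s\n' "$setname" "$setname"
    printf 'destroy %s-tmp\n' "$setname"
}

# Print the iptables rules: set members reach port 53, everyone else is dropped
# before the kernel answers the SYN, so spoofed sources get no SYN-ACK at all.
gen_iptables_rules() {
    setname=$1
    printf 'iptables -A INPUT -p udp --dport 53 -m set --match-set %s src -j ACCEPT\n' "$setname"
    printf 'iptables -A INPUT -p tcp --dport 53 -m set --match-set %s src -j ACCEPT\n' "$setname"
    printf 'iptables -A INPUT -p udp --dport 53 -j DROP\n'
    printf 'iptables -A INPUT -p tcp --dport 53 -j DROP\n'
}

gen_ipset_restore "$SAMPLE_ALLOW_FROM" dnsclients
gen_iptables_rules dnsclients
```

On a real host the first function's output is piped into `ipset restore` and the second is applied once, in that order, so the set exists before the rules reference it.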