[nycbug-talk] dns abuse

Yarema yds at CoolRat.org
Thu Jan 22 08:55:44 EST 2009


Max Gribov wrote:
> Yarema wrote:
>> Am I correct in interpreting that since
>> a) my DNS servers return nothing when queried for "."
> yup, I tried to query your server for the root zone and it times out.
> as long as you know your server replies properly to legitimate
> authoritative queries, you should be good
> 
>> b) the throttling option allows only one state per src IP
> yes, which I believe should be defined by
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> in pf.conf -- I did not experiment and totally assume this off the top
> of my head though
> 
>> c) given the above two states show only one packet of 45 bytes
>> then it means I'm creating one state from the spoofed address, receiving
>> the single 45 byte query packet and returning nothing, thus not
>> contributing to the DDoS, right?
> yup, as long as you aren't returning the full root zone, you aren't really
> contributing to the attack.
> 
> As Andy said though, because of the way DNS and UDP work, amplification
> attacks are very simple to do.
> downloading a full zone, such as the root zone, is a more efficient
> attack than spoofing a reply for the IP of www.yahoo.com, but given enough
> spoofed requests for www.yahoo.com it's probably also possible to ddos
> someone..

Thanks, man.  I just wanted to confirm I got my config buttoned down.
Seems like I was never contributing to the DDoS, but without the
max-src-states option you proposed it looked to me like _I_ was getting
DDoSed cuz of the load it was putting on my authoritative server.  Great
solution to the problem at hand.  You ought to post it on the ISC page
about the attack, since you came up with it.
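For reference, this is the shape of the pf.conf rule the thread is talking about: the UDP timeouts Max quoted plus a per-source state cap on the authoritative port. It is an added example, not either poster's actual configuration; `$ext_if` and `$dns_srv` are placeholder macros.

```pf
# Placeholder macros: substitute the real external interface and server address.
ext_if = "em0"
dns_srv = "192.0.2.53"

# Shorter UDP state lifetimes (the values from the thread), so a spoofed
# source that never sends a second packet does not pin a state for long.
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }

# Accept authoritative queries, but let each source address hold at most
# one state at a time.  A flood of queries forged from one source then
# costs one state entry instead of one per packet, and named only ever
# sees the first query from that address until the state expires.
#
# Caveat: pf keys states on source port too, so a legitimate recursive
# resolver that sends several concurrent queries from different source
# ports is also held to one at a time.  Raise the number if real resolvers
# start getting dropped; the point is a cap, not necessarily 1.
pass in quick on $ext_if proto udp from any to $dns_srv port domain \
    keep state (max-src-states 1)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch what the cap is doing with `pfctl -ss | grep ':53'`, which should show a single state per forged source rather than one per query.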


