|From owner-hangout-outgoing-at-mrbrklyn.com Sat Mar 30 21:01:43 2013
Received: by mrbrklyn.com (Postfix)
id 3FF13161C93; Sat, 30 Mar 2013 21:01:43 -0400 (EDT)
Received: by mrbrklyn.com (Postfix, from userid 28)
id 2F3A8161C9D; Sat, 30 Mar 2013 21:01:43 -0400 (EDT)
Received: from mailbackend.panix.com (mailbackend.panix.com [184.108.40.206])
by mrbrklyn.com (Postfix) with ESMTP id 96FE6161C93
for ; Sat, 30 Mar 2013 21:01:42 -0400 (EDT)
Received: from panix2.panix.com (panix2.panix.com [220.127.116.11])
by mailbackend.panix.com (Postfix) with ESMTP id BC94634F66
for ; Sat, 30 Mar 2013 21:01:41 -0400 (EDT)
Received: by panix2.panix.com (Postfix, from userid 20529)
id AA33433C8C; Sat, 30 Mar 2013 21:01:41 -0400 (EDT)
Date: Sat, 30 Mar 2013 21:01:41 -0400
From: Ruben Safir
Subject: [NYLXS - HANGOUT] [rick-at-linuxmafia.com: Re: BIND options]
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.5.20 (2009-06-14)
> This is from one of the include files of my BIND configuration.
> You could put it into /etc/bind/named.conf . (18.104.22.168/29
> is my public IP netblock.)
About the Spamhaus attacks: They are made possible by one majorly bad
thing and one minorly bad one.
Majorly bad: ISPs and backbone providers not bothering to do ingress
filtering at their BGP routers. Explanation: It should not be possible
to route a forged IP packet across backbones, because router operators
should reject/drop packets claiming to come from impossible IPs (that
are not valid arriving on that interface). This isn't brain-surgery
and is basic quality-control. And yet, apparently some of these guys
do only egress filtering. Bad! Stupid!
Minorly bad: People operating 'open' recursive DNS resolvers who do not
need to, and who are not ready/willing/able to do their own ingress
filtering (which is in practice feasible only to peering ISPs running
BGP), or at least rate filtering/monitoring.
Minorly bad (variant): SOHO gateways and WAPs with embedded Linux or
BSD or similar distros often have DNS forwarder software (dproxy or
Dnsmasq) that is often misconfigured to answer queries arriving on the
public-facing interface. Those queries are then forwarded to recursive
DNS resolvers as detailed in the prior paragraph.
The two of those things (major and minor) jointly permit abusing other
people's recursive nameservers as attack reflectors, very efficiently,
because most DNS is done using UDP, hence damned near zero overhead and
no handshake checking.
In fact, it's not only an efficient form of attack but also offers
amplification via some means I do not yet fully understand, where the bad
guys' 10 bytes of DNS query with a forged source IP generated 1000 bytes
of return value, or a 100x amplification factor.
I'll eventually read more about the technical details of these DDoS
attacks. Unfortunately, most of what's written on the subject is
either rubbish or vague.
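Added example, not the include file quoted at the top of this message and not either author's configuration: a BIND 9 fragment that closes the "open recursive resolver" hole described above by limiting recursion to the 18.104.22.168/29 netblock named in the quote and enabling response rate limiting on whatever the server still answers for outsiders. It assumes BIND 9.9 or newer (the first release with rate-limit) and that the netblock is the only range of legitimate clients.

```conf
// Added example (assumed BIND 9.9+); not the original poster's include file.
acl "local-clients" {
    127.0.0.0/8;
    ::1/128;
    18.104.22.168/29;   // the public netblock quoted in the message
};

options {
    directory "/var/cache/bind";

    // Recursion (and reads from the cache) only for our own netblock.
    // Anyone else asking a recursive question gets REFUSED, which is a
    // few dozen bytes, instead of a full answer to reflect at a victim.
    recursion yes;
    allow-recursion { local-clients; };
    allow-query-cache { local-clients; };

    // Authoritative answers must still go to the world, so cap how many
    // identical responses per second one source /24 (or /56) can draw.
    // This is the "rate filtering" the message suggests for operators
    // who cannot do ingress filtering themselves.
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;       // every 2nd limited reply is a tiny TC=1 answer,
                      // so real clients can retry over TCP
        log-only no;  // set to yes first to measure before enforcing
    };
};

// Keep the rate-limit events visible so abuse attempts can be monitored.
logging {
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 5 size 10m;
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_log; };
};
```

Run `named-checkconf` after adding this and confirm with a query from outside the netblock that the server returns REFUSED for recursion rather than an answer.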