Hello Robert,

Hm...., I have met the same problem of bind9 recursive queries DoS. Does anyone have a solution?

Saturday, July 20, 2002, 1:27:19 AM, you wrote:

Robert Buckley> Howdy,
Robert Buckley> Does anyone have any information about exploiting BIND's recursive
Robert Buckley> queries [num] limitation.
Robert Buckley> One of our clients decided to do a very intensive WebTrends report, which (
Robert Buckley> I assume ) had an option to do
Robert Buckley> dns lookups. We use a Cisco pix on the border, with 2 external and 2
Robert Buckley> internal bind 9 systems.
Robert Buckley> The Cisco pix contains a feature called a DNS-GUARD that will prevent the
Robert Buckley> same query being answered twice.
Robert Buckley> In other words, the 1st guy to come back with the answer to a query is let
Robert Buckley> in, anyone else is denied.
Robert Buckley> Our firewall logs showed inbound denials from our two externals had
Robert Buckley> increased 196.x times more than normal.
Robert Buckley> AVG 400 or so to about 60 thousand plus. An investigation showed that one
Robert Buckley> single client ( The Web Trends Guy) was slamming our internal servers with
Robert Buckley> queries.
Robert Buckley> Our logging on our dns servers showed: Client Recusive Queries Quota
Robert Buckley> Reached.
Robert Buckley> According to some research we've done, a bind server will stop answering
Robert Buckley> queries if it has the default value of 100 unanswered queries in memory.
Robert Buckley> Of course this value can be increased via an option. It seemed to me that
Robert Buckley> this type of abuse from the webtrends app nearly caused a denial of service
Robert Buckley> on our dns.
Robert Buckley> IMO, it would be trivial to write something to ask 100 bogus queries that
Robert Buckley> don't get answered in time.
Robert Buckley> Anyone have a similar experience or security information on this?

--
James Zhang
Manager,T.S.Dept.
Marsec System
Mobile: 13910526162
Office: +8610-88087212-3004
FAX: +8610-88087300
http://www.babygoal.com
Email: glzhangat_private
PGP Public key: ftp://ftp.babygoal.com/pub/pgpkey/glzhang.8848.net.asc
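
Added example, not part of the original messages: the kind of log investigation Robert describes, in Python, finding which client dominated the query stream in the seconds before named reported its recursive-client quota as reached. The syslog line shape, the quota message text, the year and every sample line are assumptions constructed for illustration; adjust the patterns to your own named logging.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed line shape: "<Mon DD HH:MM:SS> <host> named[pid]: client <ip>#<port>: <message>"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: client ([\d.]+)#\d+: (.*)$")
QUOTA_MSG = "no more recursive clients: quota reached"  # assumed message text

def parse(lines, year=2002):
    """Yield (timestamp, client_ip, message); syslog omits the year, so one is assumed."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def talkers_before_quota(lines, window_s=10):
    """For each quota event return (time, top_client, its_queries, total_queries),
    counted over the window_s seconds leading up to the event."""
    events = list(parse(lines))
    queries = [(ts, ip) for ts, ip, msg in events if msg.startswith("query:")]
    report = []
    for ts, _, msg in events:
        if msg != QUOTA_MSG:
            continue
        start = ts - timedelta(seconds=window_s)
        counts = Counter(ip for qts, ip in queries if start <= qts <= ts)
        if counts:
            ip, n = counts.most_common(1)[0]
            report.append((ts, ip, n, sum(counts.values())))
    return report

def sample_log():
    """Constructed sample: one heavy client (10.1.1.50) doing reverse lookups,
    six ordinary clients, then a quota event hitting one of the ordinary clients."""
    pre = "ns1 named[411]: client"
    lines = [f"Jul 19 10:00:{i // 20:02d} {pre} 10.1.1.50#{2000 + i}: "
             f"query: {i}.2.0.192.in-addr.arpa IN PTR" for i in range(120)]
    lines += [f"Jul 19 10:00:{i:02d} {pre} 10.1.1.{60 + i}#1030: "
              f"query: www.example.org IN A" for i in range(6)]
    lines.append(f"Jul 19 10:00:06 {pre} 10.1.1.61#1031: {QUOTA_MSG}")
    return lines

if __name__ == "__main__":
    for ts, ip, n, total in talkers_before_quota(sample_log()):
        print(f"{ts:%b %d %H:%M:%S} quota reached; top client {ip} "
              f"sent {n}/{total} queries in the preceding window")
```

The client named in the quota message is whoever was refused, which is often not the client that filled the quota; counting queries in the preceding window is what points at the actual source.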
This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 19:22:40 PDT