Re: Bind recursive queries quota.

From: Guanglong Zhang (glzhangat_private)
Date: Fri Jul 19 2002 - 18:56:25 PDT

    Hello Robert,
    
    Hm..., I have met the same problem of bind9 recursive queries DoS.
    Does anyone have a solution?
    
    Saturday, July 20, 2002, 1:27:19 AM, you wrote:
    Robert Buckley> Howdy,
    Robert Buckley>         Does anyone have any information about exploiting BIND's recursive
    Robert Buckley> queries [num] limitation?
    Robert Buckley> One of our clients decided to do a very intensive WebTrends report, which (
    Robert Buckley> I assume ) had an option to do 
    Robert Buckley> dns lookups. We use a Cisco pix on the border, with 2 external and 2
    Robert Buckley> internal bind 9 systems. 
    
    Robert Buckley> The Cisco pix contains a feature called a DNS-GUARD that will prevent the
    Robert Buckley> same query being answered twice.
    Robert Buckley> In other words, the 1st guy to come back with the answer to a query is let
    Robert Buckley> in, anyone else is denied.
    
    Robert Buckley> Our firewall logs showed inbound denials from our two externals had
    Robert Buckley> increased 196.x times more than normal.
    Robert Buckley> AVG 400 or so to about 60 thousand plus. An investigation showed that one
    Robert Buckley> single client ( The Web Trends Guy) was slamming our internal servers with
    Robert Buckley> queries.
    Robert Buckley> Our logging on our dns servers showed:  Client Recursive Queries Quota
    Robert Buckley> Reached.
    
    Robert Buckley> According to some research we've done, a bind server will stop answering
    Robert Buckley> queries if it has the default value of 100 unanswered queries in memory.
    Robert Buckley> Of course this value can be increased via an option. It seemed to me that
    Robert Buckley> this type of abuse from the webtrends app, nearly caused a denial of service
    Robert Buckley> on our dns. 
    
    Robert Buckley> IMO, it would be trivial to write something to ask 100 bogus queries that
    Robert Buckley> don't get answered in time.
    Robert Buckley> Anyone have a similar experience or security information on this?
    
    
    
            
    
    -- 
    James Zhang                          
    Manager,T.S.Dept. Marsec System     Mobile: 13910526162
    Office: +8610-88087212-3004         FAX: +8610-88087300
    http://www.babygoal.com             Email: glzhangat_private
    PGP Public key:
    ftp://ftp.babygoal.com/pub/pgpkey/glzhang.8848.net.asc
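
A log triage for the situation described in the quoted message (one client flooding the resolvers while the recursive quota is hit), added here as an example and not part of either post. The log line shapes, the 100-per-minute threshold and all addresses are constructed assumptions; the quota itself counts outstanding queries, not a per-minute rate.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed line shapes (BIND 9 file logging with print-time on):
#   19-Jul-2002 18:40:01.000 client 10.1.1.50#1031: query: name IN PTR
#   19-Jul-2002 18:40:59.000 client 10.1.1.7#1044: no more recursive clients: quota reached
LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\S* .*?client (?P<ip>[^#\s]+)#\d+"
    r".*?: (?P<what>query:|no more recursive clients)"
)

def triage(lines, per_minute_limit=100):
    """Split clients into likely sources (peak queries per minute above the
    limit) and victims (clients that had a quota refusal logged against them)."""
    per_minute = defaultdict(Counter)  # ip -> {minute: queries}
    refused = Counter()                # ip -> refusals logged against it
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue  # unrelated log line
        minute = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S").replace(second=0)
        if m["what"] == "query:":
            per_minute[m["ip"]][minute] += 1
        else:
            refused[m["ip"]] += 1
    sources = {ip: max(c.values()) for ip, c in per_minute.items()
               if max(c.values()) > per_minute_limit}
    return sources, refused

def sample_log():
    """Constructed log lines, not taken from the original post."""
    heavy = [f"19-Jul-2002 18:40:{i % 60:02d}.000 client 10.1.1.50#1031: "
             f"query: {i}.1.1.10.in-addr.arpa IN PTR" for i in range(150)]
    normal = [f"19-Jul-2002 18:4{i}:05.000 client 10.1.1.7#1044: "
              "query: www.example.com IN A" for i in range(3)]
    refusals = [
        "19-Jul-2002 18:40:59.000 client 10.1.1.7#1044: no more recursive clients: quota reached",
        "19-Jul-2002 18:40:59.500 client 10.1.1.50#1031: no more recursive clients: quota reached",
    ]
    return heavy + normal + refusals + ["19-Jul-2002 18:41:00.000 zone example.com/IN: loaded serial 1"]

if __name__ == "__main__":
    sources, refused = triage(sample_log())
    print("likely sources:", sources)
    print("refusals by client:", dict(refused))
```

Refusals are logged against whichever client happened to ask while the quota was full, so the refusal counts show who was affected, while the per-minute peaks show who filled the quota.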
    


