MRatWork Forum by Mustafa Ramadhan

Sawo Project - Kloxo-MR Discussions => Kloxo-MR Development => Topic started by: fossxplorer on 2017-04-29, 13:04:49

Title: Response Rate Limiting in DNS to mitigate DNS amplification attacks
Post by: fossxplorer on 2017-04-29, 13:04:49
Ref https://www.us-cert.gov/ncas/alerts/TA13-088A and https://kb.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html.

Since Kloxo-MR is running authoritative DNS servers, we need to add:

          rate-limit {
              responses-per-second 10;   // or 5, or other reasonable values
          };
to options in /opt/configs/bind/conf/defaults/named.options.conf.

What do you think, @mustafa?


Title: Re: Response Rate Limiting in DNS to mitigate DNS amplification attacks
Post by: MRatWork on 2017-04-29, 13:17:12
Kloxo-MR is still using bind version 9.9.9.
Title: Re: Response Rate Limiting in DNS to mitigate DNS amplification attacks
Post by: fossxplorer on 2017-04-29, 14:28:04
I tested in CentOS 7 & Kloxo-MR; since Redhat has patched Bind, it works:
I appended the following to /opt/configs/bind/conf/defaults/named.options.conf, right above logging { ...
rate-limit {
    responses-per-second 5;
    window 5;
};

[root@kloxomrc7_01 csf]# systemctl reload named
Seems not to complain about anything.
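The two posts above add the rate-limit block by hand. The script below is an added example, not Kloxo-MR's own code and not the change in the referenced commit: it inserts (or verifies) an RRL block in a named.options.conf-style file the way a packaging step would, idempotently. One caveat worth building in: BIND only accepts rate-limit inside options (or a view), so the script places it before the closing "};" of the options block instead of relying on its position relative to the top-level logging statement. The sample configuration, the default values 5/5 (taken from the thread) and the helper names are assumptions made for the example.

```python
"""Add (or verify) a BIND response-rate-limiting block in an options file.

Added example, not Kloxo-MR's own code. Assumes the file holds a top-level
options { ... }; block. rate-limit is only valid inside options (or a
view), so it is inserted before the closing "};" of that block.
"""
import re
import sys
from pathlib import Path

# Constructed sample (not the real Kloxo-MR file): an authoritative-only
# options block without RRL, followed by a top-level logging block.
SAMPLE_CONF = """\
options {
    directory "/var/named";
    recursion no;                 // authoritative only
    allow-transfer { none; };
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
"""

# Strips /* */, // and # comments; a '#' inside a quoted string would be
# stripped too, which named.conf files rarely contain.
_COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)


def _options_span(conf):
    """Return (open_idx, close_idx) of the braces of the top-level options
    block. Braces are counted while skipping quoted strings and comments,
    so a '}' inside a comment cannot close the block early."""
    m = re.search(r'^\s*options\s*\{', conf, re.M)
    if not m:
        raise ValueError("no options block found")
    open_idx = m.end() - 1
    depth, i, n = 0, open_idx, len(conf)
    while i < n:
        c = conf[i]
        if c == '"':                                 # string literal
            j = conf.find('"', i + 1)
            i = n if j < 0 else j + 1
            continue
        if conf.startswith('//', i) or c == '#':     # line comment
            j = conf.find('\n', i)
            i = n if j < 0 else j + 1
            continue
        if conf.startswith('/*', i):                 # block comment
            j = conf.find('*/', i + 2)
            i = n if j < 0 else j + 2
            continue
        if c == '{':
            depth += 1
        elif c == '}':
            depth -= 1
            if depth == 0:
                return open_idx, i
        i += 1
    raise ValueError("unbalanced braces in options block")


def rate_limit_settings(conf):
    """Return {'responses-per-second': n, 'window': n} parsed from the
    options block, or None when no rate-limit block is configured."""
    open_idx, close_idx = _options_span(conf)
    body = _COMMENT_RE.sub('', conf[open_idx + 1:close_idx])
    m = re.search(r'\brate-limit\s*\{(.*?)\}\s*;', body, re.S)
    if not m:
        return None
    found = {}
    for key in ('responses-per-second', 'window'):
        km = re.search(r'\b%s\s+(\d+)\s*;' % re.escape(key), m.group(1))
        if km:
            found[key] = int(km.group(1))
    return found


def add_rate_limit(conf, rps=5, window=5):
    """Return conf with an RRL block inside options; unchanged if one is
    already there. Defaults mirror the values posted in the thread; tune
    them to the real query rate of the hosted zones."""
    if rate_limit_settings(conf) is not None:
        return conf
    _open_idx, close_idx = _options_span(conf)
    head = conf[:close_idx]
    if not head.endswith('\n'):
        head += '\n'
    block = ("    rate-limit {\n"
             "        responses-per-second %d;\n"
             "        window %d;\n"
             "    };\n" % (rps, window))
    return head + block + conf[close_idx:]


if __name__ == "__main__":
    # usage: python rrl_options.py [named.options.conf]  (prints the result)
    src = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONF
    sys.stdout.write(add_rate_limit(src))
```

After writing the result back, run named-checkconf on the main named.conf before reloading: a rate-limit block that ends up outside options is a syntax error that stops named from loading the new configuration.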
Title: Re: Response Rate Limiting in DNS to mitigate DNS amplification attacks
Post by: MRatWork on 2017-04-29, 14:53:06
I will add in next update.
Title: Re: Response Rate Limiting in DNS to mitigate DNS amplification attacks
Post by: fossxplorer on 2017-05-01, 18:17:55
Awesome, it's included:
https://github.com/mustafaramadhan/kloxo/commit/aac99f42761265fa6f254986cea1f9c4dc2046e5