November 26, 2013

Anti-DDoS protection added to BIND DNS

A new version of BIND DNS has added a mechanism which will help combat against reflected Denial-of-Service (DoS) attacks, or specifically against a DNS amplification attack.  This module was introduced into version 9.9.4.

What is a DNS amplification attack?  It's an attack where, using the UDP transport, the attacker uses a large group of open resolvers to execute a DNS lookups with the source address spoofed to look like it's coming from the victim/target.  Usually the lookup is for all records ("ANY" in DNS speak) of a particular domain (or zone) so that large amounts of response traffic is sent to the victim/target which consume large amounts of bandwidth and/or CPU of the target.  This will keep the target busy and potentially make it unavailable.  More details about how the attack works can be found here:
Anatomy of a DNS DDoS Amplification Attack

So how can RRL help mitigate these attacks?  In essence, RRL examines the pattern of DNS requests and throttles the response to the requests when it detects an attack.  According to the documentation, it's highly configurable to combat against many types of attacks.  An important note is that incoming requests cannot be throttled by RRL.

While the attacks are not new, there has been an increase of them recently.  I recommend considering deploying this feature.

More information about BIND and RRL:
Using RRL to Prevent DNS Amplification Attacks
Quick introduction to Response Rate Limiting
How to enable Response Rate Limiting (RRL) on BIND 9.9.4
Download BIND from here