

Re: [opennic-discuss] iptables rules inefficient


  • From: Guillaume Parent <gparent AT gparent.org>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] iptables rules inefficient
  • Date: Sat, 1 Jun 2013 14:48:21 -0400

Other than the fact that it's bowing down to DDoS and that it breaks everyone's assumption of how a DNS server should react?

On Jun 1, 2013 2:43 PM, "Psilo" <dns AT psilo.org> wrote:
You all know that the target of DNS attacks is not the DNS service itself, nor the servers hosting it, right?

Now can you please explain again how TCP is not a good solution?

Psilo

On Saturday, 1 June 2013, Kenny Taylor wrote:
Meet SYN cookie.. nom nom nom

"Éric Boucher" <bouchereric0000 AT hotmail.com> wrote:
Great try but I think you forgot about SYNFLOOD...

- Éric

> Date: Fri, 31 May 2013 21:45:58 -0400
> From: weblionx AT gmail.com
> To: discuss AT lists.opennicproject.org
> Subject: Re: [opennic-discuss] iptables rules inefficient
>
> Has anyone ever tried using TCP only for a DNS server? I don't know
> how well clients would handle that, and I know it has some extra
> latency, but if it eliminates the ability to use it for a DDoS it
> seems like it might be something worth trying.
>
> I'm assuming that regular TCP-DNS uses one connection per query. Would
> it be possible to set it up so it kept the connection up for many
> queries, or would that require using a tunnel or rewriting software?
>
> - C
>
> On Fri, May 24, 2013 at 6:40 AM, Psilo <dns AT psilo.org> wrote:
> > Thank you Jeff for bringing the conversation back to the topic.
> >
> > Eric: I am simply using the rules mentioned in the wiki pointed by Jeff.
> >
> > The IRC conversation with the guy that understands nothing about DNS
> > amplification attacks is just useless.
> >
> > Psilo
> >
> >
> > On Friday, 24 May 2013, Jeff Taylor wrote:
> >
> >> We have a collection of rules posted here:
> >> http://wiki.opennicproject.org/Tier2Security
> >>
> >>
> >> On 05/23/2013 09:43 AM, Éric Boucher wrote:
> >>
> >> These are great changes... May I ask for your rules so I can add them to mine?
> >>
> >> Thanks,
> >> Éric
> >>
> >>
> >
>
>

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
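As an added example (not code from the thread or from any OpenNIC server), the Python below illustrates the UDP-versus-TCP trade-off argued above: it builds a constructed DNS query and answer, computes the amplification factor an attacker gets from a spoofed UDP source, and shows the middle ground many resolvers use instead of going TCP-only, answering a noisy source with TC=1 so that a legitimate client retries over TCP while a spoofed source, which can never complete the handshake, gets no amplified payload. The name, addresses and per-source limit are constructed.

```python
import struct

# All sample values (name, addresses, the per-source limit) are constructed for
# this example; nothing here is taken from the thread or an OpenNIC server.

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(txid, name):
    # Header: ID, flags (RD=1), QDCOUNT=1; question: name, QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def question_end(pkt):
    # Walk the labels of the first question to find the offset where it ends
    i = 12
    while pkt[i]:
        i += pkt[i] + 1
    return i + 5  # terminating zero byte + QTYPE + QCLASS

def build_response(query, addrs):
    # Echo the question, then one A record per address (owner = pointer 0xc00c)
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rr = lambda a: (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                    + bytes(int(o) for o in a.split(".")))
    return header + query[12:question_end(query)] + b"".join(rr(a) for a in addrs)

def truncate(response):
    # Set TC (0x0200) and keep only the question: a real resolver retries over TCP
    txid, flags = struct.unpack("!HH", response[:4])
    header = struct.pack("!HHHHHH", txid, flags | 0x0200, 1, 0, 0, 0)
    return header + response[12:question_end(response)]

def is_truncated(pkt):
    return bool(struct.unpack("!H", pkt[2:4])[0] & 0x0200)

def amplification_factor(query, response):
    # Bytes delivered to the (possibly spoofed) source per byte the sender spent
    return len(response) / len(query)

class RateLimitedResponder:
    """Answer in full over UDP until a source exceeds `limit` queries in a
    `window`-second slot, then answer with TC=1. Simplified response-rate-limit
    logic: the spoofed victim never completes the TCP handshake that follows."""
    def __init__(self, addrs, limit=5, window=1.0):
        self.addrs, self.limit, self.window, self.seen = addrs, limit, window, {}

    def respond(self, src, query, now):
        key = (src, int(now // self.window))
        self.seen[key] = self.seen.get(key, 0) + 1
        full = build_response(query, self.addrs)
        return full if self.seen[key] <= self.limit else truncate(full)
```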


