[nsd-users] Amplification attack how to stop it

Anand Buddhdev anandb at ripe.net
Thu Dec 3 17:27:28 UTC 2015 

On 03/12/15 17:58, Bas van den Dikkenberg wrote:

Hi Bas,

> We have a big  problem  all 3 of our dns servers are under Amplification attack
> As soon as we start nsd we send out 50 mbit to the internet.
> Any ideas how can stop this .
> 
> We run NSD version 4.1.2 (most recent in ondrej nlnetlabs ppa)
> 
> My nsd.conf can be found here: http://pastebin.com/kAHcRiVf

It all depends on the type of query traffic you're receiving. For some
types of query patterns, Response Rate Limiting (RRL) can help, but you
have to enable it at compile time with "--enable-ratelimit". If your
config file is just an edited copy of the sample, then it doesn't look
like you have RRL code compiled in. If you have the possibility to
recompile NSD quickly, then you can try to build RRL in, and use it.

There are a number of RRL config options to set or tune, but the 2 main
ones are:

rrl-ratelimit:
rrl-slip:

If you set rrl-ratelimit to something like "10", then the first 10
responses within a 1-second window, to the same destination network,
will be allowed. After that, within that same 1-second window, any more
responses which are the same as the first 10, to the same destination
network, will be dropped.

However, not all responses are dropped. This is controlled by the value
of "rrl-slip". NSD's default is 2. This means that out of every 2
responses above the limit, one response will be dropped, and the other
response will be a small one, with the "truncated" bit set. This allows
a genuine client a 50% chance of seeing the response with the TC bit,
and it can retry over TCP.

NSD default value of 2 for "rrl-slip" has 2 effects:

1. It halves the number of response packets NSD outputs; and

2. It lowers the outgoing bandwidth.

If you set "rrl-slip" to 3, then out of every 3 responses above the
limit, 2 will be dropped, and 1 will "slip through" with the TC bit set.
Higher values of "rrl-slip" will keep reducing the outgoing response
rate. If you want to block ALL responses above the limit, then set
"rrl-slip" to 0, but this is probably not a good idea.

Finally, I'd like remind you again, that RRL is about limiting identical
RESPONSES. So if your server gets 10 different queries, but the response
to all of them is the same (eg. NXDOMAIN, or a referral), then these
responses are rate-limited.

If you get getting lots of different queries from lots of different
sources, which results in lots of different responses, then RRL won't
work as effectively.

Regards,

Anand Buddhdev
RIPE NCC

More information about the nsd-users mailing list