
Bug 427832

Summary: net-dns/bind BIND 9.8.3 DNS reflection and amplification attacks
Product: Gentoo Linux Reporter: Don Bishop <dbishop>
Component: New packages
Assignee: Christian Ruppert (idl0r) <idl0r>
Status: RESOLVED DUPLICATE
Severity: major
CC: dbishop, eras
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.redbarn.org/dns/ratelimits
Whiteboard:
Package list:
Runtime testing required: ---

Description Don Bishop 2012-07-24 02:27:28 UTC
BIND 9.8.3 and 9.9.1 can include a patch for Response Rate Limiting

From Paul Vixie:

"Such attacks depend upon IP source address forgery by attackers, where the forgery is undetectable at a distance. DNS servers who respond to all queries without rate limiting are at risk for abuse such that a stream of potentially very large responses are transmitted toward victims whose IP address was forged and who did not in fact solicit said responses. Response Rate Limiting (RRL) can make a DNS server less useful for such attacks."

There is a patch at http://ss.vix.com/~vixie/rrl-983.patch

It would be great to have this added to the Gentoo packages. I am getting creamed by this attack. And so are a lot of others. Adding a never ending list of blocked IPs in iptables doesn't seem like a good long term solution. This patch sure does though...

If it can't be added maybe a tip to help me know how to do it myself without breaking portage would be welcomed by me and I'm sure others :-)
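A simplified model of the accounting RRL performs, added here as an illustration and not taken from Vixie's patch or from BIND: responses are credited per client netblock and response identity (name, type, rcode), and once the credit is spent a reply is dropped or, every few drops, sent truncated so a genuine resolver retries over TCP while a spoofed victim receives almost nothing. The parameter names follow the RRL configuration options of the same name in later BIND releases (an assumption about this particular patch); the client addresses and the flood are constructed.

```python
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    """Token-bucket model of DNS Response Rate Limiting (RRL)."""

    def __init__(self, responses_per_second=5, window=5, slip=2, ipv4_prefix=24):
        self.rps = responses_per_second
        self.window = window            # seconds of credit a bucket may accumulate
        self.slip = slip                # every slip-th dropped reply goes out with TC=1
        self.ipv4_prefix = ipv4_prefix  # clients are grouped per /24 (assumed default)
        self.buckets = {}               # key -> (credits, time of last refill)
        self.dropped = defaultdict(int)

    def _key(self, client_ip, qname, qtype, rcode):
        # Identity of a response: who would receive it and what it contains.
        net = ipaddress.ip_network(f"{client_ip}/{self.ipv4_prefix}", strict=False)
        return (str(net), qname.lower(), qtype, rcode)

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'send', 'drop' or 'slip' (truncated reply, client retries over TCP)."""
        key = self._key(client_ip, qname, qtype, rcode)
        cap = self.rps * self.window
        credits, last = self.buckets.get(key, (cap, now))
        # Refill one second's worth of responses per elapsed second, up to the cap.
        credits = min(cap, credits + (now - last) * self.rps)
        if credits >= 1:
            self.buckets[key] = (credits - 1, now)
            return "send"
        self.buckets[key] = (credits, now)
        self.dropped[key] += 1
        if self.slip and self.dropped[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate_flood(limiter, victim_ip, qname, count):
    """Constructed scenario: `count` queries forged from the victim's address arrive
    evenly over one second, all asking for the same large answer. Returns how many
    full-size responses the victim would still receive versus dropped/slipped replies."""
    tally = defaultdict(int)
    for i in range(count):
        tally[limiter.decide(i / count, victim_ip, qname, "ANY")] += 1
    return dict(tally)
```

With responses-per-second 5 and a one-second window, a thousand forged queries yield only a handful of full responses toward the victim, while a different client network or a different name keeps its own untouched credit.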
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-24 23:11:24 UTC
This is more about hardening a BIND server / mitigating attacks rather than correcting a known vulnerability in BIND. More information on this is at $URL.
Comment 2 Don Bishop 2012-07-25 12:52:47 UTC
The URL is missing in your post.  I know what the problem is, and where to find Vixie's patch.  Is the URL you are sending me to the way to add the patch to my existing ebuild (in my local overlay perhaps)?
Comment 3 Christian Ruppert (idl0r) gentoo-dev 2012-09-11 18:20:52 UTC
*** This bug has been marked as a duplicate of bug 434650 ***