[rbldnsd] Announce: experimental rbldnsd-0.994.92: EDNS0 and ACL support

Michael Tokarev mjt at tls.msk.ru
Sun Apr 17 15:15:38 MSD 2005


Amos Jeffries wrote:
[]
>> Content of `acldata' file is pretty like the one of ip4trie, ie,
>> CIDRs and "values", where "value" can be one of:
>>
>>  :ignore -- to mean ignore all queries made from the given CIDR
>>  :refuse -- to mean refuse all queries from the given range
>>  :empty  -- for queries from the range, pretend no entries are
>>    listed in a dnsbl at all
>>  usual_A+TXT_template -- always return this template to valid
>>    dnsbl queries made from the given range.
> 
> Two questions:
> 
> 1) If we supply an ACL file that is essentially a zone file with a 
> default ACL response at the top will it be accepted as a valid ACL?
> (without a response type on each line).
> 
> ie:
> #deny ACL
> :refuse
> 127.0.0.0/8
> 10.0.0.0/8
> 252.0.0.0/8
> # end ACL

Yes, definitely.  It is like in ip4set and ip4trie: you can specify
a "default action" several times, and it applies to all subsequent
lines without an action (before new default action).

> 2) One of the best uses of ACL is to deny DDoS from zombies.
> In that case might it be simpler to have an entry like
> "  $ACL <zone> <action>  " as a single dataset ACL?
> meaning, that any client listed in the dataset <zone> has <action> done 
> to its queries.

First of all, it is almost hopeless to try to defend against zombie attacks
in a UDP-based server.  The reason is trivial: forged source addresses
in the attacking packets.

Another reason is that we can't "lighten" the attack anyway, simply
because the amount of processing needed to handle packets coming from
zombies is about the same regardless of whether such packets will be ignored
or replied to normally.  Especially on a per-zone basis: we have to
parse the incoming packet anyway, to find the matching zone (in such
a case, a global acl with 'ignore' result will do better - no parsing
is required, just a quick lookup of an IP address).

That is to say: I don't see a *good* reason to do anything against
a DDoS coming the way of rbldnsd.  Yes the problem can be real,
but there's not much we can do now to make the situation better.
For example, j.ns.dsbl.org aka ns6-cbl.abuseat.org will start
dropping incoming packets due to too many interrupts from the NIC -
nothing can be done against this in software.

There's yet another issue, now with the current implementation.
Currently, acl is implemented as a patricia trie, to allow compact
and fast representation of (maybe large) networks, not a lot of
individual IP addresses.  Sure it can be done like ip4set, as an
array, and the `acl' "dataset" can be smarter to choose between
ip4trie and ip4set representation internally.  That is to say: to
add a lot of zombies into the current acl dataset, one needs quite
some memory (each entry takes 2*4+2*4+4=20 bytes on x86, and
there will be several additional trie nodes too).

BTW, this "$ACL" idea is interesting from the usage point of view --
not as you described above (if I got it right), but just as --
to allow $ACL lines inside normal datasets.  But to be fair, I
don't want to go this route.. because the current implementation is
much cleaner ;)

/mjt
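The acldata format discussed above (CIDRs with :ignore/:refuse/:empty/template values, and a bare value line setting the default for the CIDR lines that follow, as confirmed in the reply to question 1), worked through as an added Python example. This is not rbldnsd's own code: the parser rules, the plain binary trie standing in for rbldnsd's patricia trie, the mapping of :refuse to RCODE REFUSED and :empty to NXDOMAIN, and the sample ACL text are all assumptions made here for illustration.

```python
import ipaddress

# Special values named in the announce; anything else is an A+TXT template.
SPECIAL_VALUES = {":ignore", ":refuse", ":empty"}


def parse_acl(text):
    """Parse acl-style text into a list of (IPv4Network, value) pairs.

    Assumed syntax (modelled on the thread, not taken from rbldnsd's parser):
      * blank lines and lines starting with '#' are skipped;
      * a line whose first token is not a CIDR (":refuse", a template, ...)
        becomes the default value for the CIDR lines that follow, until the
        next such line;
      * a CIDR line may carry its own value after whitespace, which
        overrides the current default for that one entry;
      * a CIDR line with neither is an error.
    """
    entries = []
    default = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        first = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        try:
            net = ipaddress.IPv4Network(first, strict=False)  # "10.1.2.3" -> /32
        except ValueError:
            default = line  # not a CIDR: the whole line is the new default value
            continue
        value = rest if rest else default
        if value is None:
            raise ValueError(f"line {lineno}: {first} has no value and no default set")
        entries.append((net, value))
    return entries


class PrefixTrie:
    """Uncompressed binary trie over network bits; longest prefix wins.

    rbldnsd uses a compressed patricia trie; this plain version (assumed here)
    shows the same lookup semantics: a /32 inside a /8 overrides the /8.
    """

    def __init__(self):
        self._root = {}

    def insert(self, net, value):
        node = self._root
        for bit in format(int(net.network_address), "032b")[: net.prefixlen]:
            node = node.setdefault(bit, {})
        node["value"] = value

    def lookup(self, ip):
        node = self._root
        best = node.get("value")  # a 0.0.0.0/0 entry lives at the root
        for bit in format(int(ip), "032b"):
            node = node.get(bit)
            if node is None:
                break
            best = node.get("value", best)
        return best


def build_acl(text):
    trie = PrefixTrie()
    for net, value in parse_acl(text):
        trie.insert(net, value)
    return trie


def decide(value):
    """Map an ACL value to the server's behaviour (assumed mapping)."""
    if value is None:
        return "answer"          # no ACL entry: process the query normally
    if value == ":ignore":
        return "drop"            # no reply at all
    if value == ":refuse":
        return "refused"         # assumed: reply with RCODE REFUSED
    if value == ":empty":
        return "nxdomain"        # assumed: "nothing listed" is NXDOMAIN
    return "template:" + value   # fixed A+TXT answer for every valid query


def classify(text, ip):
    return decide(build_acl(text).lookup(ipaddress.IPv4Address(ip)))


# Constructed sample ACL, modelled on the syntax quoted in the thread.
SAMPLE_ACL = """\
# deny ACL
:refuse
127.0.0.0/8
10.0.0.0/8
10.1.2.3 :127.0.0.2:fixed answer for the monitoring host
:ignore
192.0.2.0/24
:empty
198.51.100.0/24
# end ACL
"""

if __name__ == "__main__":
    for client in ("127.0.0.1", "10.9.9.9", "10.1.2.3",
                   "192.0.2.55", "198.51.100.7", "203.0.113.1"):
        print(client, "->", classify(SAMPLE_ACL, client))
```

The per-line override on the 10.1.2.3 entry is what a practitioner would check first: with longest-prefix semantics it wins over the :refuse default inherited by 10.0.0.0/8, while every other 10/8 client is still refused.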

