[Unbound-users] unbound closes receive socket => udp probes

Ilya Bakulin
Mon Jul 29 15:44:04 CEST 2013


Hi Wouter,

On Monday 08 July 2013 16:25:19 W.C.A. Wijngaards wrote:
> So, although I understand this ICMP port closed is troublesome, I do
> not know how to get rid of it.  Is there something I can tell the
> kernel that stops the ICMP port closed (for UDP)?  Should unbound
> listen to raw sockets and somehow remove the packet destined for an
> old port (but what if someone runs 'dig' and it uses a random port
> that unbound just previously used?).

Yes, you're right, the "right" fix is really complicated; therefore it is
actually wrong.

We have another suggestion that may help -- adding some constant value to
the calculated RTT. This will slow the rps rate, but at least eliminate the
ICMP flood in cases when there are some fluctuations in the network that cause
answers to arrive a bit slower.
I have tried to find the right place in the code to add this, but
it seems I haven't succeeded. Could you please help me?
I understand that this is also a kind of "hack" and it might not
be committed, but we really don't have another choice -- there is
no way to tell if there was a UDP probe attack or a late answer from DNS...

Thank you for your time.

--
Ilya
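As an added illustration (not Unbound's code and not part of the thread), the following Python models the trade-off the message describes: an RFC 6298-style RTT estimator with a constant margin added to the timeout, run over a constructed latency trace with a transient slowdown. It assumes a 50 ms minimum timeout, a 376 ms initial timeout, that any answer arriving after the timeout hits an already-closed socket (the ICMP port unreachable case), and omits retry back-off.

```python
# Added example, not Unbound code: RFC 6298-style RTT estimator plus an optional
# constant margin, run over a constructed latency trace to count answers that
# arrive after the resolver would already have closed the UDP socket.
MIN_TIMEOUT_MS = 50      # assumed lower clamp on the timeout
INITIAL_RTO_MS = 376     # assumed timeout before the first RTT sample

# Constructed trace (ms): steady ~40 ms, a transient slowdown, then recovery.
LATENCIES_MS = [40, 42, 38, 41, 39, 40, 43, 37,
                120, 160, 150, 140, 130, 120, 110,
                45, 41, 40, 39, 42, 38, 40]

class RttEstimator:
    """Jacobson/Karels estimator (alpha = 1/8, beta = 1/4) in integer ms."""

    def __init__(self, margin_ms=0):
        self.srtt = None
        self.rttvar = None
        self.margin_ms = margin_ms   # the constant the thread proposes to add

    def timeout(self):
        if self.srtt is None:
            return INITIAL_RTO_MS + self.margin_ms
        return max(MIN_TIMEOUT_MS, self.srtt + 4 * self.rttvar) + self.margin_ms

    def update(self, sample_ms):
        if self.srtt is None:
            self.srtt, self.rttvar = sample_ms, sample_ms // 2
        else:
            self.rttvar = (3 * self.rttvar + abs(self.srtt - sample_ms)) // 4
            self.srtt = (7 * self.srtt + sample_ms) // 8

def simulate(latencies, margin_ms=0):
    """Return (late_answers, final_timeout_ms) for one trace and margin."""
    est = RttEstimator(margin_ms)
    late = 0
    for lat in latencies:
        if lat > est.timeout():
            # Socket already closed: the kernel answers the late reply with
            # ICMP port unreachable, and the query yields no RTT sample.
            # (Retry back-off is omitted to keep the model small.)
            late += 1
        else:
            est.update(lat)
    return late, est.timeout()

if __name__ == "__main__":
    for margin in (0, 100):
        late, final = simulate(LATENCIES_MS, margin)
        print(f"margin={margin:3d} ms: {late} late answers, timeout now {final} ms")
```

With no margin the whole slowdown burst arrives late; a 100 ms margin lets the estimator absorb it, at the price of a much longer timeout left over once the network recovers, which is the "slower rps" cost the message mentions.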