DNS Amplification Attacks... and a trivial proposal

Vernon Schryver vjs at rhyolite.com
Thu Jun 13 17:53:58 UTC 2013


> From: David Miller <dmiller at tiggee.com>

> >> Basically, the whole idea is just simply to allow a victim to switch to
> >> "safe TCP only mode" with all of the intermediaries that are
> >> participating
> >
> > The problem with that idea is that it needs software updates on both
> > the reflecting DNS server and the victim. It also seems to require
> > keeping a lot of soft state in the endpoints.
>
> This would require both software updates and an update to the DNS protocol.
>
> This idea does require state at the endpoints.  We seem to have already
> lost that battle - example RRL.  Would this require more state at the
> endpoints than RRL?  I think that this probably would require more state.

I think that the use of RRL on some roots shows that keeping state
is not a problem if the state keeping is not utterly stupid.

DNS cookies could do something similar but better than that "safe
TCP only mode" idea.  Unfamiliar (no cookie) DNS clients that show
some (or no) sign of badness could be sent to TCP, could be given
lower rate limits, ignored entirely (dropped), or whatever makes
sense at the server.  The state could be kept only on DNS clients
and could be fewer and smaller than the state needed for RRL.  See
https://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03

DNS cookies suffer less from the update-the-world problem, because
they are optional.


> > Altogether, it seems easier for everyone to just apply RRL patches, do
> > BCP38 and de-peer with people who don't do BCP38.
>
> Agreed.  Close all open resolvers as well.

me too.

Sufficiently distributed or disbursed DNS reflection attacks (e.g. qps<1
at reflectors) are hard even to detect except at the victim.

I hope eventually to release BIND patches that add RPZ client IP
address triggers and "drop" and "TCP-only" policies.  See
https://www.google.com/search?q=dns+rpz
An RPZ zone of client IP address triggers of victim IP addresses and
TCP-only policies, maintained by victim requests and certain other
mechanisms could let participating DNS servers mitigate even extremely
distributed reflection attacks.

If there were an RPZ zone of client IP address triggers of open resolvers
used in attacks and if that zone were used at many authoritative DNS
servers, then users of those open resolvers would be inconvenienced
and might pressure open resolver operators to act.

The problem with those RPZ ideas is recruiting DNS server participants.
That is similar to the problem of recruitng SMTP servers to use anti-spam
DNSBLs, but worse because these ideas help victims instead of participants.
It might be helped by including anti-reflection rules in other RPZ
products.

The RPZ "TCP-only" policy might be used in private kludges.  Consider
these rules in the external view on an open resolver:
 *. CNAME tpc-only-rpz.
 *.mydomain CNAME passthru.rpz.
Like RRL, such ideas not as good as closing the resolver, but less
bad than leaving it unprotected.


Vernon Schryver    vjs at rhyolite.com


More information about the bind-users mailing list