DNS Amplification Attacks... and a trivial proposal

Ronald F. Guilmette rfg at tristatelogic.com
Fri Jun 14 01:18:37 UTC 2013

In message <201306131753.r5DHrwoN093243 at calcite.rhyolite.com>, 
Vernon Schryver <vjs at rhyolite.com> wrote:

>I think that the use of RRL on some roots shows that keeping state
>is not a problem if the state keeping is not utterly stupid.

(I'm not sure what, if anything, I should be reading into that last bit
of a phraseology.  Oh well.  No matter.)

>DNS cookies could do something similar but better than that "safe
>TCP only mode" idea.

I will definitely need to bone up on that.

>Unfamiliar (no cookie) DNS clients that show
>some (or no) sign of badness could be sent to TCP, could be given
>lower rate limits, ignored entirely (dropped), or whatever makes
>sense at the server.

At which server?  The numerous DDoS-participating individual intermediaries?
Or the (singular) DDoS victim?

Assuming you are referring to the former, allow me just to offer the
observation that if history teaches us anything it is that anything that
needs to be... or that is even allowed to be... individually configured
by innumerable individual server administrators will inevitably never
work, in practice, to solve any actual real-world problem, because as
surely as night follows day, at least 33% of all of the world's sever
administrators, if given a knob or a dial to twist, will fuck it up
in some way that makes it ineffective for its original or intended

If the world's population of server administrators can be counted on
to Do The Right Thing (when given some simple and straightforward
configuration choice), then why are there still in excess of 27 million
open resolvers on the Internet?

(In short there is only one question you need to ask yourself... "Do I
feel lucky?" :-)

The advantage of the scheme I put forward is that there is -zero- con-
figuration either required or allowed.  Over time, people installing the
latest version of BIND or their favorite DNS server... just as a matter
of standard procedure, and just to stay current on security fixes...
would get built-in support for the new anti-DDoS "quench" protocol
and would _not_ be offered any ludicrous (and to most, confusing) con-
figuration choices like:  "Do you want to enable to the new anti-DDoS
protocol?  Or would you prefer to continue to be an anti-social asshole?"
(I think most here would be surprised to learn how many server admini-
strators, worldwide, would choose option B, if offered that exact choice,
even if phrased in that exact way.  Or as P.T. Barnum is alleged to have
once said "Nobody ever lost a dime underestimating the intelligence of
the public at large.")

>Sufficiently distributed or disbursed DNS reflection attacks (e.g. qps<1
>at reflectors) are hard even to detect except at the victim.


>The problem with those RPZ ideas is recruiting DNS server participants.
>That is similar to the problem of recruitng SMTP servers to use anti-spam
>DNSBLs, but worse because these ideas help victims instead of participants.


See above regarding configuration choices.


More information about the bind-users mailing list