DNS Amplification Attacks... and a trivial proposal

Doug Barton dougb at dougbarton.us
Fri Jun 14 05:16:04 UTC 2013 

Ronald,

It's obvious you're frustrated (understandable), and enthusiastic 
(commendable), but you  might want to consider dialing down your 
"rhetoric" a bit. You've had responses from people here who have been 
working on this problem for years, and have a deep understanding of it.* 
Trying to understand what they're telling you, and its implications, 
would really help your situation.

More below.

* Note, I'm not including myself in that category. I know a bit more 
than the average person, but I'm not an expert.


On 06/13/2013 06:57 PM, Ronald F. Guilmette wrote:
>
> In message <51BA355B.10707 at dougbarton.us>,
> Doug Barton <dougb at dougbarton.us> wrote:
>
>> No. You can still get pretty good amplification with 512 byte responses.
>
> That is an interesting contention.  Is there any evidence of, or even any
> reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
> using strictly 512 byte packets?

You're asking the wrong question. Attackers don't go out of their way to 
find open resolvers that they are sure will return 4k packets. They 
blast out to all the ones that they know, and take the amplification 
that they can get. 50 -> 500 is still a pretty good amplification rate.

The important point being (as others have made to you) that this is not 
an EDNS0 issue. It's also worth noting that I realize this wasn't the 
main point you were trying to make, but it will probably be helpful for 
you to get your facts straight.

> If that's actually a real problem, then I am forced to assume that there
> must have been numerous reliable reports of successful and devastating
> DNS reflection DDoS attacks which pre-dated the widespread adoption of
> EDNS0.

Again, you're making the wrong argument. As others have pointed out to 
you, DNS amplification is just the attack du jour. There is evidence at 
the moment that the kiddies are already moving to chargen since we seem 
to be making some progress on open resolvers, and they want to keep 
their options open.

>> There is no quick fix.
>
> I will settle for a slow one.

Then you really want to learn more about response rate limiting, which 
already exists, and is in the process of being adopted into the major 
flavors of authoritative DNS software. That will help a lot with DNS 
amplification, but the real answer is still going to be BCP 38, with all 
of its attendant thorns.

> I am not persuaded that we have even really begun in ernest a process that
> is likely to lead to that result.  Almost everybody, even 13 years later,
> is still hoping for, and praying for, some utterly cost-free and pain-free
> solution to drop down out of the sky like mana from heaven.

Again, you need to become more familiar with the efforts that have been 
ongoing for years.

Mark also made an excellent point about legislation for BCP 38 being an 
unfortunate necessity at this point. For a variety of reasons there are 
costs associated with implementing BCP 38, costs which a non-zero number 
of operators have chosen not to pay. Adding legislative 
penalties/incentives that will make implementing it less costly than not 
is pretty much the only untried tool we have left.

Doug

More information about the bind-users mailing list