DNS Amplification Attacks... and a trivial proposal
dougb at dougbarton.us
Fri Jun 14 05:16:04 UTC 2013
It's obvious you're frustrated (understandable), and enthusiastic
(commendable), but you might want to consider dialing down your
"rhetoric" a bit. You've had responses from people here who have been
working on this problem for years, and have a deep understanding of it.*
Trying to understand what they're telling you, and its implications,
would really help your situation.
* Note, I'm not including myself in that category. I know a bit more
than the average person, but I'm not an expert.
On 06/13/2013 06:57 PM, Ronald F. Guilmette wrote:
> In message <51BA355B.10707 at dougbarton.us>,
> Doug Barton <dougb at dougbarton.us> wrote:
>> No. You can still get pretty good amplification with 512 byte responses.
> That is an interesting contention. Is there any evidence of, or even any
> reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
> using strictly 512 byte packets?
You're asking the wrong question. Attackers don't go out of their way to
find open resolvers that they are sure will return 4k packets. They
blast out to all the ones that they know, and take the amplification
that they can get. 50 -> 500 is still a pretty good amplification rate.
The important point being (as others have made to you) that this is not
an EDNS0 issue. It's also worth noting that I realize this wasn't the
main point you were trying to make, but it will probably be helpful for
you to get your facts straight.
> If that's actually a real problem, then I am forced to assume that there
> must have been numerous reliable reports of successful and devastating
> DNS reflection DDoS attacks which pre-dated the widespread adoption of
Again, you're making the wrong argument. As others have pointed out to
you, DNS amplification is just the attack du jour. There is evidence at
the moment that the kiddies are already moving to chargen since we seem
to be making some progress on open resolvers, and they want to keep
their options open.
>> There is no quick fix.
> I will settle for a slow one.
Then you really want to learn more about response rate limiting, which
already exists, and is in the process of being adopted into the major
flavors of authoritative DNS software. That will help a lot with DNS
amplification, but the real answer is still going to be BCP 38, with all
of its attendant thorns.
> I am not persuaded that we have even really begun in earnest a process that
> is likely to lead to that result. Almost everybody, even 13 years later,
> is still hoping for, and praying for, some utterly cost-free and pain-free
> solution to drop down out of the sky like manna from heaven.
Again, you need to become more familiar with the efforts that have been
ongoing for years.
Mark also made an excellent point about legislation for BCP 38 being an
unfortunate necessity at this point. For a variety of reasons there are
costs associated with implementing BCP 38, costs which a non-zero number
of operators have chosen not to pay. Adding legislative
penalties/incentives that will make implementing it less costly than not
is pretty much the only untried tool we have left.
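The two mitigations named in the message above, response rate limiting on the DNS server and BCP 38 ingress filtering at the source network, modelled in a small simulation. This is an added example, not code from the list post or from BIND; the limiter only loosely follows BIND's rate-limit semantics (responses per second per client /24, qname and qtype, with a "slip" of truncated replies), and the addresses, names and packet sizes are constructed for the run.

```python
# Added example: a minimal model of DNS response rate limiting (RRL) and of a
# BCP 38 ingress filter, the two mitigations named in the message above.
# Illustrative code, not BIND's implementation; all addresses, names and
# byte sizes below are constructed for the simulation.
import ipaddress
from collections import defaultdict

QUERY_BYTES = 50        # assumed on-the-wire size of a short ANY query
RESPONSE_BYTES = 512    # classic maximum for a non-EDNS0 UDP response
TC_RESPONSE_BYTES = 50  # assumed size of a truncated (TC=1) empty response


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes sent toward the spoofed source per byte the attacker sends."""
    return response_bytes / query_bytes


class ResponseRateLimiter:
    """Per-(client prefix, qname, qtype) limiter modelled loosely on BIND RRL.

    Within each one-second window a bucket may emit `responses_per_second`
    full responses.  Beyond that, every `slip`-th response is sent as a
    small truncated (TC=1) reply, which a genuine client retries over TCP
    and which is not worth reflecting; the rest are dropped.  IPv4 only.
    """

    def __init__(self, responses_per_second: int = 5, slip: int = 2,
                 ipv4_prefix_length: int = 24):
        self.rps = responses_per_second
        self.slip = slip
        self.prefix_len = ipv4_prefix_length
        self._sent = defaultdict(int)   # (window, key) -> full responses sent
        self._over = defaultdict(int)   # (window, key) -> responses over limit

    def _key(self, now: float, client_ip: str, qname: str, qtype: str):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (int(now), str(net), qname.lower(), qtype)

    def decide(self, now: float, client_ip: str, qname: str, qtype: str) -> str:
        """Return 'send', 'slip' or 'drop' for one would-be response."""
        key = self._key(now, client_ip, qname, qtype)
        if self._sent[key] < self.rps:
            self._sent[key] += 1
            return "send"
        self._over[key] += 1
        if self.slip and self._over[key] % self.slip == 0:
            return "slip"
        return "drop"


def bcp38_permits(source_ip: str, customer_prefixes) -> bool:
    """Ingress filter at the customer-facing edge (BCP 38 / RFC 2827):
    forward a packet only if its source address lies in a prefix that
    has actually been assigned to that customer."""
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(p) for p in customer_prefixes)


def simulate(queries, limiter=None) -> dict:
    """Run (time, src_ip, qname, qtype) queries through the server and
    total the bytes sent back toward each source address."""
    bytes_to = defaultdict(int)
    for now, src, qname, qtype in queries:
        verdict = "send" if limiter is None else limiter.decide(now, src, qname, qtype)
        if verdict == "send":
            bytes_to[src] += RESPONSE_BYTES
        elif verdict == "slip":
            bytes_to[src] += TC_RESPONSE_BYTES
    return dict(bytes_to)


# Constructed traffic: 1000 spoofed ANY queries "from" the victim within one
# second, plus three genuine A-record lookups from an unrelated client.
VICTIM = "203.0.113.10"
LEGIT = "198.51.100.5"
ATTACK = [(i / 1000, VICTIM, "example.com", "ANY") for i in range(1000)]
NORMAL = [(0.1, LEGIT, "example.com", "A"), (0.4, LEGIT, "www.example.com", "A"),
          (0.7, LEGIT, "example.com", "A")]
TRAFFIC = sorted(ATTACK + NORMAL)


def run_demo() -> dict:
    unlimited = simulate(TRAFFIC)
    limited = simulate(TRAFFIC, ResponseRateLimiter(responses_per_second=5, slip=2))
    return {
        "amplification": amplification_factor(QUERY_BYTES, RESPONSE_BYTES),
        "victim_bytes_without_rrl": unlimited[VICTIM],
        "victim_bytes_with_rrl": limited[VICTIM],
        "legit_bytes_with_rrl": limited[LEGIT],
        # The attacker's ISP assigned it 192.0.2.0/24 (assumed), so a BCP 38
        # filter there drops the spoofed queries before any resolver sees them.
        "spoof_passes_bcp38": bcp38_permits(VICTIM, ["192.0.2.0/24"]),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The run shows the point made above: even a 512-byte response is a tenfold amplifier, RRL cuts the reflected volume toward the victim by well over an order of magnitude while the legitimate client's three lookups are answered in full, and the BCP 38 check is the only one of the two that removes the spoofed packets altogether rather than just throttling what they reflect.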