DNS Amplification Attacks... and a trivial proposal

Ronald F. Guilmette rfg at tristatelogic.com
Fri Jun 14 11:28:50 UTC 2013

In message <20130614050625.850CF35E5911 at drugs.dv.isc.org>, 
Mark Andrews <marka at isc.org> wrote:

>In message <15120.1371179125 at server1.tristatelogic.com>, "Ronald F. Guilmette"
> writes:
>> >* Large numbers of ISPs claim they implement BCP 38.
>> I claimed that I was Charlie Chaplin once.  Unfortunately, Robert Downey Jr.
>> beat me to it.
>> (My claim also did not help any of the organizations who were DDoS'd last
>> week in any material way.)
>But it does {help} if the claims are valid {and} reduce the number of machines that
>can be used to launch attacks from


>... and it also applies peer pressure on other ISPs.

Oh!... Yea!...  THAT will certainly work and have a big impact.   (Please
just ignore that suppressed snickering coming from the back of the room.
Those people are from Missouri.)

>It also invalidates claims from ISP's that say they can't
>implement BCP 38 when push comes to shove.

Could you help me out a little here?  I just want to mark it on my
calendar... When exactly is push currently anticipated to intersect
with shove?  (I personally have been waiting for this cosmological
once-in-a-lifetime event for the past 10+ years already.  I don't
mean to seem impatient, but this is starting to border on ridiculous
now.  Where is that much-rumored packet-based Pearl Harbor when we
need it?    How many more legitimate packets have to die before
_everyone_ summons up the courage to end this mess once and for all?
What are the recalcitrant hold-outs waiting for?  The second coming??)

>> At the risk of stating the obvious, putting a bunch of machines behind
>> a NAT box does not make the routed IPv4 addresses that those boxes were
>> formerly connected to disappear.
>But it does stop machines behind the NAT boxes from being able to
>reflect packets off machines elsewhere on the net.  Everything
>coming from the NAT has the NAT's address as its source.

That would be nice.  I personally don't know if it is always and
everywhere true or not.  It would indeed be some comfort if it
were indeed everywhere and always true, but even my trusty old WRT54G
has some rather interesting "tunneling" options that I vaguely
suspect might allow for some rather questionable stuff to occur.
(I know for a fact that one hijacked machine that was most certainly
behind a NAT box was nonetheless serving up helpful DNS responses for
some rather unsavory East Block phake pharmacy spammers... at least
once upon a time.  I worry what other NAT box funny business may make
it possible to dole out, to the net at large, odd packets, including
perhaps even spoofed ones under certain conditions.  And yes, in such
a case the box can no longer be called a purely "NAT" box in the strictest
sense of the word.  Let's not waste time quibbling about that.  The issue
isn't the terminology.  The issue is "What are the capabilities?")

>This turns
>the attack from an amplified, reflected, DDoS attack into a straight
>out DDoS attack (no amplification, no reflection).  Attempts to
>launch attacks from behind the NAT impact the user of the NAT and
>the would-be reflector, not third parties.

One hopes anyway.  But none of this negates the more important and
overriding point I made, to wit:

>>  Do you believe that everybody who
>> puts a box behind a NAT then immediately takes pains to insure that
>> _nothing_ will ever represent itself to the public Internet as occupying
>> that box's previous routed address ever again?  Or is it just as likely,
>> if not more so, that some new box will be put in the old box's place...
>> a new box which is even less likely than the old one to be a mere end-
>> luser client machine, incapable of reflecting anything, and vastly more
>> likely to be a brand new *server* of some sort... probably of a kind that
>> will suddenly make that IP address useful as a packet reflector, where
>> the prior box would not have been useful at all in that respect?
>I'd rather have another reflector than a spoofed traffic source.

Well, that makes one of us.

>There will always be reflectors.  There doesn't have to be any
>sources of spoofed traffic.

There doesn't have to be, but there always will be, nonetheless.  It's
like trying to close the last open SMTP relay... which actually might
be possible someday... like eradicating smallpox... versus locking down
every single last bloody IPv4 address on every single bloody last
machine in every single bloody last Kinko's or Internet cafe in the
entire Universe and making sure that each and every one of them cannot
make an unfettered outbound port 25 (smtp client) TCP connect to any
bloody address they want.  THAT will just never happen.

Amplification is like leverage.

The Greek mathematician and inventor, Archimedes, upon realizing the
limitless implications of his new invention, the lever, is believed
to have said "Give me a place to stand and I can move the world!"

As regards to amplification attack origination points, there will
_always_ be a place to stand (to originate the attack from).  We need
to take away the lever.  The lever is the amplifying reflectors.  Right
now they are all "dumb".  I merely suggested making them just intelligent
enough so that they can comprehend the command "Stop hurting me!"

But I guess that is a radical notion.

>CPE vendors have been informed of the broken defaults in their boxes
>and new equipment will ship which is not broken.

Great!  That certainly won't hurt.

I am compelled to wonder aloud however how it can possibly be the case
that anybody would ever hold the position that we are likely to see a
solution to this problem sooner, more conveniently, and at lower cost
by pushing out updated _hardware_ to millions of sites worldwide, you
know, as opposed to pushing out updated _software_ to millions of sites

Call me old fashioned, but I cling to the antiquated belief that it
might actually be easier, faster, and less expensive to change out
software than it is to change out hardware.

I guess that somebody needs to call out the men with the white coats
that strap up in the back and tell them to come and get me.
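The thread argues over three different controls: BCP 38 ingress filtering at the ISP edge (Mark's position), plain NAT rewriting every outbound source to the NAT's own address, and Ronald's proposal that the reflectors themselves become smart enough to stop answering a source that is hammering them. The toy model below is an added illustration, not code from either poster or from BIND; every address, packet size, amplification ratio and query count is a constructed value, and the reflector's per-source limit is a deliberately crude stand-in for any real response-rate-limiting scheme. It runs one burst of spoofed queries through each control and reports how many bytes actually reach the victim versus the attacker's own NAT address.

```python
"""Toy model of the DNS reflection paths discussed in the thread:
spoofed queries aimed at an open resolver, with and without BCP 38
ingress filtering, NAT source rewriting, and a per-source response
limit on the reflector.  All values below are constructed for the
illustration; nothing here is measured from a real network."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    size: int  # bytes on the wire


def bcp38_filter(customer_prefix: str, packets):
    """ISP edge ingress filter (BCP 38 / source address validation):
    forward only packets whose source lies inside the prefix assigned
    to that customer port; anything with a forged source is dropped."""
    net = ipaddress.ip_network(customer_prefix)
    return [p for p in packets if ipaddress.ip_address(p.src) in net]


def nat_rewrite(public_ip: str, packets):
    """A plain NAT box: everything leaving it carries the NAT's own
    public address as source, so any reflected reply comes back to it."""
    return [Packet(public_ip, p.dst, p.size) for p in packets]


class Reflector:
    """An open resolver that answers every query with a response
    `amplification` times larger.  With `limit` set it stops answering
    a claimed source once that source has sent more than `limit`
    queries: a crude per-source limit, the "stop hurting me" idea."""

    def __init__(self, ip: str, amplification: int = 30,
                 limit: Optional[int] = None):
        self.ip = ip
        self.amplification = amplification
        self.limit = limit
        self.seen = Counter()  # queries seen per claimed source address

    def respond(self, packets):
        replies = []
        for p in packets:
            if p.dst != self.ip:
                continue  # not addressed to this resolver
            self.seen[p.src] += 1
            if self.limit is not None and self.seen[p.src] > self.limit:
                continue  # drop: this source has exceeded its budget
            replies.append(Packet(self.ip, p.src, p.size * self.amplification))
        return replies


def bytes_to(address: str, packets) -> int:
    """Total bytes in `packets` that are addressed to `address`."""
    return sum(p.size for p in packets if p.dst == address)


# Constructed scenario values (documentation ranges, not real hosts).
CUSTOMER_PREFIX = "203.0.113.0/24"  # prefix the ISP assigned the attacker's site
NAT_PUBLIC = "203.0.113.1"          # public side of that site's NAT box
VICTIM = "198.51.100.5"             # address the attacker forges as source
REFLECTOR = "192.0.2.53"            # open resolver used as the lever
QUERY_SIZE = 60                     # bytes per spoofed query
QUERIES = 100                       # queries in one burst


def simulate(*, edge_filter: bool, behind_nat: bool,
             limit: Optional[int] = None) -> dict:
    """Run one burst of spoofed queries through the chosen controls and
    return the bytes delivered to the victim and to the NAT's address."""
    # The attacker forges the victim's address as the query source.
    queries = [Packet(VICTIM, REFLECTOR, QUERY_SIZE) for _ in range(QUERIES)]
    if behind_nat:
        queries = nat_rewrite(NAT_PUBLIC, queries)   # spoof is overwritten
    if edge_filter:
        queries = bcp38_filter(CUSTOMER_PREFIX, queries)  # spoof is dropped
    replies = Reflector(REFLECTOR, limit=limit).respond(queries)
    return {"victim": bytes_to(VICTIM, replies),
            "nat": bytes_to(NAT_PUBLIC, replies)}


if __name__ == "__main__":
    cases = [
        ("no controls", dict(edge_filter=False, behind_nat=False)),
        ("BCP 38 at the edge", dict(edge_filter=True, behind_nat=False)),
        ("host behind NAT", dict(edge_filter=False, behind_nat=True)),
        ("reflector limits each source to 10", dict(edge_filter=False,
                                                    behind_nat=False, limit=10)),
    ]
    for label, kw in cases:
        print(f"{label:38s} {simulate(**kw)}")
```

With no controls the 100 queries of 60 bytes become 180,000 bytes aimed at the victim. BCP 38 drops every spoofed query before it reaches the reflector, so nothing is reflected at all. Behind a NAT the same 180,000 bytes come back to the NAT's own address, which is exactly the "straight DDoS of yourself" outcome described above. The per-source limit still lets the first ten answers through to the victim; it reduces the lever rather than removing the place to stand, which is the trade-off the two posters are arguing about.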

