DNS Amplification Attacks... and a trivial proposal
dougb at dougbarton.us
Sat Jun 15 00:41:30 UTC 2013
On 06/14/2013 05:13 PM, Vernon Schryver wrote:
>> From: Doug Barton <dougb at dougbarton.us>
>> is that (like RRL) your proposal relies on people updating their
> RRL needs only authority and open recursive servers to be updated.
> The vast majority of DNS installations are closed recursive and stubb
> servers that do not need RRL. (A case could be made for RRL on a
> minority of private recursive servers.)
You're right of course, but unfortunately at least where open resolvers
are concerned the same people who operate open resolvers are also those
least likely to know what RRL is, or why it's needed; and are also least
likely to actually upgrade old software. So a statistically significant
percentage of the "long tail" problem is going to apply to those who
would provide the most benefit from making the change.
I could therefore make a pretty strong case that RRL should be on by
default, but I realize that's incredibly unlikely to fly. :)
> Other ideas that I like such as DNS cookies would need more widespread
> changes, which makes enthusiasm for them taxing.
Yeah, that's unfortunate since if it's a good idea it's worth
implementing no matter how long it takes to be beneficial. The time will
pass either way.
>> RRL is actually useful for DDOS
>> attacks against the authoritative server itself. There are likely other
>> reasons, but those are the most obvious (to me anyway).
> That's in the RRL sales story that I've been flogging since before the
> first version of the RRL patch, but so far it has been only incidentally
> true. Some DNS server operators have reported drastic reductions in
> network and CPU load during attacks thanks to RRL, but they were not
> the intended victims of the attacks.
Personally I've never understood why RRL wasn't already baked in. The
only way a legitimate client could send the same query over and over in
a short period of time (intentionally being vague on both terms) is that
it is broken. We did the smart thing to solve that problem on the
iterative side 10 years ago, I don't know why it's taken so long to
solve the auth side. :)
More information about the bind-users