DNS Amplification Attacks... and a trivial proposal

Vernon Schryver vjs at rhyolite.com
Fri Jun 14 03:21:07 UTC 2013


> From: "Ronald F. Guilmette" <rfg at tristatelogic.com>

} That is an interesting contention.  Is there any evidence of, or even any
} reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
} using strictly 512 byte packets?
}
} If that's actually a real problem, then I am forced to assume that there
} must have been numerous reliable reports of successful and devastating
} DNS reflection DDoS attacks which pre-dated the widespread adoption of
} EDNS0.  I am not sure where or how I would be able to unearth archived
} but contemporaneous news accounts of such incidents, so if you could
} send me some links to archived copies of a few such pre-EDNS0 DDoS
} reports, I sure would appreciate it.

Expecting to get detailed (e.g. packet dumps, packet sizes, IP
addresses, ASNs) reports of DDoS attacks is like expecting samples
of spam from anti-spam operators.  Even the general outlines of
reports tend to be private.

 ....

>  At which server? The numerous DDoS-participating individual intermediaries?
> Or the (singular) DDoS victim?

It wouldn't hurt to learn about the DNS protocol in general and DNS
reflection attacks in particular before parachuting in with the Final
Ultimate DNS Reflection DoS Attack Solution.  Besides the facts that
DNSSEC makes the problem worse and that EDNS0 was not the genesis of
DNS reflection attacks, "intermediary" is a poor fit for a recursive
DNS resolver (but might fit a stub resolver).  A recursive server
answers from its cache.  After it has recursed and until TTLs expire,
a recursive server acts like an authority.  That is why the query
handling code in a DNS server implementation tends to treat its cache
like a zone file.

"Intermediary" simply does not fit the problem of open resolvers in
DNS reflection attacks, because a DNS referral can give plenty of
amplification.  For example, I get more than 500 bytes of UDP payload
from `dig +norecurs example.com` and almost 900 bytes from
`dig +dnssec +norecurs example.com`.  (If a recursive answering with
a referral is an "intermediary", then so is every non-leaf authority.)

"Singular DDoS victim" is off the mark compared to "DDoS victim."  For
obvious reasons, multi-Gbit/sec attacks often affect entire networks.
(Multi-Gbit/sec attacks are more common than one might understand from
some press releases.)  In addition, there can be multiple IP addresses
in an attack, and none of the target IP addresses need be in use by any
hosts.  Any host that is at a targeted address is not expecting the
DoS packets and is sending as many ICMP Port-Unreachable error
messages as its ICMP rate limits and firewalls allow (often none)--not
to mention what the incoming flood might have done to BGP sessions
and so forth and so on.

Consider the implications of those facts, as well as the general meaning
of "denial of service attack" on any Final Ultimate Solution that
requires DDoS victims to send packets to DNS servers.


Vernon Schryver    vjs at rhyolite.com
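As an added illustration of the referral-amplification point made above (not code from the message or from BIND), the following Python builds the wire form of a `dig +norecurs example.com` query and of a constructed root referral reply (13 NS records with A glue, using the documentation prefix 192.0.2.0/24 as placeholder addresses) and compares their sizes. Real root referrals also carry AAAA glue, and with `+dnssec` the RRSIGs, so they are larger still.

```python
import struct

# Constructed sample: the 13 root server names with placeholder A glue.
ROOT_SERVERS = [(f"{c}.root-servers.net", f"192.0.2.{i + 1}")
                for i, c in enumerate("abcdefghijklm")]

def encode_name(name, compress, pos):
    """Wire-encode a DNS name (RFC 1035 section 4.1.4 compression).
    `compress` maps an already-written suffix to its message offset;
    `pos` is the offset at which this name will be written."""
    if name in ("", "."):
        return b"\x00"                      # the root name is a single zero byte
    labels = name.rstrip(".").split(".")
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in compress:              # reuse: emit a 2-byte pointer instead
            return out + struct.pack("!H", 0xC000 | compress[suffix])
        compress[suffix] = pos + len(out)
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def dns_query(qname):
    """Minimal A query with RD=0, i.e. what `dig +norecurs` sends."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0000, 1, 0, 0, 0)
    return hdr + encode_name(qname, {}, len(hdr)) + struct.pack("!HH", 1, 1)

def referral_response(qname, nameservers):
    """Referral to the root: empty answer section, NS RRset for '.' in the
    authority section, one A glue record per server in the additional section."""
    comp = {}
    msg = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0,
                      len(nameservers), len(nameservers))
    msg += encode_name(qname, comp, len(msg)) + struct.pack("!HH", 1, 1)
    for ns, _ in nameservers:               # authority: ". IN NS <ns>"
        msg += encode_name(".", comp, len(msg)) + struct.pack("!HHIH", 2, 1, 172800, 0)
        rdata = encode_name(ns, comp, len(msg))
        msg = msg[:-2] + struct.pack("!H", len(rdata)) + rdata   # fill RDLENGTH
    for ns, ip in nameservers:              # additional: "<ns> IN A <ip>"
        msg += encode_name(ns, comp, len(msg)) + struct.pack("!HHIH", 1, 1, 172800, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg

def amplification(query, response):
    """Bytes of UDP payload returned per byte of UDP payload received."""
    return len(response) / len(query)

if __name__ == "__main__":
    q, r = dns_query("example.com"), referral_response("example.com", ROOT_SERVERS)
    print(f"query {len(q)} bytes, referral {len(r)} bytes, x{amplification(q, r):.1f}")
```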