DNS Amplification Attacks... and a trivial proposal

Mark Andrews marka at isc.org
Fri Jun 14 05:06:25 UTC 2013


In message <15120.1371179125 at server1.tristatelogic.com>, "Ronald F. Guilmette" writes:
> 
> In message <20130614023140.7735D35E2671 at drugs.dv.isc.org>, 
> Mark Andrews <marka at isc.org> wrote:
> 
> >* Router manufacturers have code to support BCP 38 though it defaults to off.
> 
> Well then, THAT is going to be a great help in solving the problem, isn't it?

Actually it is because it provides ISPs with tools they can use
in appropriate places.

> >* Large numbers of ISPs claim they implement BCP 38.
> 
> I claimed that I was Charlie Chaplin once.  Unfortunately, Robert Downey Jr.
> beat me to it.
> 
> (My claim also did not help any of the organizations who were DDoS'd last
> week in any material way.)

But it does, if the claims are valid, reduce the number of machines that
can be used to launch attacks from, and it also applies peer pressure on
other ISPs.  It also invalidates claims from ISPs that say they can't
implement BCP 38 when push comes to shove.

> >* NAT boxes tend to reduce the number of viable sources.  As more
> >  networks rather than hosts connect the IPv4 problem space will
> >  reduce.
> 
> At the risk of stating the obvious, putting a bunch of machines behind
> a NAT box does not make the routed IPv4 addresses that those boxes were
> formerly connected to disappear.

But it does stop machines behind the NAT boxes from being able to
reflect packets off machines elsewhere on the net.  Everything
coming from the NAT has the NAT's address as its source.  This turns
the attack from an amplified, reflected, DDoS attack into a straight
out DDoS attack (no amplification, no reflection).  Attempts to
launch attacks from behind the NAT impact the user of the NAT and
the would-be reflector, not third parties.

>  Do you believe that everybody who
> puts a box behind a NAT then immediately takes pains to insure that
> _nothing_ will ever represent itself to the public Internet as occupying
> that box's previous routed address ever again?  Or is it just as likely,
> if not more so, that some new box will be put in the old box's place...
> a new box which is even less likely than the old one to be a mere end-
> luser client machine, incapable of reflecting anything, and vastly more
> likely to be a brand new *server* of some sort... probably of a kind that
> will suddenly make that IP address useful as a packet reflector, where
> the prior box would not have been useful at all in that respect?

I'd rather have another reflector than a spoofed traffic source.
There will always be reflectors.  There doesn't have to be any
sources of spoofed traffic.

CPE vendors have been informed of the broken defaults in their boxes
and new equipment will ship which is not broken.  ISPs can filter
inbound traffic directed at port 53 by default but allow an end user
to remove the filter.  They do this sort of thing for SMTP.

Sensible defaults are making their way through the IETF so that CPE
vendors have some guidance on how to configure their boxes for IPv6
so that they are not reflectors or other sources of badness.  As more
ISPs deploy IPv6 the number of bad IPv4-only CPE boxes will decrease.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
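
The three mechanisms argued over in this exchange (BCP 38 ingress filtering at the ISP, source NAT on the customer's CPE, and a default inbound port 53 filter that a customer can opt out of) can be modelled in a few lines. The following is an added illustration, not code from the original message or from ISC; the prefixes, the NAT address, the "victim" address and the resolver address are constructed documentation-range values, and every function name is hypothetical. It traces where an open resolver's response ends up depending on which of those controls is in place.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Iterable, Optional

# Constructed example values (RFC 5737 / RFC 3849 documentation ranges).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),     # IPv4 block assigned to one customer port
    ipaddress.ip_network("2001:db8:100::/48"),  # IPv6 block assigned to the same customer
]
NAT_PUBLIC_ADDR = "203.0.113.1"   # hypothetical CPE doing source NAT for its LAN
VICTIM_ADDR = "192.0.2.9"         # an address outside the customer's prefixes
OPEN_RESOLVER = "198.51.100.53"   # hypothetical recursive server reachable from anywhere


@dataclass(frozen=True)
class Packet:
    src: str    # source address as written in the IP header
    dst: str
    dport: int
    size: int   # bytes on the wire


def bcp38_ingress_allows(pkt: Packet, customer_prefixes: Iterable) -> bool:
    """BCP 38 ingress filter on the customer-facing interface: a packet is
    forwarded only if its source lies in a prefix assigned to that customer."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in customer_prefixes)


def nat_rewrite(pkt: Packet, nat_public_addr: str) -> Packet:
    """Source NAT: whatever source a LAN host wrote, the packet leaves the
    CPE carrying the CPE's own public address."""
    return replace(pkt, src=nat_public_addr)


def reflected_response_destination(pkt: Packet, customer_prefixes: Iterable, *,
                                   nat_public_addr: Optional[str] = None,
                                   ingress_filter: bool = True) -> Optional[str]:
    """Follow one query from a customer LAN host towards an open resolver and
    report where the (typically much larger) response is delivered.
    None means the ISP dropped the query before it reached the resolver."""
    if nat_public_addr is not None:
        pkt = nat_rewrite(pkt, nat_public_addr)
    if ingress_filter and not bcp38_ingress_allows(pkt, customer_prefixes):
        return None
    # The resolver answers whatever source address it saw in the query.
    return pkt.src


def inbound_port53_allowed(pkt: Packet, opted_out: Iterable) -> bool:
    """ISP default filter on traffic entering the customer network: packets
    to port 53 are dropped unless the destination sits in a prefix whose
    owner asked to have the filter removed (the opt-out described above)."""
    if pkt.dport != 53:
        return True
    dst = ipaddress.ip_address(pkt.dst)
    return any(dst in net for net in opted_out)


def demo() -> dict:
    """A query whose source field carries the victim's address, sent from a
    host on the customer's LAN, under three combinations of controls."""
    spoofed = Packet(src=VICTIM_ADDR, dst=OPEN_RESOLVER, dport=53, size=64)
    return {
        "filter on, no NAT": reflected_response_destination(
            spoofed, CUSTOMER_PREFIXES),
        "filter off, no NAT": reflected_response_destination(
            spoofed, CUSTOMER_PREFIXES, ingress_filter=False),
        "filter off, behind NAT": reflected_response_destination(
            spoofed, CUSTOMER_PREFIXES, nat_public_addr=NAT_PUBLIC_ADDR,
            ingress_filter=False),
    }


if __name__ == "__main__":
    for case, dest in demo().items():
        print(f"{case:24s} -> response goes to {dest or 'nobody (dropped by ISP)'}")
```

With the ingress filter on, the forged query never leaves the ISP; with it off and no NAT, the response lands on the third party whose address was forged; with a NAT in the path the response comes back to the NAT's own address, which is exactly the "no amplification, no reflection" outcome the message describes. The port 53 check models the opt-out as a list of prefixes whose owners have asked for the inbound filter to be lifted.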

