DNS Amplification Attacks... and a trivial proposal

Ronald F. Guilmette rfg at tristatelogic.com
Fri Jun 14 10:28:24 UTC 2013


In message <201306140321.r5E3L7PY017641 at calcite.rhyolite.com>, 
Vernon Schryver <vjs at rhyolite.com> wrote:

>> From: "Ronald F. Guilmette" <rfg at tristatelogic.com>
>
>} That is an interesting contention.  Is there any evidence of, or even any
>} reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
>} using strictly 512 byte packets?
>}
>} If that's actually a real problem, then I am forced to assume that there
>} must have been numerous reliable reports of successful and devastating
>} DNS reflection DDoS attacks which pre-dated the widespread adoption of
>} EDNS0.  I am not sure where or how I would be able to unearth archived
>} but contemporaneous news accounts of such incidents, so if you could
>} send me some links to archived copies of a few such pre-EDNS0 DDoS
>} reports, I sure would appreciate it.
>
>Expecting to get detailed (e.g. packet dumps, packet sizes, IP
>addresses, ASNs) reports of DDoS attacks is like expecting samples
>of spam from anti-spam operators.  Even the general outlines of
>reports tend to be private.

OK. I just want to be clear here, and make sure that I have properly
understood what you have said.   Would it be correct, then, to say that
at the present moment you are not actually able to produce, cite, or
describe, with any particularity or specificity, even one individual
specific incident in which 512 byte packets were used to perpetrate
any individual, effective, and successful DDoS attack which actually
resulted in some actual "service" being "denied", and that you are
likewise unable to relate any specifics about any such purported attack
which was in any other way worthy of note?

Assuming so, I regret that I feel compelled to reiterate my earlier
contention, based upon the publicly available evidence (or rather
I should say, the lack thereof) that the promulgation and deployment
of the ``feature'' known as EDNS0 is largely if not entirely responsible
for the majority, if not the entirety of all of the many DNS reflection
DDoS problems that have been making headlines, both in recent days, and
for lo these past many years.  Based upon the available evidence, it
does seem to me that any attempts to deny this direct connection between
EDNS0 and all or essentially all modern destructive DNS reflection
DDoS attacks have about as much credibility as attempts to deny that the
primary responsibility for most of the tensions on the Korean Peninsula
in recent years has been largely if not entirely attributable to the North.

Not that any of this even makes any material difference to anything, of
course.  I do believe that we can all agree, at the very least, that
people, companies, and institutions _are_ being attacked, rather routinely,
and that one way or another DNS is being used within the context of these
attacks.  That fact is, I believe, the overriding point.  EDNS0 is not
hardly going to be put into mothballs anytime soon, so the only important
question now is "How can the attacks be prevented or mitigated?"  (Still,
while attempting to find an answer to that question, it is important to
keep in mind that teensy-weensy ``attack'' packets are not actually THE
problem.)

> ....  >
>>  At which server? The numerous DDoS-participating individual intermediaries?
>> Or the (singular) DDoS victim?
>
>It wouldn't hurt to learn about the DNS protocol in general and DNS
>reflection attacks in particular before parachuting in with the Final
>Ultimate DNS Reflection DoS Attack Solution.

Vernon, I cannot thank you enough for your explicit and unambiguous
condescension.   The way I figure it, any idea that warrants quite
such a level of unprovoked animosity, coupled with an implicit resort
to what I believe is traditionally referred to as an argument based
upon an "appeal to authority" (in lieu of anything persuasive) can't be
all bad.  I confess that earlier, I was unsure about the merits of the
modest idea I had put forward here, but now I am both invigorated and
enthused about pursuing it further.  It must have genuine merit if it
can garner such hostility without even hardly trying.

As regards to "parachuting in", I do agree completely that this is
most definitely a mode of transportation worthy of avoiding, and
I myself avoid it at all costs and at all times.  You see, I have an
overwhelming fear of heights, which is probably just as well, since
it prevents me from acquiring an over-lofty opinion of the infallibility
of my own opinions.   (I am personally acquainted with a few people who
do suffer from that condition, and I can tell you based on personal
experience that they really are frightful bores.)

With regards to making grandiose claims of having developed a Final
Ultimate solution to any sort of problem(s) relating to the Internet,
as enticing as that sounds, to the best of my knowledge (and unless
I have been sleep-posting recently without having been conscious of
it) I personally have never engaged in that sort of personal puffery.
I suspect that you may perhaps have gotten me mixed up with someone
else, perhaps even that fellow who seemed to be making such claims
relating to some sort of checksum-based anti-spam scheme.  (I'm sorry,
but I really do not remember his name at the moment.  I'm sure that
it will come to me, but if it doesn't in short order I'm sure that
I can always google for it.)

While the foregoing points are all interesting diversions, I think
that it might actually be useful to return, civilly and with respect,
to the issue at hand, and perhaps even to the question you saw fit not
to answer.

Returning to the technical discussion that preceded the entertaining
but otherwise vapid and vacuous diversions, please allow me to once
again attempt to draw your attention towards the very specific comments
you made about how you thought the DDoS problem really should be, and
needed to be solved.  Here are those specific comments again:

>Unfamiliar (no cookie) DNS clients that show
>some (or no) sign of badness could be sent to TCP, could be given
>lower rate limits, ignored entirely (dropped), or whatever makes
>sense at the server.

I merely asked you to clarify, for the record, that when you said
"...whatever makes sense AT THE SERVER" you were intending to refer,
very specifically, to the entire SET of servers which were, or which
would be acting as "reflectors" during a DNS reflection attack.  (I
assume, based upon the context of your comments, that this is indeed
what you meant to say, however if not then I politely offered you an
opportunity to clarify that, and do so again now.)

I believe that what we have here is a failure to communicate.  My question
was not actually prompted by the kind of abundant ignorance of the topic
at hand which you seem a bit too eager to impute to any person or statement
which does not entirely or immediately conform to your personal
view of either the problem or its solution.  Rather, my question was
prompted, neither by misunderstanding nor ignorance, but rather by
common courtesy.  This may perhaps have inadvertently contributed to
your inability to properly understand it.  No matter.  I will try
putting the question a different way and see if that helps.

The view that you were apparently putting forward, via your comments quoted
immediately above, seems to be that the ``right'' solution to the DNS
reflection DDoS problem is that the entire set of servers that are
participating as reflectors in a DNS reflection attack should all, individually
and collectively, take specific steps to limit the damage being wrought
as a result of the attack, and that they should do so based upon "whatever
makes sense" from the viewpoint of each of those servers.  (If I am
misquoting or taking out of context I feel sure that you will be
johnny-on-the-spot to offer to correct me.)

So anyway, far be it from me to suggest or even to imply that _any_ server
should at any time do anything other than (as you yourself put it) "whatever
makes sense".  Doing "what makes sense" is, by definition, always the sensible
thing to do.  On that I believe we agree.  Where we may perhaps diverge is
on a different and in some ways more fundamental point.

I call your attention to another comment that you yourself made:

>Sufficiently distributed or disbursed DNS reflection attacks (e.g. qps<1
>at reflectors) are hard even to detect except at the victim.

Based upon that clear and unambiguous comment, I put to you the clear,
simple, and obvious question:  If only the victim can even detect
that an attack is ongoing, then how exactly are the numerous machines
that are only being used as reflectors to be expected to do _anything_
useful in the way of mitigating the attack, EVEN IF they are all,
individually, collectively, and within each of their respective local
contexts doing "whatever makes sense"?  How exactly will they contribute
to mitigating a problem that they do not even know exists?

I am sincerely eager to be tutored by your eloquence, unambiguous
intellectual prowess, and unfathomably deep understanding as you
explain to me how the various reflector machines... including those
that are doing "whatever makes sense"...  are going to be induced
to take steps to mitigate an attack that they themselves do not even
know is occurring.  (This certainly promises to be, um, interesting.)

>... EDNS0 was not the genesis of DNS reflection attacks,

I agree that EDNS0 was not the genesis of DNS reflection attacks GENERALLY...
just the modern really bad ones.

>"intermediary" is a poor fit for a recursive
>DNS resolver (but might fit a stub resolver).

After a long and productive day of playing Minesweeper, I do so enjoy
settling down to play a nice long relaxing game of "My terminology is
more better than your terminology."  If only I had a dollar for every
hour I have whiled away in this endlessly enjoyable leisure pursuit...

>"Intermediary" simply does not fit the problem of open resolvers in
>DNS reflection attacks...

You're right, of course, Vernon.  (Sorry. For a moment there I forgot
that we can all just assume that, as a default, in all cases.)  On
second thought I don't much like the term "intermediary" either.
So in future, let's just agree, by mutual consent, to call them
"rouge manifolds" instead.  Yes!  That's the ticket.  I'm confident
that using that term instead will make the meaning more immediately
obvious and apparent to all participants.

>"Singular DDoS victim" is off the mark compared to "DDoS victim."

Given that several new members are inducted... unwillingly... into this
ever-less-exclusive club every bleedin' day now, I cannot, and will not
hardly argue the matter.  Far from it.  You have a point sir.  Singular
they most certainly are not!  Abundant be they.

(Good!  Like the Right Honorable James Hacker, I also always like to end
on a note of agreement.)


Regards,
rfg
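The two technical points argued over in this message, that the size of the reflected response (512 bytes versus an EDNS0-sized response) sets the amplification factor, and that a reflector applying per-client response rate limiting cannot act on an attack it sees at well under one query per second, can be checked with a small model. The following is an added example written for this archive page; it is not code from either correspondent or from BIND. The 512-byte figure comes from the thread; the query size of 60 bytes, the EDNS0 buffer of 4096 bytes, the per-client limit of 5 responses per second, and all traffic in it are constructed assumptions.

```python
"""Model of per-reflector response rate limiting versus a distributed DNS
reflection attack.  Added illustration, not code from the original post."""
from collections import Counter

# Constructed parameters (assumptions, not figures from the post, except 512)
QUERY_BYTES = 60          # small UDP query incl. IP/UDP headers: assumption
RESPONSE_CLASSIC = 512    # pre-EDNS0 UDP response ceiling (from the thread)
RESPONSE_EDNS0 = 4096     # commonly advertised EDNS0 UDP buffer: assumption
RRL_LIMIT_PER_SEC = 5     # hypothetical per-client responses/sec a reflector allows


def amplification(response_bytes, query_bytes=QUERY_BYTES):
    """Bandwidth amplification: bytes arriving at the victim per byte the
    sender had to emit toward a reflector."""
    return response_bytes / query_bytes


def build_traffic(n_reflectors, qps_per_reflector, seconds):
    """Construct synthetic spoofed-source query events as (second, reflector_id).
    qps_per_reflector may be fractional, e.g. 0.2 means one query every 5 s.
    Timestamps are derived by integer index / rate to avoid float drift."""
    per_reflector = round(qps_per_reflector * seconds)
    return [(int(i / qps_per_reflector), r)
            for r in range(n_reflectors)
            for i in range(per_reflector)]


def apply_rrl(events, limit_per_sec=RRL_LIMIT_PER_SEC):
    """Each reflector rate-limits responses to one (spoofed) source address,
    using only its own view of the traffic.  Returns (sent, dropped)."""
    bucket = Counter()            # (reflector, second) -> responses already sent
    sent = dropped = 0
    for sec, reflector in events:
        if bucket[(reflector, sec)] < limit_per_sec:
            bucket[(reflector, sec)] += 1
            sent += 1
        else:
            dropped += 1
    return sent, dropped


def victim_view(events, response_bytes, seconds, limit_per_sec=RRL_LIMIT_PER_SEC):
    """What the single victim receives after every reflector applied RRL,
    alongside the busiest rate any individual reflector observed."""
    sent, dropped = apply_rrl(events, limit_per_sec)
    per_reflector = Counter(r for _, r in events)
    return {
        "responses_delivered": sent,
        "responses_suppressed": dropped,
        "victim_responses_per_sec": sent / seconds,
        "victim_bytes_per_sec": sent * response_bytes / seconds,
        "max_qps_seen_by_any_reflector": max(per_reflector.values()) / seconds,
    }


if __name__ == "__main__":
    # Same total query volume (5000 over 10 s) in both constructed scenarios.
    concentrated = build_traffic(n_reflectors=10, qps_per_reflector=50, seconds=10)
    distributed = build_traffic(n_reflectors=2500, qps_per_reflector=0.2, seconds=10)
    print("amplification 512-byte:", amplification(RESPONSE_CLASSIC))
    print("amplification EDNS0   :", amplification(RESPONSE_EDNS0))
    for name, ev in (("concentrated", concentrated), ("distributed", distributed)):
        print(name, victim_view(ev, RESPONSE_EDNS0, 10))
```

Running it shows the asymmetry the message asks about: with ten reflectors each seeing 50 queries per second, per-reflector RRL suppresses 90% of the responses; spread over 2500 reflectors at 0.2 queries per second each, every reflector is below the limit, nothing is suppressed, and only the victim sees the aggregate. Swapping RESPONSE_CLASSIC for RESPONSE_EDNS0 changes the victim's byte rate by the ratio of the two response sizes, which is the amplification argument in numbers.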

