DNS Amplification Attacks... and a trivial proposal

Warren Kumari warren at kumari.net
Fri Jun 14 15:46:32 UTC 2013


On Jun 14, 2013, at 6:28 AM, "Ronald F. Guilmette" <rfg at tristatelogic.com> wrote:

> 
> In message <201306140321.r5E3L7PY017641 at calcite.rhyolite.com>, 
> Vernon Schryver <vjs at rhyolite.com> wrote:
> 
>>> From: "Ronald F. Guilmette" <rfg at tristatelogic.com>
>> 
>> } That is an interesting contention.  Is there any evidence of, or even any
>> } reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
>> } using strictly 512 byte packets?
>> }
>> } If that's actually a real problem, then I am forced to assume that there
>> } must have been numerous reliable reports of successful and devastating
>> } DNS reflection DDoS attacks which pre-dated the widespread adoption of
>> } EDNS0.  I am not sure where or how I would be able to unearth archived
>> } but contemporaneous news accounts of such incidents, so if you could
>> } send me some links to archived copies of a few such pre-EDNS0 DDoS
>> } reports, I sure would appreciate it.
>> 
>> Expecting to get detailed (e.g. packet dumps, packet sizes, IP
>> addresses, ASNs) reports of DDoS attacks is like expecting samples
>> of spam from anti-spam operators.  Even the general outlines of
>> reports tend to be private.
> 
> OK. I just want to be clear here, and make sure that I have properly
> understood what you have said.   Would it be correct, then, to say that
> at the present moment you are not actually able to produce, cite, or
> describe, with any particularity or specificity, even one individual
> specific incident in which 512 byte packets were used to perpetrate
> any individual, effective, and successful DDoS attack which actually
> resulted in some actual "service" being "denied", and that you are
> likewise unable to relate any specifics about any such purported attack
> which was in any other way worthy of note?
> 

Oh dear. Knowing many of the participants, I know I should stay out of this discussion, but…. 

In ~2001 I was working for Register.com as lead network engineer.

We received numerous DoS attacks, including a number of (for the time) large DNS reflection attacks, some of which saturated our bandwidth (around 2Gbps), LB capacity and in at least one case made our routers fall over, taking down our web service and DNS service.  As well as denying service to our stuff there was collateral damage to hosted DNS customers.

Ok, I admit they were not *512 byte* packets -- in many cases they were ~490 bytes or smaller.

Specific enough?

W





> Assuming so, I regret that I feel compelled to reiterate my earlier
> contention, based upon the publicly available evidence (or rather
> I should say, the lack thereof) that the promulgation and deployment
> of the ``feature'' known as EDNS0 is largely if not entirely responsible
> for the majority, if not the entirety of all of the many DNS reflection
> DDoS problems that have been making headlines, both in recent days, and
> for lo these past many years.  Based upon the available evidence, it
> does seem to me that any attempts to deny this direct connection
> between EDNS0 and all or essentially all modern destructive DNS reflection
> DDoS attacks has about as much credibility as attempts to deny that the
> primary responsibility for most of the tensions on the Korean Peninsula
> in recent years has been largely if not entirely attributable to the North.
> 
> Not that any of this even makes any material difference to anything, of
> course.  I do believe that we can all agree, at the very least, that
> people, companies, and institutions _are_ being attacked, rather routinely,
> and that one way or another DNS is being used within the context of these
> attacks.  That fact is, I believe, the overriding point.  EDNS0 is not
> hardly going to be put into mothballs anytime soon, so the only important
> question now is "How can the attacks be prevented or mitigated?"  (Still,
> while attempting to find an answer to that question, it is important to
> keep in mind that teensy-weensy ``attack'' packets are not actually THE
> problem.)
> 
>> ....  >
>>> At which server? The numerous DDoS-participating individual intermediaries?
>>> Or the (singular) DDoS victim?
>> 
>> It wouldn't hurt to learn about the DNS protocol in general and DNS
>> reflection attacks in particular before parachuting in with the Final
>> Ultimate DNS Reflection DoS Attack Solution.
> 
> Vernon, I cannot thank you enough for your explicit and unambiguous
> condescension.   The way I figure it, any idea that warrants quite
> such a level of unprovoked animosity, coupled with an implicit resort
> to what I believe is traditionally referred to as an argument based
> upon an "appeal to authority" (in lieu of anything persuasive) can't be
> all bad.  I confess that earlier, I was unsure about the merits of the
> modest idea I had put forward here, but now I am both invigorated and
> enthused about pursuing it further.  It must have genuine merit if it
> can garner such hostility without even hardly trying.
> 
> As regards to "parachuting in", I do agree completely that this is
> most definitely a mode of transportation worthy of avoiding, and
> I myself avoid it at all costs and at all times.  You see, I have an
> overwhelming fear of heights, which is probably just as well, since
> it prevents me from acquiring an over-lofty opinion of the infallibility
> of my own opinions.   (I am personally acquainted with a few people who
> do suffer from that condition, and I can tell you based on personal
> experience that they really are frightful bores.)
> 
> With regards to making grandiose claims of having developed a Final
> Ultimate solution to any sort of problem(s) relating to the Internet,
> as enticing as that sounds, to the best of my knowledge (and unless
> I have been sleep-posting recently without having been conscious of
> it) I personally have never engaged in that sort of personal puffery.
> I suspect that you may perhaps have gotten me mixed up with someone
> else, perhaps even that fellow who seemed to be making such claims
> relating to some sort of checksum-based anti-spam scheme.  (I'm sorry,
> but I really do not remember his name at the moment.  I'm sure that
> it will come to me, but if it doesn't in short order I'm sure that
> I can always google for it.)
> 
> While the foregoing points are all interesting diversions, I think
> that it might actually be useful to return, civilly and with respect,
> to the issue at hand, and perhaps even to the question you saw fit not
> to answer.
> 
> Returning to the technical discussion that preceded the entertaining
> but otherwise vapid and vacuous diversions, please allow me to once
> again attempt to draw your attention towards the very specific comments
> you made about how you thought the DDoS problem really should be, and
> needed to be solved.  Here are those specific comments again:
> 
>> Unfamiliar (no cookie) DNS clients that show
>> some (or no) sign of badness could be sent to TCP, could be given
>> lower rate limits, ignored entirely (dropped), or whatever makes
>> sense at the server.
> 
> I merely asked you to clarify, for the record, that when you said
> "...whatever makes sense AT THE SERVER" you were intending to refer,
> very specifically, to the entire SET of servers which were, or which
> would be acting as "reflectors" during a DNS reflection attack.  (I
> assume, based upon the context of your comments, that this is indeed
> what you meant to say, however if not then I politely offered you an
> opportunity to clarify that, and do so again now.)
> 
> I believe that what we have here is a failure to communicate.  My question
> was not actually prompted by the kind of abundant ignorance of the topic
> at hand which you seem a bit too eager to impute to any person or
> statement which does not entirely or immediately conform to your personal
> view of either the problem or its solution.  Rather, my question was
> prompted, neither by misunderstanding nor ignorance, but rather by
> common courtesy.  This may perhaps have inadvertently contributed to
> your inability to properly understand it.  No matter.  I will try
> putting the question a different way and see if that helps.
> 
> The view that you were apparently putting forward, via your comments quoted
> immediately above, seems to be that the ``right'' solution to the DNS
> reflection DDoS problem is that the entire set of servers that are
> participating as reflectors in a DNS reflection attack should all, individually
> and collectively, take specific steps to limit the damage being wrought
> as a result of the attack, and that they should do so based upon "whatever
> makes sense" from the viewpoint of each of those servers.  (If I am
> misquoting or taking out of context I feel sure that you will be johnny-on-
> the-spot to offer to correct me.)
> 
> So anyway, far be it from me to suggest or even to imply that _any_ server
> should at any time do anything other than (as you yourself put it) "whatever
> makes sense".  Doing "what makes sense" is, by definition, always the sensible
> thing to do.  On that I believe we agree.  Where we may perhaps diverge is
> on a different and in some ways more fundamental point.
> 
> I call your attention to another comment that you yourself made:
> 
>> Sufficiently distributed or disbursed DNS reflection attacks (e.g. qps<1
>> at reflectors) are hard even to detect except at the victim.
> 
> Based upon that clear and unambiguous comment, I put to you the clear,
> simple, and obvious question:  If only the victim can even detect
> that an attack is ongoing, then how exactly are the numerous machines
> that are only being used as reflectors to be expected to do _anything_
> useful in the way of mitigating the attack, EVEN IF they are all,
> individually, collectively, and within each of their respective local
> contexts doing "whatever makes sense"?  How exactly will they contribute
> to mitigating a problem that they do not even know exists?
> 
> I am sincerely eager to be tutored by your eloquence, unambiguous
> intellectual prowess, and unfathomably deep understanding as you
> explain to me how the various reflector machines... including those
> that are doing "whatever makes sense"...  are going to be induced
> to take steps to mitigate an attack that they themselves do not even
> know is occurring.  (This certainly promises to be, um, interesting.)
> 
>> ... EDNS0 was not the genesis of DNS reflection attacks,
> 
> I agree that EDNS0 was not the genesis of DNS reflection attacks GENERALLY...
> just the modern really bad ones.
> 
>> "intermediary" is a poor fit for a recursive
>> DNS resolver (but might fit a stub resolver).
> 
> After a long and productive day of playing Minesweeper, I do so enjoy
> settling down to play a nice long relaxing game of "My terminology is
> more better than your terminology."  If only I had a dollar for every
> hour I have whiled away in this endlessly enjoyable leisure pursuit...
> 
>> "Intermediary" simply does not fit the problem of open resolvers in
>> DNS reflection attacks...
> 
> You're right, of course, Vernon.  (Sorry. For a moment there I forgot
> that we can all just assume that, as a default, in all cases.)  On
> second thought I don't much like the term "intermediary" either.
> So in future, let's just agree, by mutual consent, to call them
> "rouge manifolds" instead.  Yes!  That's the ticket.  I'm confident
> that using that term instead will make the meaning more immediately
> obvious and apparent to all participants.
> 
>> "Singular DDoS victim" is off the mark compared to "DDoS victim."
> 
> Given that several new members are inducted... unwillingly... into this
> ever-less-exclusive club every bleedin' day now, I cannot, and will not
> hardly argue the matter.  Far from it.  You have a point sir.  Singular
> they most certainly are not!  Abundant be they.
> 
> (Good!  Like the Right Honorable James Hacker, I also always like to end
> on a note of agreement.)
> 
> 
> Regards,
> rfg

---
Schizophrenia beats being alone.
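The exchange above turns on two technical points: that response size (the ~490-byte responses Warren recalls versus large EDNS0 responses) sets the amplification a victim absorbs, and Vernon's remark that an attack spread thinly enough (qps<1 at each reflector) is hard to detect anywhere but at the victim. The following simulation is an added example for readers of this archive; it is not code from the thread, from BIND, or from any participant. It models each reflector as an open resolver applying a per-source token-bucket response rate limit, feeds every reflector the same trickle of spoofed queries whose apparent source is the victim, and reports what each side can observe. All sizes, rates, the limiter settings and the victim address 192.0.2.1 are constructed assumptions, not figures from the thread.

```python
"""Constructed simulation: why a widely distributed DNS reflection attack is
invisible to the individual reflectors but obvious to the victim, and how
response size drives the amplification the victim absorbs.

Added example, not code from the thread or from BIND. Every parameter below
is an assumption chosen for illustration.
"""
from dataclasses import dataclass, field

# Constructed sizes in bytes. The thread mentions ~490-byte responses in the
# pre-EDNS0 era; 64 and 3000 are assumed values for a small query and a
# large EDNS0 response respectively.
QUERY_BYTES = 64
CLASSIC_RESPONSE_BYTES = 490
EDNS0_RESPONSE_BYTES = 3000
VICTIM_IP = "192.0.2.1"  # constructed, from the documentation range


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the sender had to emit."""
    return response_bytes / query_bytes


@dataclass
class TokenBucket:
    """Per-source token bucket: at most `burst` responses at once, refilled
    at `rate` per second. This stands in for a reflector's per-client limit
    ("lower rate limits", "dropped")."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Reflector:
    """An open resolver that rate-limits responses per apparent source IP."""

    def __init__(self, limit_qps: float, burst: float) -> None:
        self.limit_qps = limit_qps
        self.burst = burst
        self.buckets: dict = {}
        self.answered = 0
        self.dropped = 0

    def query(self, src_ip: str, now: float) -> bool:
        bucket = self.buckets.setdefault(src_ip, TokenBucket(self.limit_qps, self.burst))
        if bucket.allow(now):
            self.answered += 1
            return True
        self.dropped += 1
        return False


def simulate(num_reflectors: int, per_reflector_qps: float, duration_s: float,
             limit_qps: float, burst: float, response_bytes: int) -> dict:
    """Spoofed queries (apparent source = victim) arrive evenly spaced at each
    reflector. Returns what the reflectors and the victim can each observe."""
    reflectors = [Reflector(limit_qps, burst) for _ in range(num_reflectors)]
    interval = 1.0 / per_reflector_qps
    queries_per_reflector = int(duration_s * per_reflector_qps)
    victim_responses = 0
    for r in reflectors:
        for i in range(queries_per_reflector):
            if r.query(VICTIM_IP, i * interval):
                victim_responses += 1
    victim_rps = victim_responses / duration_s
    return {
        # reflector-side view: did the per-source limiter ever trip?
        "reflectors_that_flagged": sum(1 for r in reflectors if r.dropped > 0),
        # victim-side view: aggregate unsolicited responses and bandwidth
        "victim_responses_per_s": victim_rps,
        "victim_mbit_per_s": victim_rps * response_bytes * 8 / 1e6,
    }


if __name__ == "__main__":
    print("amplification, classic:", amplification_factor(QUERY_BYTES, CLASSIC_RESPONSE_BYTES))
    print("amplification, EDNS0  :", amplification_factor(QUERY_BYTES, EDNS0_RESPONSE_BYTES))
    # 1000 reflectors at 0.5 qps each; limiter allows 5 qps / burst 5 per source
    print("distributed :", simulate(1000, 0.5, 60, 5, 5, EDNS0_RESPONSE_BYTES))
    # the same total load pushed through a single reflector
    print("concentrated:", simulate(1, 500, 60, 5, 5, EDNS0_RESPONSE_BYTES))
```

With these constructed numbers the distributed run trips the limiter at none of the thousand reflectors, yet the victim sees 500 unsolicited responses per second, about 12 Mbit/s; the concentrated run is caught at once by the single reflector's limiter. That is the asymmetry Vernon describes: per-source rate limiting at reflectors is a real mitigation for concentrated abuse, but detection of a thinly spread attack has to happen where the traffic aggregates, which is the victim or its upstream, and the amplification ratios show why the response size matters more than whether a packet is exactly 512 bytes.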
