DNS Amplification Attacks... and a trivial proposal

Ronald F. Guilmette rfg at tristatelogic.com
Fri Jun 14 21:04:06 UTC 2013


In message <51BAA714.9020101 at dougbarton.us>, 
Doug Barton <dougb at dougbarton.us> wrote:

>It's obvious you're frustrated (understandable), and enthusiastic 
>(commendable), but you might want to consider dialing down your 
>"rhetoric" a bit.

Great idea!  I have only one small question... Would you be willing to
provide me an example to follow?  If so, please proceed.

>You've had responses from people here who have been 
>working on this problem for years,

Yes.  On the order of 13 years it appears.

Based on recent reports, I am forced to conclude that the people of whom
you speak have not actually managed to solve the problem, even given all
that time.

> and have a deep understanding of it.* 

Yes.  And that deep understanding has apparently not been successful in
resolving the problem, I think.  On the other hand, maybe you think that
it _has_ been successful in solving the problem.  If so, all I can say
is that I would hate to see what failure looks like.

>Trying to understand what they're telling you, and its implications, 
>would really help your situation.

I understand that you hold the view that it is self-evident that I must
not understand something, simply because I do not accept without
question the prevailing conventional view of this problem and its
possible solutions.  I do wonder however if the possibility, however
unlikely, ever crossed your mind that perhaps I _do_ actually understand
both the problem and the issues, and that I just happen to disagree
with the conventional wisdom with respect to these matters, a
conventional wisdom that, from where I am sitting at least, appears to
have so far succeeded in producing absolutely nothing in the way of
either a solution or even observable progress over all of the past
thirteen years.

>>> No. You can still get pretty good amplification with 512 byte responses.
>>
>> That is an interesting contention.  Is there any evidence of, or even any
>> reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
>> using strictly 512 byte packets?
>
>You're asking the wrong question. Attackers don't go out of their way to 
>find open resolvers that they are sure will return 4k packets.

That also is an interesting contention.  May I ask what the factual basis
was for your conclusion here?

>The important point being (as others have made to you) that this is not 
>an EDNS0 issue.

Yes, I see that Vernon said that.  I continue to await the concrete
evidence that supports that view.

>It's also worth noting that I realize this wasn't the 
>main point you were trying to make,

Well, that is something anyway.

>but it will probably be helpful for 
>you to get your facts straight.

I am happy to have my facts straightened by you, or by anybody else.  But
not on the basis of hand waving and stern assurances on the part of
"experts" when unaccompanied by hard evidence.  (I know that my
insistence on evidence, rather than traditional "appeals to authority",
puts me in the category of "difficult to work with" in some people's
mind, but I would rather be right and make progress, as opposed to,
you know, unquestioningly accepting the herd's current conventional
wisdom, showing no progress over a long period of time, and being loved.)

>> If that's actually a real problem, then I am forced to assume that there
>> must have been numerous reliable reports of successful and devastating
>> DNS reflection DDoS attacks which pre-dated the widespread adoption of
>> EDNS0.
>
>Again, you're making the wrong argument. As others have pointed out to 
>you, DNS amplification is just the attack du jour.

I wonder if you are familiar with the actual English translation of the
term "du jour".  I and others who have been attacked in this manner
might be inclined to take offense from your making light of the time
frame over which these kinds of attacks have been occurring.  I assure
you that it has been quite a bit more than a single day.  In fact it
has been closer to ten years.

>There is evidence at 
>the moment that the kiddies are already moving to chargen

I believe that the applicable British word is "bollix".  I see nothing
anywhere on the Internet that amounts to what any reasonable person would
call "evidence" to support your contention here.  There is a grand total
of -one- lone anecdotal report of a recent event involving what someone
apparently believed must have been chargen, but even that report is
utterly lacking in detail, including especially the most important
detail, i.e. whether or not that one (alleged) lone chargen ``attack''
produced anything at all in the way of damage or even noticeable hardship
on the part of the ``victim''.

One swallow does not a summer make.  Your contention that "kiddies"
(plural) are "moving to chargen", based on one lone anecdotal report
appears to me to be more well rooted in hysteria than factual evidence.
And hysterical claims do not typically advance a technical discussion,
so please let us stick with the facts.

(And by the way, I cannot help but observe that your contention that
chargen is the next great menace to society is, I'm sorry to say,
laughable on the face of it.  Please do name all of the operating
systems and/or even all of the specific bits of hardware that you
believe have shipped with chargen both open and active anytime over
the last 15 years.  As boogie men to frighten an ill-informed public,
I'm sure that dinosaurs do work quite well.  In this case however,
I think that you may find that it will be difficult to stampede or
scare the potatoes out of the general populace by presenting them
with the looming specter of scary types of long-extinct attack
dinosaurs that have been dead and stiff for over 15 years already.)

>>> There is no quick fix.
>>
>> I will settle for a slow one.
>
>Then you really want to learn more about response rate limiting

I read Vixie's paper.  I do apologize for the fact that although I read
it and understood it, I reserve the right to disagree that it represents
the One, the True, the Only solution to the problem under discussion.
I understand and accept that my own personal lack of conventional
religious convictions often puts me outside of whatever is considered
the "mainstream", but I think that you err when you assume that anyone
who is not immediately awestruck by the utter and undeniable brilliance of
Vixie's (still pending) "solution" must obviously not have understood
it properly.  Foreign though it may be to your conception, it is in fact
possible to both understand and to simply disagree.

But let us be specific.  Vixie's as yet unimplemented proposal involves
arranging to have machines that might participate in a DNS reflection
all voluntarily participate in "rate limiting", which kicks in when
those machines themselves notice that something is amiss.  But
I would like to call your attention to something that Vernon said just
yesterday:

>Sufficiently distributed or disbursed DNS reflection attacks (e.g. qps<1
>at reflectors) are hard even to detect except at the victim.

I agree completely with Vernon on the above point.

Now, I would simply like to know how Vixie's rate limiting scheme solves
this problem.   If you can provide an answer to that question, please do
proceed.

>... but the real answer is still going to be BCP 38...

I have two responses to that:

1) Yes, yes, and yes.  BCP 38 is clearly the wave of the future, has been
for the past 13 years, and unfortunately perhaps always will be.  I agree
completely that BCP 38 is a profoundly good *and* a profoundly necessary
thing.  We have no disagreement about that whatsoever.  I merely made
a modest suggestion for an idea, a scheme, that could perhaps assist to
mitigate DNS reflection attacks in the time period over the _coming_
13 years, during which we shall all most certainly continue to work,
diligently, towards the goal of BCP 38's universal implementation.

2)  If indeed BCP 38 is ``the real answer'' then why is anybody wasting
any time, energy, or effort implementing, adopting, or even talking about
Vixie's rate limiting scheme?  John Levine seems to be of the opinion
that _any_ work on _any_ scheme or plan or implementation of anything
other than BCP 38... presumably with the exception of sleeping, eating,
and procreating... is and will be necessarily and inescapably Bad as it
will inevitably subtract time, effort, and energy away from what must be
the one and only set of goal posts, i.e. the universal deployment of BCP 38.
(I am frankly not sure if John is allowing any exceptions to this general
rule that he put forward.  He made it clear that he thinks that any
time spent on _my_ modest proposal would be 100% wasted, but refrained
from applying his logic even-handedly also to Vixie's rate limiting
scheme which is itself also not BCP 38, and which thus, one would think,
should, by John's logic, also and likewise be viewed as an utter waste
of time.)
 
>> I am not persuaded that we have even really begun in earnest a process that
>> is likely to lead to that result.  Almost everybody, even 13 years later,
>> is still hoping for, and praying for, some utterly cost-free and pain-free
>> solution to drop down out of the sky like manna from heaven.
>
>Again, you need to become more familiar with the efforts that have been 
>ongoing for years.

Again, I call your attention to what I, and presumably many many other
attack victims consider to be a rather salient point, i.e. that despite
having worked on the problem for a period already considerably longer
than the time it took NASA to put a man on the moon, the folks involved
in the "efforts" of which you speak do not seem to have produced anything
in the way of tangible results, or even tangible progress against the
problem in all that time.  Given this record of utter failure on the
part of the many illustrious experts who have so far been working the
problem, I do not think that it was either unreasonable or unwarranted
for me, or for anyone else for that matter, to have tossed another modest
little idea into the ring.  We could hardly do worse than the illustrious
experts have managed to do over all these years.

(I do not anticipate that my act of pointing out the nakedness of certain
potentates is likely to earn me universal accolades, but then I didn't
start this thread for love... at least not the love of anyone here.)

If I have been insufficiently clear, perhaps a small graphic illustration
will help to clarify my point above:

http://i7.photobucket.com/albums/y280/BrannonB/GaryLarsonHumptyDumpty.gif

>Mark also made an excellent point about legislation for BCP 38 being an 
>unfortunate necessity at this point.

Please do forgive me as I "misunderstand" again, but my own view is that
the excellence, or lack thereof, of Mark's point is at best debatable.

Pray tell when is this hypothetical future legislation likely to be
arriving on the President's desk?  Is the plan to attach it as a rider
to the next bit of gun control legislation that is taken up in the House
in order to insure its immediate and unanimous passage?  (Thank god
we have such an efficient, harmonious, and well-functioning Congress.
What hope would we have of getting such legislation adopted and sent
to the President in the absence of that?)

And more to the point, how will adoption of said legislation, even if
achieved in our lifetimes, and even if achieved universally throughout
all of Europe, the Americas, and Africa, going to affect in any way the
network configuration policies of either the South Koreans or, more
importantly, the Chinese?  Is the plan to simply hold our collective
breaths until we either turn blue or the Chinese give in and accept
our preferred way of doing things?  (That approach seems to have worked
out oh so well in the case of Darfur, don't cha think?)

Regards,
rfg
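A small model, added here as an illustration and not part of the original post or of any BIND code, of the two technical points argued above: the amplification factor a victim sees from 512-byte versus EDNS0-sized responses, and why per-reflector response rate limiting catches a flood concentrated on one reflector but passes one spread across many reflectors at under one query per second each. The query size, response sizes, reflector counts and the per-second limit are assumed sample values.

```python
"""Toy model of per-reflector response rate limiting against a reflected
DNS flood. Constructed for this discussion; it is not BIND's RRL
implementation and the numbers below are assumed, not measured."""
from collections import defaultdict

QUERY_BYTES = 64      # assumed on-the-wire size of a spoofed query
RESP_512 = 512        # classic maximum DNS-over-UDP response
RESP_EDNS0 = 4096     # commonly advertised EDNS0 buffer size


def amplification(response_bytes, query_bytes=QUERY_BYTES):
    """Bandwidth amplification factor as seen at the victim."""
    return response_bytes / query_bytes


def rrl_deliver(events, limit_per_sec):
    """events: iterable of (reflector, second, victim) responses.
    Each reflector allows at most limit_per_sec responses towards a given
    victim address per second (a simplified per-client-per-second credit,
    the core RRL idea). Returns how many responses reach the victim."""
    credits = defaultdict(int)
    delivered = 0
    for reflector, sec, victim in events:
        key = (reflector, victim, sec)
        if credits[key] < limit_per_sec:
            credits[key] += 1
            delivered += 1
    return delivered


def flood(reflectors, qps_per_reflector, seconds, victim="victim"):
    """Constructed event stream: the same total of spoofed queries, spread
    round-robin over the given number of reflectors and seconds."""
    total = int(reflectors * qps_per_reflector * seconds)
    return [(i % reflectors, (i // reflectors) % seconds, victim)
            for i in range(total)]


def compare(limit_per_sec=5, seconds=10):
    """Same 1000 responses: one reflector at 100 qps versus 200 reflectors
    at 0.5 qps each. Returns (delivered_concentrated, delivered_distributed)."""
    concentrated = rrl_deliver(flood(1, 100, seconds), limit_per_sec)
    distributed = rrl_deliver(flood(200, 0.5, seconds), limit_per_sec)
    return concentrated, distributed


if __name__ == "__main__":
    print("amplification 512 / 4096:", amplification(RESP_512), amplification(RESP_EDNS0))
    print("delivered (concentrated, distributed):", compare())
```

The distributed case delivers every response, since no reflector ever exceeds one response per second to the victim, which is the detection gap Vernon's remark about qps&lt;1 at reflectors describes.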

