DNS Amplification Attacks... and a trivial proposal

Doug Barton dougb at dougbarton.us
Fri Jun 14 22:30:04 UTC 2013


Ronald,

You started this thread a bit off topic, but now you've wandered pretty 
far off into the rhetorical weeds. So I'm going to respond to you here 
so that the archives have a little more utility, then I'm going to let 
you have the last word.


On 06/14/2013 02:04 PM, Ronald F. Guilmette wrote:
>
> In message <51BAA714.9020101 at dougbarton.us>,
> Doug Barton <dougb at dougbarton.us> wrote:
>
>> It's obvious you're frustrated (understandable), and enthusiastic
>> (commendable), but you  might want to consider dialing down your
>> "rhetoric" a bit.
>
> Great idea!  I have only one small question... Would you be willing to
> provide me an example to follow?  If so, please proceed.

So let me be a little more clear. You're engaging in frivolous arguments 
and borderline ad hominem attacks. Neither is particularly useful, and 
both have only served to obscure whatever utility your proposals may have had.

>> You've had responses from people here who have been
>> working on this problem for years,
>
> Yes.  On the order of 13 years it appears.

Regarding BCP 38, longer than that actually. And yes, progress has been 
made, but it's still an active problem (for reasons already discussed).

> Based on recent reports, I am forced to conclude that the people of whom
> you speak have not actually managed to solve the problem, even given all
> that time.

Your conclusion is correct, even though your premise is faulty. In 
addition to the aforementioned problem of the costs associated with BCP 
38, there is also the problem of new operators coming on to the scene 
that need education. It's not a problem that can be "solved," it 
requires an ongoing effort under the best of circumstances.

>> and have a deep understanding of it.*
>
> Yes.  And that deep understanding has apparently not been successful in
> resolving the problem, I think.

Again, false premise, this time with a bonus false conclusion. 
Understanding what causes a problem is different from being able to wave 
a magic wand and solve it. Especially with DNS which has a very long 
tail of deployed software that does not get upgraded.

> On the other hand, maybe you think that
> it _has_ been successful in solving the problem.  If so, all I can say
> is that I would hate to see what failure looks like.

Nice rhetorical flourish, but again, totally unhelpful.

>> Trying to understand what they're telling you, and its implications,
>> would really help your situation.
>
> I understand that you hold the view that it is self-evident that I must
> not understand something, simply because I do not accept without
> question the prevailing conventional view of this problem and its
> possible solutions.  I do wonder however if the possibility, however
> unlikely, ever crossed your mind that perhaps I _do_ actually understand
> both the problem and the issues, and that I just happen to disagree
> with the conventional wisdom with respect to these matters, a conventional
> wisdom that, from where I am sitting at least, appears to
> have so far succeeded in producing absolutely nothing in the way of
> either a solution or even observable progress over all of the past
> thirteen years.

Pardon my being blunt, but you have a fundamental lack of understanding 
about the basic facts at hand, therefore it would be hard for me to 
conclude that you do understand the problem. Regarding your proposed 
solution, you yourself dramatically revised it within a very short 
period after your first post, thus it would be reasonable to conclude 
that the best case scenario is that your understanding of the solution 
is evolving.

Please note, these observations are not meant to be pejorative. As 
Vernon pointed out you have "parachuted in" with "the one true 
solution," and you're berating anyone who dares to disagree with you. It 
would be helpful for you to look at the situation from our perspective.

>>>> No. You can still get pretty good amplification with 512 byte responses.
>>>
>>> That is an interesting contention.  Is there any evidence of, or even any
>>> reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
>>> using strictly 512 byte packets?
>>
>> You're asking the wrong question. Attackers don't go out of their way to
>> find open resolvers that they are sure will return 4k packets.
>
> That also is an interesting contention.  May I ask what the factual basis
> was for your conclusion here?

The overwhelming collected evidence of how botnets work, and how the 
attackers use them would be a good start. I don't follow the topic in 
depth, but I do try to keep up to speed on the highlights. You should 
probably spend some time learning about the details yourself. It's not 
my job to do your homework for you. :)

And yes, I understand that you feel (erroneously) that this is an 
"appeal to authority" fallacy. However there is a vast difference 
between "it's true because I say so," and, "Go do your own homework, 
because the facts exist to support that what I'm saying is true."

It's probably also worth noting that if your attitude was a little more 
collegial people would be more likely to help you.

>> The important point being (as others have made to you) that this is not
>> an EDNS0 issue.
>
> Yes, I see that Vernon said that.  I continue to await the concrete
> evidence that supports that view.

Again, it's a very handy rhetorical device to say, "Please prove that my 
absurd perspective is wrong before I will listen to you." Doesn't 
advance the conversation at all, but it is a handy position for you to 
take. :)

>> It's also worth noting that I realize this wasn't the
>> main point you were trying to make,
>
> Well, that is something anyway.

Glad I could help.

>>> If that's actually a real problem, then I am forced to assume that there
>>> must have been numerous reliable reports of successful and devastating
>>> DNS reflection DDoS attacks which pre-dated the widespread adoption of
>>> EDNS0.
>>
>> Again, you're making the wrong argument. As others have pointed out to
>> you, DNS amplification is just the attack du jour.
>
> I wonder if you are familiar with the actual English translation of the
> term "du jure".

Well according to Google it's, "the swear." But I'm not an expert in French.

> I and others who have been attacked in this manner
> might be inclined to take offense from your making light of the time
> frame over which these kinds of attacks have been occurring.  I assure
> you that it has been quite a bit more than a single day.  In fact it
> has been closer to ten years.

So again, nice bombastic rhetoric, but totally unrelated to anything 
useful.

>> There is evidence at
>> the moment that the kiddies are already moving to chargen
>
> I believe that the applicable British word is "bollix".

Actually I think you're looking for "bollocks." Bollix is something else 
entirely.

> I see nothing
> anywhere on the Internet that amounts to what any reasonable person would
> call "evidence" to support your contention here.  There is a grand total
> of -one- lone anecdotal report of a recent event involving what someone
> apparently believed must have been chargen, but even that report is
> utterly lacking in detail, including especially the most important
> detail, i.e. whether or not that one (alleged) lone chargen ``attack''
> produced anything at all in the way of damage or even noticeable hardship
> on the part of the ``victim''.

You're free to ignore whatever you don't think is enough evidence to 
satisfy you about a specific attack. However the larger point remains 
that DNS amplification is not the only way to DOS someone, and that if 
we solve that problem tomorrow the day after tomorrow there will be a 
new attack that uses the lack of BCP 38 to function.

> (And by the way, I cannot help but observe that your contention that
> chargen is the next great menace to society

Not at all what I said, and again, totally unhelpful rhetoric.

>>>> There is no quick fix.
>>>
>>> I will settle for a slow one.
>>
>> Then you really want to learn more about response rate limiting
>
> I read Vixie's paper.  I do apologize for the fact that although I read
> it and understood it, I reserve the right to disagree that it represents
> the One, the True, the Only solution to the problem under discussion.

It's not, and the authors/proponents of RRL don't claim it is. But it 
will help in the long run, for the specific case of DNS amplification.

> I understand and accept that my own personal lack of conventional religious
> convictions often puts me outside of whatever is considered
> the "mainstream", but I think that you err when you assume that anyone
> who is not immediately awestruck by the utter and undeniable brilliance of
> Vixie's (still pending) "solution" must obviously not have understood
> it properly.  Foreign though it may be to your conception, it is in fact
> possible to both understand and to simply disagree.

It may surprise you to note that I rather often make the same point 
myself (disagreement != lack of understanding). However in this case you 
have not only demonstrated a non-trivial lack of understanding of the 
basic facts related to the topic; you have actively resisted attempts to 
educate you about them. That makes it rather difficult to take any 
conclusions you come to seriously.

> But let us be specific.  Vixie's as yet unimplemented proposal involves
> arranging to have machines that might participate in a DNS reflection
> all voluntarily participate in "rate limiting", which kicks in when
> those machines themselves notice that something is amiss.  But
> I would like to call your attention to something that Vernon said just
> yesterday:
>
>> Sufficiently distributed or disbursed DNS reflection attacks (e.g. qps<1
>> at reflectors) are hard even to detect except at the victim.
>
> I agree completely with Vernon on the above point.
>
> Now, I would simply like to know how Vixie's rate limiting scheme solves
> this problem.   If you can provide an answer to that question, please do
> proceed.

Focusing on a specific aspect of the proposed solutions that doesn't 
seem to work to your satisfaction is (again) a nice rhetorical flourish, 
but it ignores the bigger picture. RRL will help, but it's not the 
complete solution, nor do its authors claim it is.

>> ... but the real answer is still going to be BCP 38...
>
> I have two responses to that:
>
> 1) Yes, yes, and yes.  BCP 38 is clearly the wave of the future, has been
> for the past 13 years, and unfortunately perhaps always will be.  I agree
> completely that BCP 38 is a profoundly good *and* a profoundly necessary
> thing.  We have no disagreement about that whatsoever.  I merely made
> a modest suggestion for an idea, a scheme, that could perhaps assist to
> mitigate DNS reflection attacks in the time period over the _coming_
> 13 years, during which we shall all most certainly continue to work,
> diligently, towards the goal of BCP 38's universal implementation.

Yup, I understand what you're proposing (remember, disagreement != lack 
of understanding). The point that several people have tried to make to 
you now is that (like RRL) your proposal relies on people updating their 
software. In the DNS world we have a large problem with long tails of 
un-updated software continuing to be a nuisance. So to recap:

1. No matter how good they are, software-based solutions to the DNS 
amplification problem will take a very long time to be effective, where 
"very long time" is defined as at least a decade.

2. DNS amplification is only 1 in a long string of DDOS attacks, and as 
soon as the problem is fixed (or starts getting fixed in any kind of a 
meaningful way) other vectors will be developed and employed.

So at the end of the day, BCP 38, as frustrating as it is, is still the 
real answer.

> 2)  If indeed BCP 38 is ``the real answer'' then why is anybody wasting
> any time, energy, or effort implementing, adopting, or even talking about
> Vixie's rate limiting scheme?

Because every little bit helps, and RRL is actually useful for DDOS 
attacks against the authoritative server itself. There are likely other 
reasons, but those are the most obvious (to me anyway).

>>> I am not persuaded that we have even really begun in earnest a process that
>>> is likely to lead to that result.  Almost everybody, even 13 years later,
>>> is still hoping for, and praying for, some utterly cost-free and pain-free
>>> solution to drop down out of the sky like manna from heaven.
>>
>> Again, you need to become more familiar with the efforts that have been
>> ongoing for years.
>
> Again, I call your attention to what I, and presumably many many other
> attack victims consider to be a rather salient point, i.e. that despite
> having worked on the problem for a period already considerably longer
> than the time it took NASA to put a man on the moon, the folks involved
> in the "efforts" of which you speak do not seem to have produced anything
> in the way of tangible results, or even tangible progress against the
> problem in all that time.  Given this record of utter failure on the
> part of the many illustrious experts who have so far been working the
> problem, I do not think that it was either unreasonable or unwarranted
> for me, or for anyone else for that matter, to have tossed another modest
> little idea into the ring.  We could hardly do worse than the illustrious
> experts have managed to do over all these years.
>
> (I do not anticipate that my act of pointing out the nakedness of certain
> potentates is likely to earn me universal accolades, but then I didn't
> start this thread for love... at least not the love of anyone here.)

I get that you're really interested in knocking certain people down a 
peg or two, however your attitude combined with your ignorance just 
makes you come off as petty (or silly, for the more charitably 
inclined). If you really want to know why BCP 38 hasn't been deployed 
universally go educate yourself on the topic. It has nothing to do with 
lack of effort on the part of those that want to see it deployed, it has 
everything to do with the associated costs to the operators. If, on the 
other hand, your primary purpose is to insult people, well, good luck 
with that.

>> Mark also made an excellent point about legislation for BCP 38 being an
>> unfortunate necessity at this point.
>
> Please do forgive me as I "misunderstand" again, but my own view is that
> the excellence, or lack thereof, of Mark's point is at best debatable.
>
> Pray tell when is this hypothetical future legislation likely to be
> arriving on the President's desk?

Well Mark lives in Australia, so which president are you referring to?

> And more to the point, how will adoption of said legislation, even if
> achieved in our lifetimes, and even if achieved universally throughout
> all of Europe, the Americas, and Africa,

Don't forget Australia!

> going to affect in any way the
> network configuration policies of either the South Koreans or, more
> importantly, the Chinese?  Is the plan to simply hold our collective
> breaths until we either turn blue or the Chinese give in and accept
> our preferred way of doing things?  (That approach seems to have worked
> out oh so well in the case of Darfur, don't cha think?)

So what I think you're saying is that there is no universal solution, 
and that efforts should be put in a wide variety of areas (like RRL) to 
try to mitigate the problem as much as possible ... or maybe it's me who 
misunderstands. :)

Doug
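As an added illustration (not from this thread, and not BIND's own RRL implementation), the following Python sketch models the point Doug and Vernon make above: a per-reflector rate limit catches a concentrated reflection, but a sufficiently distributed one (well under 1 qps at each reflector) never crosses a per-reflector threshold and is only visible as the aggregate arriving at the victim. The window, threshold, addresses and query records are constructed assumptions.

```python
from collections import defaultdict

WINDOW_SECONDS = 1.0   # assumed accounting window
THRESHOLD = 5          # assumed limit: identical responses per client per window

def rrl_limited(queries, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Keys (client_ip, qname) that ONE reflector would rate-limit.

    queries: (timestamp, claimed_client_ip, qname) tuples as seen by that
    reflector. A key is limited once more than `threshold` identical
    responses would go to the same claimed source within one window."""
    counts = defaultdict(int)
    limited = set()
    for ts, client, qname in queries:
        key = (client, qname, int(ts // window))
        counts[key] += 1
        if counts[key] > threshold:
            limited.add((client, qname))
    return limited

def aggregate_qps(reflector_views, duration):
    """Query rate the victim observes: the sum over every reflector's view.
    The victim is the one vantage point that sees the whole attack."""
    return sum(len(view) for view in reflector_views) / duration

VICTIM = "203.0.113.7"   # constructed spoofed source (documentation range)
QNAME = "example.com"

def concentrated_view(qps=50):
    # constructed: a single reflector receives 50 spoofed queries in one second
    return [(i / qps, VICTIM, QNAME) for i in range(qps)]

def distributed_views(reflectors=500, duration=10):
    # constructed: the same total load spread over many reflectors, each
    # seeing a single spoofed query in 10 s (qps < 1), the "sufficiently
    # distributed" case that is hard to detect except at the victim
    return [[(r / reflectors, VICTIM, QNAME)] for r in range(reflectors)]

if __name__ == "__main__":
    print("concentrated, limited keys:", rrl_limited(concentrated_view()))
    print("distributed, any reflector limits:",
          any(rrl_limited(v) for v in distributed_views()))
    print("victim sees qps:", aggregate_qps([concentrated_view()], 1),
          "vs", aggregate_qps(distributed_views(), 10))
```

Both scenarios deliver the same 50 qps to the victim; only the first is visible to a reflector-side limit, which is why the thread keeps returning to BCP 38 as the real answer.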
