DNS Amplification Attacks... and a trivial proposal

Doug Barton dougb at dougbarton.us
Sat Jun 15 00:41:30 UTC 2013


On 06/14/2013 05:13 PM, Vernon Schryver wrote:
>> From: Doug Barton <dougb at dougbarton.us>
>
>>          is that (like RRL) your proposal relies on people updating their
>> software.
>
> RRL needs only authority and open recursive servers to be updated.
> The vast majority of DNS installations are closed recursive and stub
> servers that do not need RRL.  (A case could be made for RRL on a
> minority of private recursive servers.)

You're right of course, but unfortunately at least where open resolvers 
are concerned the same people who operate open resolvers are also those 
least likely to know what RRL is, or why it's needed; and are also least 
likely to actually upgrade old software. So a statistically significant 
percentage of the "long tail" problem is going to apply to those who 
would provide the most benefit from making the change.

I could therefore make a pretty strong case that RRL should be on by 
default, but I realize that's incredibly unlikely to fly. :)

> Other ideas that I like such as DNS cookies would need more widespread
> changes, which makes enthusiasm for them taxing.

Yeah, that's unfortunate since if it's a good idea it's worth 
implementing no matter how long it takes to be beneficial. The time will 
pass either way.

>>                                      RRL is actually useful for DDOS
>> attacks against the authoritative server itself. There are likely other
>> reasons, but those are the most obvious (to me anyway).
>
> That's in the RRL sales story that I've been flogging since before the
> first version of the RRL patch, but so far it has been only incidentally
> true.  Some DNS server operators have reported drastic reductions in
> network and CPU load during attacks thanks to RRL, but they were not
> the intended victims of the attacks.

Personally I've never understood why RRL wasn't already baked in. The 
only way a legitimate client could send the same query over and over in 
a short period of time (intentionally being vague on both terms) is that 
it is broken. We did the smart thing to solve that problem on the 
iterative side 10 years ago; I don't know why it's taken so long to 
solve the auth side. :)

Doug
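The rate-limiting idea discussed above, as an added illustration that is not part of the thread and not BIND's RRL code: a simplified model that buckets responses by (client /24, qname, qtype), allows a fixed number of identical responses per second, and either drops the excess or "slips" a truncated reply so a legitimate client can retry over TCP. The rate, slip value and the sample traffic are constructed assumptions.

```python
# Simplified model of DNS Response Rate Limiting (RRL), added here as an
# illustration; it is NOT BIND's implementation. Responses are bucketed by
# (client /24, qname, qtype). Each bucket may emit RESPONSES_PER_SECOND
# responses per second; excess responses are dropped, except that every
# SLIP-th one is "slipped" as a truncated (TC=1) reply that makes a real
# client retry over TCP while a spoofed source gains nothing from it.
from collections import defaultdict
import ipaddress

RESPONSES_PER_SECOND = 5   # assumed rate, not a recommended value
WINDOW = 1.0               # seconds
SLIP = 2                   # slip every 2nd excess response


class ResponseRateLimiter:
    def __init__(self, rps=RESPONSES_PER_SECOND, slip=SLIP):
        self.rps = rps
        self.slip = slip
        self.buckets = defaultdict(lambda: {"start": None, "count": 0, "excess": 0})

    @staticmethod
    def _key(client_ip, qname, qtype):
        # Reflected floods arrive with the victim's (spoofed) address, so the
        # victim's whole /24 is treated as one client.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), qname.lower(), qtype)

    def decide(self, ts, client_ip, qname, qtype):
        """Return 'respond', 'slip' (truncated reply) or 'drop'."""
        b = self.buckets[self._key(client_ip, qname, qtype)]
        if b["start"] is None or ts - b["start"] >= WINDOW:
            b["start"], b["count"], b["excess"] = ts, 0, 0  # new window
        b["count"] += 1
        if b["count"] <= self.rps:
            return "respond"
        b["excess"] += 1
        return "slip" if b["excess"] % self.slip == 0 else "drop"


def run(limiter, queries):
    """Apply the limiter to (timestamp, client_ip, qname, qtype) records."""
    return [limiter.decide(*q) for q in queries]


# Constructed sample traffic: 20 identical ANY queries in one second carrying
# the spoofed source 203.0.113.7 (the reflection victim), and a normal client
# at 198.51.100.9 asking for ten distinct names.
FLOOD = [(i * 0.05, "203.0.113.7", "example.com.", "ANY") for i in range(20)]
NORMAL = [(i * 0.1, "198.51.100.9", f"host{i}.example.com.", "A") for i in range(10)]

if __name__ == "__main__":
    print(run(ResponseRateLimiter(), FLOOD))   # 5 respond, then drop/slip
    print(run(ResponseRateLimiter(), NORMAL))  # all respond
```

The flood gets five full answers and then only truncated or no replies, while the normal client, whose queries never repeat, is never limited.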


