Re: DNS Server DoS Attacks
> My thought is to add another TTL to DNS responses, similar to the SOA
> maximum parameter. The current TTL would be similar to the SOA minimum.
> This would still allow for records to expire in a reasonable amount of
> time, but it would also allow for DNS responses to be answered in the event
> that servers in the hierarchy are unreachable for some reason.
keeping copies of somebody else's authoritative data and using or reusing
them beyond the (TTL,SOA) parameters would be a disaster. even with DNSSEC
it will be dangerous, but the amount of bad data that would circulate without
end under such a scheme is unthinkably horrible. (BIND has been criticised
for accelerating TTL depreciation when reusing additional data, but this is
the kind of data pattern this was designed to end.)
> It occurs to me that it is possible to retrofit existing DNS servers
> to have a static maximum timeout without any protocol modifications.
at the moment, only 2% of the queries hitting the root servers actually need
to be answered -- the rest is pure swill, just errors and side effects. there
is, unfortunately, no way to know in the upstream routers which 2% is which,
and so we deliver the whole thing and answer it as best we can. what this
means, though, is that the impact on a root server attack would take several
days to be felt. while pulsar-style attacks can be harder to track to source,
the "off" part of the cycle leaves time for retries to succeed and thus let
the "useful" 2% still bear some fruit. a solid attack lasting several days
would be trackable, unless it comes from a million-drone windows/xp army,
which leads to the ugly necessity of "massive-scale bgp4 anycasting", which
at least two root server operators are already planning to implement.
(or we could secure the edge, but i guess that's too hard.)
> Anyway, the way I see it since DNS already has a caching infrastructure
> built in it makes sense to take extra advantage of that infrastructure when
> things are under attack.
if people would just cache what they already receive, then 98% of the queries
seen by the root servers would never be sent. so, i think there's ample
evidence to refute the idea that the internet's caching infrastructure is
a model we can build on.
archive: <http://ops.ietf.org/lists/namedroppers/>
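A toy resolver cache modelling the two-TTL proposal quoted above (normal TTL, plus a second "maximum" TTL honoured only while the authoritative side is unreachable), with a helper that measures how long an already-withdrawn record would keep being handed out during an outage. This is an added illustration, not code from the list, from BIND, or from the original poster; the `Record`, `max_ttl` and `stale_exposure` names are assumptions of this example.

```python
"""Toy resolver cache for the two-TTL scheme (constructed example)."""
from dataclasses import dataclass


@dataclass
class Record:
    name: str
    rdata: str
    ttl: int        # normal TTL: the record expires after this many seconds
    max_ttl: int    # hypothetical upper bound, used only while upstream is down
    cached_at: int  # time (seconds) at which the record entered the cache


class Cache:
    def __init__(self):
        self.entries = {}

    def store(self, rec):
        self.entries[rec.name] = rec

    def lookup(self, name, now, upstream_reachable):
        """Return rdata to answer with, or None if the cache must requery."""
        rec = self.entries.get(name)
        if rec is None:
            return None
        age = now - rec.cached_at
        if age < rec.ttl:
            return rec.rdata          # fresh: ordinary caching behaviour
        if not upstream_reachable and age < rec.max_ttl:
            return rec.rdata          # stale, but served under the proposal
        return None                   # past max_ttl: must requery regardless


def stale_exposure(rec, outage_start, outage_end):
    """Seconds during an outage [outage_start, outage_end) in which a record
    the authority has already changed or withdrawn would still be served.
    This is the window the reply above worries about: the longer max_ttl
    is, the longer wrong data keeps circulating once a cache holds it."""
    fresh_end = rec.cached_at + rec.ttl
    stale_end = rec.cached_at + rec.max_ttl
    start = max(fresh_end, outage_start)
    end = min(stale_end, outage_end)
    return max(0, end - start)


# Constructed sample: a 5-minute TTL with a one-day hypothetical maximum.
SAMPLE = Record("www.example", "192.0.2.1", ttl=300, max_ttl=86400, cached_at=0)
```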