RE: DNS Server DoS Attacks
Packet forwarding engines won't tell the difference between
a good query and a bad query without serious penalty to the
PFE performance.
Your idea would break caching and cause more flotsam to hang
around in various systems.
Personally, I like having things cache age out of the DNS
during an attack. Lets me change the A RR for a victim to
a different IP. Useful for those scripts that don't update
their cached IP for the victim name.
Three things will help provide better strength against DDOS
attacks.
a) properly managed anycast of the root infrastructure.
b) securing the edge of the net. Remove the zombie hosts
and they can't be used as a tool.
c) signing the root zone, more for layer 8 reasons than others.
When providers decide to start applying various tools to improve
security on the edge (ergo clients) things will become better.
John M. Brown, CEO
Chagres Technologies, Inc
Le Geek
> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org
> [mailto:owner-namedroppers@ops.ietf.org] On Behalf Of Alec H. Peterson
> Sent: Friday, November 22, 2002 5:38 PM
> To: namedroppers@ops.ietf.org
> Subject: DNS Server DoS Attacks
>
>
> These attacks seem to be on the rise. There were the well-publicized
> ones on the root servers a few weeks ago, and yesterday UltraDNS was
> hit with one. It occurs to me that these attacks have the potential to
> completely shut down the DNS system if they are structured properly. I
> have a thought on how to make the system more resilient to
> authoritative servers getting hammered, and was interested in some
> thoughts on it.
>
> My thought is to add another TTL to DNS responses, similar to the SOA
> maximum parameter. The current TTL would be similar to the SOA minimum.
> This would still allow for records to expire in a reasonable amount of
> time, but it would also allow for DNS responses to be answered in the
> event that servers in the hierarchy are unreachable for some reason. It
> occurs to me that it is possible to retrofit existing DNS servers to
> have a static maximum timeout without any protocol modifications.
>
> Anyway, the way I see it since DNS already has a caching infrastructure
> built in it makes sense to take extra advantage of that infrastructure
> when things are under attack.
>
> Alec
>
> --
> Alec H. Peterson -- ahp@hilander.com
> Chief Technology Officer
> Catbird Networks, http://www.catbird.com
>
> --
> to unsubscribe send a message to
> namedroppers-request@ops.ietf.org with the word 'unsubscribe'
> in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
>
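The two-TTL caching behaviour proposed in the quoted message, and the trade-off raised in the reply above (a stale answer keeps pointing at the old address while the operator is trying to move the victim), as an added simulation that is not part of either post. `Authoritative`, `Resolver`, `simulate` and the 192.0.2.x addresses are constructed for the example; `max_ttl` stands in for the hypothetical second TTL.

```python
from dataclasses import dataclass

@dataclass
class Authoritative:
    """Constructed authoritative server: records map name -> (rdata, ttl)."""
    records: dict
    reachable: bool = True

    def query(self, name):
        if not self.reachable:          # swamped, no answer comes back
            return None
        return self.records.get(name)

@dataclass
class Entry:
    rdata: str
    ttl: int          # normal TTL carried in the response
    fetched_at: int   # simulated clock, seconds

class Resolver:
    """Toy caching resolver. max_ttl is the hypothetical second, longer TTL:
    an expired entry may still be served until then, but only when the
    authoritative server does not answer. max_ttl=0 gives today's behaviour."""
    def __init__(self, auth, max_ttl):
        self.auth, self.max_ttl, self.cache = auth, max_ttl, {}

    def lookup(self, name, now):
        e = self.cache.get(name)
        if e and now - e.fetched_at < e.ttl:
            return e.rdata, "fresh"
        ans = self.auth.query(name)
        if ans is not None:             # refresh normally when upstream answers
            self.cache[name] = Entry(ans[0], ans[1], now)
            return ans[0], "refreshed"
        if e and now - e.fetched_at < self.max_ttl:
            return e.rdata, "stale"     # serve the old answer during the outage
        return None, "servfail"

def simulate(max_ttl):
    """Walk one outage: cache fills, servers go dark, the operator repoints
    the victim's A record, servers come back. Returns the answers seen."""
    auth = Authoritative({"victim.example": ("192.0.2.10", 300)})
    r = Resolver(auth, max_ttl)
    seen = [r.lookup("victim.example", 0)]                  # first query, TTL 300
    auth.reachable = False                                   # attack begins
    seen.append(r.lookup("victim.example", 400))             # past TTL, upstream silent
    auth.records["victim.example"] = ("192.0.2.20", 300)     # operator moves the victim
    seen.append(r.lookup("victim.example", 500))             # does the resolver see it?
    seen.append(r.lookup("victim.example", max_ttl + 400))   # beyond the second TTL
    auth.reachable = True                                    # attack over
    seen.append(r.lookup("victim.example", max_ttl + 401))
    return seen
```

With a long `max_ttl` the resolver keeps answering through the outage but hands out the old address even after the operator changed the record; with `max_ttl=0` it fails over to SERVFAIL immediately and picks up the new address as soon as the server is reachable.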