Re: DNS Server DoS Attacks
At 16:20 -0700 11/23/02, Alec H. Peterson wrote:
> So let me re-state in no uncertain terms my goal here, so that nobody can
> imply anything that is not meant to be implied from my statements.
>
> My proposal (essentially a second TTL that keeps records around longer in the
> event that authoritative servers are unable to answer) is _NOT_ meant to be any
> sort of 'solution' to DoS attacks. I feel that it is still incredibly
> important for us to do everything that we can to secure the edge and keep these
> attacks from happening.
The problem with the proposal is that it breaks one goal of the DNS.
DNS is a distributed database and as such needs to maintain
coherency in the answers it gives. The TTL is the main parameter
that is available to allow caches (needed to alleviate high demand on
authoritative servers and paths to them) to attempt to remain
coherent. By instructing caches to hold data any longer than the
TTL, you are making it less likely the DNS can maintain coherency.
It is also important to note that the TTL is really the only way a
zone, via an authoritative server, can inform remote caches of how
often the zone expects to refresh the data. Masters and slaves have
the SOA parameters to govern zone transfer schedules. The last
parameter in the SOA is used for negative caching, and just that, in
caches.
If we were to add a second TTL (as in 'in emergency'), then a lot of
other activity in DNS would be more complicated. E.g., in
considering key rollover, we are trying to determine how much time
should elapse before removing a key. The current calculation
involves the TTL as part of an estimate as to when a key will
completely disappear from the DNS.
That's the more pragmatic answer as to why addressing DoS by
encouraging caches to hold data longer should be discouraged. A more
philosophical answer is that addressing security concerns should not
overwhelm the main mission. No answer to a vulnerability should
alter DNS's core goals, and database coherency is one of the most
important.
Since we often drop in to gross analogies when trying to dismiss an
idea, I will include this one:
This would be like amputating your hand so that you won't break a finger.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-703-227-9854
ARIN Research Engineer
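As an added illustration (my example, not code from this thread or from any resolver implementation), the toy cache below models both behaviours discussed above: a plain TTL, and the proposed second TTL under which expired data is still served while the authoritative server cannot be reached. It replays a constructed timeline in which the zone changes an address and the authority then becomes unreachable, so the coherency cost of the second TTL can be observed directly. The name, addresses, TTLs and outage timings are all constructed for the example.

```python
"""Added illustration (not code from the thread): a toy resolver cache that
models a plain TTL versus the 'second TTL' proposal discussed above, so the
coherency cost of holding data past its TTL can be measured directly.
All names, addresses and timings are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CacheEntry:
    rdata: str          # the cached answer (e.g. an IPv4 address)
    inserted_at: int    # time the answer was learned, in seconds
    ttl: int            # TTL the authoritative server attached to it


class Authoritative:
    """Minimal stand-in for a zone's authoritative server."""

    def __init__(self, records: Dict[str, Tuple[str, int]]):
        self.records = dict(records)   # name -> (rdata, ttl)
        self.reachable = True          # set to False to model a DoS outage

    def query(self, name: str) -> Tuple[str, int]:
        if not self.reachable:
            raise TimeoutError("authoritative server unreachable")
        return self.records[name]


class Resolver:
    """Caching resolver. stale_ttl=0 is ordinary TTL behaviour; a positive
    stale_ttl is the 'emergency' second TTL: expired data may still be
    served for that many extra seconds, but only when the authority fails."""

    def __init__(self, auth: Authoritative, stale_ttl: int = 0):
        self.auth = auth
        self.stale_ttl = stale_ttl
        self.cache: Dict[str, CacheEntry] = {}

    def resolve(self, name: str, now: int) -> Tuple[str, str]:
        entry = self.cache.get(name)
        if entry is not None and now < entry.inserted_at + entry.ttl:
            return entry.rdata, "cache"        # fresh: the authority is not contacted
        try:
            rdata, ttl = self.auth.query(name)
        except TimeoutError:
            if entry is not None and now < entry.inserted_at + entry.ttl + self.stale_ttl:
                return entry.rdata, "stale"    # past TTL, served only because auth is down
            raise                              # plain TTL: the SERVFAIL case
        self.cache[name] = CacheEntry(rdata, now, ttl)
        return rdata, "authoritative"


def max_staleness(ttl: int, stale_ttl: int = 0) -> int:
    """Worst-case age of an answer a cache may hand out. This is the bound a
    key-rollover schedule (how long until an old key is gone from every
    cache) has to be computed from."""
    return ttl + stale_ttl


def run_scenario(stale_ttl: int) -> List[Tuple[int, str, str]]:
    """Constructed timeline: the zone changes www's address at t=100 and the
    authority is unreachable from t=100 until t=450. Returns (time, answer, source)."""
    name = "www.example.test."
    auth = Authoritative({name: ("192.0.2.1", 300)})
    resolver = Resolver(auth, stale_ttl=stale_ttl)
    timeline: List[Tuple[int, str, str]] = []

    def ask(now: int) -> None:
        try:
            rdata, source = resolver.resolve(name, now)
        except TimeoutError:
            rdata, source = "", "servfail"
        timeline.append((now, rdata, source))

    ask(0)                                   # first lookup fills the cache
    auth.records[name] = ("192.0.2.2", 300)  # zone is updated at t=100 ...
    auth.reachable = False                   # ... and the authority goes down
    ask(200)                                 # within TTL: old answer, as the TTL intends
    ask(400)                                 # past TTL: plain TTL fails, second TTL serves old data
    auth.reachable = True                    # authority back at t=450
    ask(500)                                 # both variants now learn the new answer
    return timeline


if __name__ == "__main__":
    for stale in (0, 3600):
        print(f"stale_ttl={stale}s, worst-case answer age={max_staleness(300, stale)}s")
        for t, rdata, source in run_scenario(stale):
            print(f"  t={t:>4}s  {source:<13} {rdata or '-'}")
```

With `stale_ttl=0` no cache ever returns an answer older than the TTL the zone chose; the price is a failed lookup at t=400 while the authority is down. With the second TTL the lookup at t=400 succeeds, but it returns an address the zone withdrew 300 seconds earlier, and the worst-case age of any answer grows from `ttl` to `ttl + stale_ttl`. That larger bound is exactly what a rollover or any other "when is the old data gone everywhere" calculation would have to absorb.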
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>