Re: recursive DNS servers DDoS as a growing DDoS problem



Geo. wrote:
The flood is a flood of answers not queries, you spoof the source address of
a query with the address of your target, the target gets the response from
the dns server. A cache on the dns server just makes it a more efficient
response.

Queries are bad enough. This can be played with from any point in the chain. I.e. from the amount of querying clients, the number of so-called "relaying servers", possible /effective/ amplification and the size of the TXT SOA record.

Increase any of these and you somewhat increase the attack if one of the others is controlled. So treating just one is not really a solution.

We provided with an equation of sort to this effect in the paper we pre-released for the community when the FUD started (was supposed to eventually be an academic paper):
http://www.isotf.org/news/DNS-Amplification-Attacks.pdf

Yes, in my opinion recursion should be put under better control, but it's what-a-mole all over again if we do it by running after servers. The problem here (if we are to ignore just for a moment other UDP/DNS attacks) is with the attack vector - spoofing.

Many networks today allow spoofing.

Should recursion by default be disabled? Yes. Is it a problem when done insecurely? Yes. Is it what we should run after on the "client-side" servers? No, or maybe not Yes but not Only.

I have not seen a perfect solution yet, at best the solutions I've seen
mentioned eliminate this one flood vector. I would suggest that when
considering which one to choose we look at what we lose with each choice.
Eliminate spoofing and you lose virtually nothing, eliminate open recursive

I am with you so far. Spoofing is not the only problem of the Internet by far, but is is a problem mostly ignored thus far as it was not actively exploited *sniff*

servers and you have just created a really powerful control mechanism for
entities to control large sections of the internet since folks from those
sections won't be able to use anyone else's DNS servers or even run their
own (much like port 25 blocking limits who can run a mail server today). He
who controls dns controls the network.

Is this like when you brought up Government conspiracies in this regard on another list?

I can understand discussion going on with different lists, I sin with that myself recently. There were no direct lists to handle DNS or botnets issues until not long ago, still - should we just skip a list whenever you are disagreed with?

Gadi.



Relevant Pages

  • Re: [RFC] Automated generation of /etc/resolv.conf from the rc.d script
    ... DNS servers we learn from DHCP. ... +# resolv. ... Implement creation of namedforwarders file via /etc/rc.d/resolv ... +as the first DNS server when building of the forwarders file is enabled. ...
    (freebsd-current)
  • Re: Why adding secondary IP to NIC of DNS servers failed ?
    ... network on the 1.0.0.x subnet and some DNS servers on the 200.1.1.x subnet, ... When you added the 1.0.0.x address to the DNS server, ... If you don't have the 1.0.0.x application servers and the 1.0.0.x DNS ... If only the 1.0.0.x network is having trouble, ...
    (microsoft.public.windows.server.dns)
  • Re: Why adding secondary IP to NIC of DNS servers failed ?
    ... I thought you said the 200.1.1.x network was having problems. ... between the 1.0.0.x application servers and the DNS servers? ... Can you ping the DNS server from the application server? ... confers no rights. ...
    (microsoft.public.windows.server.dns)
  • Re: Why adding secondary IP to NIC of DNS servers failed ?
    ... When I added the 1.0.0.x IPs to the respective NICs on the DNS server, ... the application servers and devices on the same network 1.0.0.x experienced ... IPs to the TCP/IP properties on the respective DNS Servers ...
    (microsoft.public.windows.server.dns)
  • Re: Learned a lesson- Redundant servers possible?
    ... >trying to come up with a way to have two servers at two locations. ... The answer in a way depends on how much of the hardware you control. ... and a control system co-located with the DNS server that is ... extra work on those hosts that will be sending ...
    (linux.redhat)