[dns-operations] DNS deluge for x.p.ctrc.cc

Paul Vixie paul at vix.com
Mon Feb 27 00:20:28 UTC 2006


# Some (I think it was Bill?) said this can kill some applications such as 
# DNS-SEC, now.. not to nitpick but I don't exactly see DNS-SEC around.

we'd like to leave the door open for Secure DNS, rather than slamming it as
has been effectively done for SNMPv3.  (anybody tried wide-area UDP/161
lately?)

# What other applications using larger packets would it break?

responses containing AAAA RR's are one example.  RFC 2671 was not written
pointlessly, or at least i hope (as its author) that it wasn't pointless.

# How large would the packets for these applications be? Surely if they 
# are, say, 1024, it's better than 4 K's.  :)

as others here have also pointed out, the attack does not depend on 4K or
even 1K... if an attacker gets a smaller amplification factor from the open
recursive dns servers, they can ramp up the number of flows until the victim
is seeing the right number of gigabits per second.  any remediation method
related to 4KB or 1500B or 1KB or fragmentation or EDNS is just a band-aid.

# Also, wasn't the problem packet fragmentation? What am I missing?

the people who know a lot about the recent attacks are mostly not talking
other than to say fragments were involved, which is obvious when you consider
the usual 1500B MTU on at least one end, the lack of in-core reassembly, and
the now-general knowledge that the data at the domain in the subject of this
mail message contains a near-4K TXT RRset.



More information about the dns-operations mailing list