[dns-operations] Too Open (Was: OpenDNS makes your Internet work better
David Ulevitch
davidu at everydns.net
Tue Jul 11 16:53:15 UTC 2006
On Jul 11, 2006, at 9:36 AM, Roy Arends wrote:
> On Mon, 10 Jul 2006, David Ulevitch wrote:
>
>> On Jul 10, 2006, at 1:59 PM, Stephane Bortzmeyer wrote:
>>
>>> On Mon, Jul 10, 2006 at 01:53:58PM -0700,
>>> Rick Wesson <wessorh at ar.com> wrote
>>> a message of 36 lines which said:
>>>
>>>> The ORNs discussed in the papers you reference below are for the
>>>> most part ones that are open but not managed as open, i.e. their
>>>> managers think that they are closed but in fact are not. These [en
>>>> masse] do pose a threat.
>>>>
>>>> OpenDNS is supposed to be open; it's in their name. The ORNs are not
>>>> supposed to be open but are.
>>>
>>> Correct, but what does it change in practice? OpenDNS knows that
>>> it is open, but how does it make it less vulnerable?
>>>
>>> Do they implement rate-limiting, for instance?
>>
>> I actually thought Rick's answer was pretty much perfect. But I'll
>> add some comments now:
>>
>> There's a lot you can do when you are running an anycasted recursive
>> nameserver to detect things happening in flash-mob style and in the
>> wild.
>> Please think about this idea for a while before responding.
>
> ORNs can be abused to victimize _others_.
I think we all know the issue with ORNs and the attacks that have
been launched using them. This is part of my motivation in launching
OpenDNS.
Surely you know that.
> It is trivial to send requests to an Open Recursive Nameserver like
> OpenDNS, with a source address of some victim.
It's also trivial to know if you've seen requests from that source
address before. It's also possible to know average traffic patterns
for qnames and RDLENGTH, etc. Actually, it's not trivial, it's
really hard. But it's doable. Maybe not with BIND. Then again,
we're not running BIND.
We've written software that was written for our network and our
userbase. I'm sure there are bugs, but there are also fixes. A
secure DNS needs more than just a patched copy of source code; it
needs intelligence.
> Imagine a recruited army of 50K clients, sending requests to a list of
> ORNs at a rate of 10K requests per client, all with the same spoofed
> source address asking for large responses (say the root NS set).
> This will cause a steady stream of 250K traffic to a victim. This is
> not theory. This caused major incidents.
Why not look at solutions that incorporate IP rate-limiting, prefix
rate-limiting and RDATA response size filtering? Tuples of TYPE, RDATA
and SRC_ADDR that distinguish changes in normal behavior can become
extremely effective at not just mitigating attacks but determining
client behavior.
If you want advice on how to secure a recursive DNS server, let's
have that discussion.
In fact, I can't imagine a reason why you wouldn't use OpenDNS. It
does seem like the typo-correction has stirred discussion on the
wrong path in a few forums; I think we're gonna take care of that
one, hopefully by the end of the week. :-)
-david
>
> Roy
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
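The mitigations David lists (per-IP and per-prefix rate limits, response-size filtering, and remembering whether a source has been seen before) as an added example that is not OpenDNS's software or anything from this thread; the ResolverGuard class, its thresholds and the traffic in run_sample() are all constructed for illustration. Unseen sources get a much smaller allowance of large replies, which is what blunts the spoofed-source amplification Roy describes.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical policy object: per-window counters plus a verdict for each query a resolver receives.
class ResolverGuard:
    def __init__(self, per_ip=50, per_prefix=500, big_bytes=512,
                 big_per_ip=5, window=1.0):
        self.per_ip = per_ip            # queries per window from one source address
        self.per_prefix = per_prefix    # queries per window from one /24 (or /64)
        self.big_bytes = big_bytes      # replies longer than this count as "large"
        self.big_per_ip = big_per_ip    # large replies per window for a known source
        self.window = window            # window length in seconds
        self.slot = None                # current window number
        self.seen = set()               # sources that sent traffic in an earlier window
        self.ip_hits, self.prefix_hits, self.big_hits = Counter(), Counter(), Counter()

    def _roll(self, now):
        slot = int(now // self.window)
        if slot != self.slot:           # new window: remember who we saw, reset counters
            self.seen.update(self.ip_hits)
            self.slot = slot
            self.ip_hits.clear(); self.prefix_hits.clear(); self.big_hits.clear()

    def decide(self, src, response_len, now):
        """'answer', 'truncate' (TC=1: a real client retries over TCP, a spoofed source never does) or 'drop'."""
        self._roll(now)
        bits = 24 if ip_address(src).version == 4 else 64
        prefix = ip_network(f"{src}/{bits}", strict=False)
        self.ip_hits[src] += 1
        self.prefix_hits[prefix] += 1
        if self.ip_hits[src] > self.per_ip or self.prefix_hits[prefix] > self.per_prefix:
            return "drop"
        if response_len > self.big_bytes:
            self.big_hits[src] += 1
            allowance = self.big_per_ip if src in self.seen else 1
            if self.big_hits[src] > allowance:
                return "truncate"
        return "answer"

def run_sample():
    """Constructed traffic: a known client, then a burst with a spoofed victim source asking for large replies."""
    g = ResolverGuard()
    verdicts = Counter()
    for i in range(10):                     # window 0: establish 198.51.100.7 as known
        verdicts[g.decide("198.51.100.7", 120, 0.1 * i)] += 1
    for i in range(8):                      # window 1: known client, a few large replies
        verdicts[g.decide("198.51.100.7", 600, 1.0 + 0.01 * i)] += 1
    for i in range(80):                     # window 1: spoofed 203.0.113.9, all large
        verdicts[g.decide("203.0.113.9", 600, 1.2 + 0.001 * i)] += 1
    return verdicts
```

In the constructed sample the known client keeps 5 of its 8 large replies, the spoofed source gets exactly one full-size reply before everything else is truncated and then dropped, so the bytes reaching the victim fall from 80 large responses to one.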