paul at vix.com
Wed Mar 1 04:45:21 UTC 2006
randy vaughn asked:
# Paul, Would disabling EDNS0 be of any use?
no. or rather, where? there are three dns protocol agents involved here:
the attacker: uses edns0 signalling on requests spoofed-as(victim)
the amplifier: open recursive server responding to spoofed queries
the victim: receives many large (maybe fragmented) unsolicited responses
let's go through them one at a time, noting that there's no way to filter
EDNS0 in the core and that filtering it in edge firewalls is equivalent,
in terms of administrative domains, to not using it in the protocol agent
behind a given firewall.
i think it's safe to say that we can't get the attacker to stop using EDNS0.
by the time the victim has received the attack, the presence of EDNS0 is moot
since the congestion-event (full pipes upstream of you) has already occurred.
if we could get the amplifier to do anything at all, the thing we'd ask for
is a local ACL (to stop responding to off-net recursive queries) rather than
turning off EDNS0 (which would make it harder for them to eventually deploy
IPv6 or DNSSEC or fulfill other goals for which RFC 2671 was written.)
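as an added illustration of the ACL being asked for above (not configuration from paul's post or from any particular operator), here is the weak BIND 9 `named.conf` setting beside the corrected one; the `trusted` acl name and the 192.0.2.0/24 network are constructed placeholders:

```conf
// WEAK: answers recursive queries from anywhere. a query spoofed-as(victim)
// gets a large EDNS0-sized (maybe fragmented) answer sent to the victim,
// which is what turns this server into the amplifier.
options {
    recursion yes;
    allow-recursion { any; };
};

// CORRECTED: recursion is still on and EDNS0 is left untouched (so IPv6,
// DNSSEC and the other RFC 2671 goals are unaffected); the server simply
// stops answering off-net recursive queries.
acl "trusted" {           // constructed name, replace with your own
    127.0.0.0/8;          // loopback
    192.0.2.0/24;         // constructed placeholder for the local net
};

options {
    recursion yes;
    allow-recursion   { "trusted"; };   // who may ask for recursion
    allow-query-cache { "trusted"; };   // who may read cached answers
};
```

after reloading, a query from outside `trusted` that requests recursion is refused rather than answered, so the spoofed-source traffic no longer produces large responses toward the victim.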