[dns-operations] DNS Amplification Attacks

Paul Vixie paul at vix.com
Tue Mar 21 07:17:53 UTC 2006

"sherman, set the wayback machine for one week ago, and for two weeks ago."

# Back when we shut down open relay mail servers to address the spam problem
# we ignored the spoofing issue, with mail it was spoofing the FROM: address.

with RFC821/RFC822 it was spoofing the SMTP HELO, SMTP MAIL FROM, header
"From:", header "To:", header "Cc:", and header "Received:".  but, yes.

# Because we ignored that, today we have no open relay servers yet we still
# have spam, phishing, joe-jobs, email virus, etc

and yet, i can blackhole the transmission point of any spam i receive, with
very little risk (as a percentage overall) of it being a false-positive.  if
we hadn't demanded that the open relays become closed, this useful and nec'y
tactic would not have been possible, and without this useful and nec'y 
technique, actual spam sources (not merely convenience-relays or accidental
relays) would not stand out like beacons in the night.  

please do not go on believing that the closing down of open smtp relays has
been ineffective.  you might be receiving as much spam as ever, and we know
that as much (or more, depending on day-of-week) spam is sent as ever, but i
know that the spam problem is MUCH more manageable than it would have been
had we left all those relays open.

# because we did not address the anonymous aspect of spoofing the FROM
# address. That actually would have been a very difficult thing to fix without
# reworking smtp but we are no in the process of doing exactly that in order
# to address these other anonymous source problems.

here's where your analogy breaks down.  spam does not require spoofed sources,
and because domains are cheaper and more virtual than IP addresses, it was
always possible for a spammer to burn through a thousand valid domain names
per day, even if active source checking (a la AOL) is enabled to ensure that
the purported source addresses are all deliverable.  so, let's once and for
all stop comparing this to spam and smtp.  TCP and UDP each offer their own
constraints on IP address spoofability.

# We have the same thing now with the dns flooding issue, we have open
# recursive servers and we have a spoofing aspect which is really what makes
# this such an attractive attack vector. The amplification aspect is a nice
# feature for an attack vector but lets face it, if you have a 20,000 bot
# network you don't really need it. However being able to use that network
# without exposing the bots (spoofed traffic is such a bear to track) well
# that's the draw.

i've tried to make the point, in my press contacts over recent weeks, that
EDNS is just a fad, as is open recursion, as is DNS itself.  this kind of
attack is trivial to launch using reflection, without any kind of
amplification, but if amplification is desired, DNS (non-EDNS) authority
servers are also willing to do it, as are NTP and SNTP servers.  if one is
willing to forego amplification because a 20K botnet can be had for 50 USD
or built out of raw materials in a day or two, one could just use ICMP for
the bombardment.

treating these not-very-new attacks as a problem with EDNS or open recursion
when there are other uncloseable vectors available is just silly.  closing
DNS recursion without dealing with the amplification available from non-EDNS
authority DNS servers is still.  doing anything about DNS without doing 
something about NTP and ICMP is just silly.  in fact, doing anything other
than deploying BCP38 is just silly, since it moves the problem without
actually trying to solve it.

however, it's a silly world.  in this silly world, there is no way that the
non-BCP38 networks who are at the root of the problem will ever feel any of
the pain they cause.  since they're mostly in bankruptcy or just coming out
of bankruptcy or trying to sell in a thin-margin commodity field where they
are barely profitable or perhaps unprofitable... it's hard to ask them to
spend money on the software upgrades, hardware upgrades, policy and procedure
and training upgrades that would make BCP38 achievable for them.  "i know
you aren't making money and have cut your staff way below minimum levels,
but i want you to spend capital and expense solving a problem that's only
being experienced by your competitors."  not an easy sell.

shunning them, RBL-style, isn't an option.  oh, sure, one could blackhole a
non-BCP38 network, but that would just help you reject the packets coming from
them that ARE NOT spoofed.  not very helpful.  hard to explain to the TRO
judge, too, whom you will surely meet if your shunning activities are
economically painful to the non-BCP38 network.  but the greatest likelihood is
that the non-BCP38 network is so large that you can't afford to shun them,
and you can bet that their owners and operators know that and depend on that.

and, to complete today's rehash of last week's and the week's before thread:

# ... closing down open recursive servers isn't going to be a piece of cake
# either and it's not going to solve the problem of dns flooding although it
# will remove this one vector.

it's not going to do any good in the long run, but it's an effective short
term fix and will make it lots easier to manage and categorize the surviving
DNS traffic.  and more importantly, the people who are feeling this pain are
going to implement this for themselves no matter whether it solves any long
term problems.  you can wish for a better world, the gods know i do too, but
in the world as it is, open recursion is going to be gone in a year or two,
no matter how we feel or what we say.  we need to start "getting over it."

# It will still be possible to use a bot network to flood from the recursive
# servers those bots are allowed to use, it will still be possible to use
# spoofed UDP to infect thousands of machines (sqlslammer is an example), it
# will still be possible to control bots via spoofed UDP commands, the
# anonymous aspect will remain and the focus on BCP38 will be diminished
# because closing open recursive will be what the media picks up.

yes.  but the flows will be easier to categorize, measure, and manage.  that
and the fact that it'll provide a few weeks of respite while the attackers
re-tool, is what makes it inevitable that it will be done, no matter how we
feel or what we say.  that's the world as it is and will be, not as we might
wish or as it should be.  we need to start "getting over it."

# Neither solution is perfect but one will make the attackers easier to find
# while the other will take 1 toy away from them.

no.  either will make the attackers easier to find, one takes a toy away.

More information about the dns-operations mailing list