[dns-operations] DNS Amplification Attacks

Geo. geoincidents at nls.net
Wed Mar 22 01:35:28 UTC 2006


Sorry for the length but replied to multiple comments all in one post.

<Paul>
> treating these not-very-new attacks as a problem with EDNS or open recursion
> when there are other uncloseable vectors available is just silly.

That's not at all what I was saying. What I was saying is that it is the
spoofing aspect of this vector that makes it more desirable than other
types of attacks. In the hacker world, anonymous attacks rule. The best we
can hope is to make unclosable vectors undesirable.

> however, it's a silly world.  in this silly world, there is no way that the
> non-BCP38 networks who are at the root of the problem will ever feel any of
> the pain they cause.

Why, because we don't have a good way to test them? Ok how about this. Put
up a website amispoofproof.com and create an executable (I don't think it
can be done in java) that spoofs a UDP packet back to the source with the
actual IP as the data in the packet as a way to have users test their ISP to
see if they are spoofproof or not? The site logs the data so it can be used
to tell what AS's are and aren't BCP38. The big websites are quite
vulnerable to these attacks so perhaps a few of them would be willing to
help raise awareness of this test site and help make the public aware that
this is a security issue. Let the netizens test the net for you. W2K and
Linux clients should be easy since they have raw sockets and we can have
Steve "who needs raw sockets" Gibson code up one for XP.

Make BCP38 a security issue in the eyes of the public and give the public
the tools to test their ISP themselves. Tickle the non-compliant ISP in a
very soft spot, their marketing departments. Security is a checkbox item
nowadays remember? We don't have to blacklist or do anything that might
inconvenience the public, all we have to do is make some noise. Once most of
the net is done then we can take on a blacklist strategy for the remainder.


> since they're mostly in bankruptcy or just coming out
> of bankruptcy or trying to sell in a thin-margin commodity field where they
> are barely profitable or perhaps unprofitable... it's hard to ask them to
> spend money on the software upgrades, hardware upgrades, policy and procedure
> and training upgrades that would make BCP38 achievable for them.

And yet it's perfectly acceptable to force them to lock down every open
recursive server at every pop and play whack-a-mole with the daily flood of
new customer-run open recursive servers and to retrain the support
department in how to track down dns issues since they aren't local to the
customer's dns server, in a 5 year mission to go where no one has gone
before?

I'm an ISP and I don't find that more acceptable than BCP38. Granted I'm not
UUnet but I think I've got a feel for what's involved in each.

> shunning them, RBL-style, isn't an option.  oh, sure, one could blackhole a
> non-BCP38 network,

I'm a little confused then, how do you force closing of open recursive if
not by blocking them?

<Ondrej>
> I just don't understand why you are so against shutting down open
> recursors,

1) it is a valuable function of the internet that allows me to use my own
dns servers instead of having to trust whoever runs the access point I am
currently using (wired or wireless), he who controls your dns servers
controls you. As wireless becomes more and more popular and devices more and
more mobile this will become a big security concern.

2) It will create a powerful control mechanism that will make it easier to
control information on the net. You know how difficult it is to send email
from some places today without using their server and playing by their
rules, picture that with DNS.

3) It will be MORE costly to ISPs than closing open relay was because of the
whack-a-mole nature of it and because partial dns blocking will affect far
more than just email and manifest itself as symptoms that are very difficult
to diagnose.

4) There are 2 pieces required to make the current flood attack work and we
are already trying to remove one of them, splitting our efforts will make it
take longer to reach that first bcp38 goal which is an important goal.

5) no matter what we do, until the major dns authors change the default
installs to not be open recursive, the problem is going to remain major. MS
isn't going to change Vista at this point so I'm guessing we are probably
4-5 years away from that.

<JP Velders>
>What fine alcoholic or intoxicating substance are you on ?

It's called a Mountain Dew, not that code red hacker crap, this is the
original industrial strength stuff that doesn't even change color when it
goes thru you. <g>

> Botnets a plenty around the world, and implementing BCP38 won't make
> the problem of open-recursers go away or become less manageable.

Every Bot on a Botnet will have at least 2 recursive servers they are
allowed to use, locking them down will not change that. A 20,000 bot network
will have 40,000 dns servers to flood you with even after recursion is
locked down.

> If spoofing was that much of a problem (when viewed in this smaller
> context!), then I'd really like to know why -being a member of an NREN
> security team- we're not buried in complaints about issues which turn
> out to be spoofing of UDP packets.

If spoofing isn't a problem why is BCP38 a goal? Because it isn't limited to
just this smaller context. It's a pretty major problem, sqlslammer, smurf,
this dns flooding, switch crashing, MitM attacks, dns cache poisoning,
pretty much anything UDP (Paul mentioned NTP although I'm unfamiliar with
that abuse) can be abused via spoofing, the list goes on. The need to lock
down open recursive becomes insignificant if spoofing is gone and a lot of
other issues go away completely.

> etc. All basic and good practices, being core competence issues, just
> like having good financial information.

Exactly, and if we make some tools so the public can test their ISPs
perhaps we can generate a bit more awareness and make other network segments
a bit more sensitive thus accelerating BCP38 compliance. If we can get the
big onramps to do BCP38 it will be a lot more difficult to get bots in a
segment where you can spoof from and this attack will lose a lot of its
appeal without the whole internet being spoofproof.

Geo.
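
The collector side of the test site proposed in the message above (receive the probes, log which ASes let a forged source out), as an added example that is not part of the original post. The session token, the `<token> <claimed_ip>` payload layout, the prefix-to-AS table and the sample probes are all constructed assumptions; addresses come from documentation ranges and AS numbers from the private-use range.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-AS table (documentation prefixes, private-use ASNs).
PREFIX_TO_AS = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
    ipaddress.ip_network("198.51.100.128/25"): 64502,
}
# Constructed sample: token -> client IP seen on the web session that issued it.
SESSIONS = {"t1": "192.0.2.10", "t2": "198.51.100.7", "t3": "198.51.100.200"}
PROBES = [  # (UDP source address as received, payload); t2's probe never arrives
    ("203.0.113.99", b"t1 192.0.2.10"),        # forged source reached the collector
    ("198.51.100.200", b"t3 198.51.100.200"),  # source rewritten on the way (NAT)
    ("203.0.113.5", b"tX 192.0.2.10"),         # token the site never issued
    ("203.0.113.5", b"\xff garbage"),          # malformed payload
]

def origin_as(addr):
    """Longest-prefix match of addr against PREFIX_TO_AS; None if unknown."""
    ip = ipaddress.ip_address(addr)
    matches = [n for n in PREFIX_TO_AS if ip in n]
    return PREFIX_TO_AS[max(matches, key=lambda n: n.prefixlen)] if matches else None

def classify(sessions, probes):
    """Return AS number -> {"spoofable": n, "filtered": n}.
    A session counts as spoofable only if a probe carrying its token arrived
    with a UDP source different from the session's real address. A probe that
    never arrives counts as filtered; packet loss looks the same."""
    per_as = defaultdict(lambda: {"spoofable": 0, "filtered": 0})
    arrived = {}
    for udp_source, payload in probes:
        try:
            token, claimed = payload.decode("ascii").split()
            ipaddress.ip_address(claimed)
        except ValueError:          # bad encoding, wrong field count, bad address
            continue
        real = sessions.get(token)
        if real is None or claimed != real:
            continue                # unknown token or payload disagrees with session
        # A forged source that still got here means no egress filtering on the path.
        arrived[token] = arrived.get(token, False) or udp_source != real
    for token, real in sessions.items():
        asn = origin_as(real)
        if asn is not None:
            key = "spoofable" if arrived.get(token) else "filtered"
            per_as[asn][key] += 1
    return dict(per_as)
```

Tying each probe to a token issued over the web session keeps a third party from reporting results for an address it does not hold, which a payload carrying only the claimed IP would allow.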



