[dns-operations] on amplification, udp, and dns
paul at vix.com
Thu Mar 23 20:51:03 UTC 2006
# > > EDNS0 opens up the message size, which is needed for DNSSEC, IPv6 glue, and
# > > then the NAPTR record in ENUM. But then again, this improvement
# > > facilitates amplification.
# I really read Ed's message as a warning to get BCP 38 almost
# universally deployed before we get wide spread use of DNSSEC / ENUM or
# otherwise the problem will reappear with authoritative servers.
some (including gadi, see the archives) have argued that we should've got
BCP38 universally deployed before encouraging wide use of EDNS0. there's
some trouble with the disparate bindings of the two uses of the word "we"
up there. but anyway, i don't agree with either statement.
80-for-1 amplification is nice. very convenient for attackers. it means
they can launch their spoofed-source query stream from fewer points or at
lower traffic levels, thus decreasing their visibility while launching.
however, "dig www.google.com @ns1.google.com" or the similar query through
yahoo, aol, or indeed most domains in .COM, yields about a 5-for-1 amp ratio,
which is QUITE usable for attacks -- much better than 1-for-1 as with
smurfless ICMP, for example.
crafting the perfect attack that relies only on authority servers (which must
remain non-ACL'd) and sends few enough queries per nameserver that it's never
rate-limited and that uses 100K authority name servers to spread the love,
is left as an exercise for the reader. note: EDNS0 or open recursion is
not required, and proposals including them will have points taken off.
(also note: a BGP-oriented blackhole list containing known attack vectors
for spoofed-source DDoS could safely list authority servers, as long as
they aren't mixed-mode ("also recursive servers"). what a great tie-in!)