[dns-operations] on amplification, udp, and dns

Daniel Karrenberg daniel.karrenberg at ripe.net
Fri Mar 24 07:20:27 UTC 2006


On 23.03 13:01, Edward Lewis wrote:
> Sometimes it seems to me that the only way to prevent DNS's use of 
> UDP as a tool for amplification is to require that queries be almost 
> as big, or perhaps even bigger than, responses.
> 
> Closing down open recursive servers only shuts down one amplification 
> path, but one that today is significant because the number of open 
> resolvers out there is much larger than the number of authoritative 
> servers with large data sets.
> 
> But if DNSSEC (a desirable thing to quite a few folks) gets to 
> widespread deployment, then there will be many authoritative servers 
> that will be available for amplification services.  What a dilemma, 
> improving the security of DNS makes DNS a more valuable tool for DDoS.
> 
> EDNS0 opens up the message size that is needed for DNSSEC, IPv6 glue, and 
> then the NAPTR record in ENUM.  But then again, this improvement 
> facilitates amplification.
> 
> This does not make me happy.

The only path with real leverage is to prevent source address spoofing. 
Many have argued that there is little leverage to convince ISPs and 
I agree.  What I will try to do in the RIPE region is to increase the
force applied on that leverage by raising awareness among ISPs,
providing information on how to implement and apply some peer pressure. 
I do not subscribe to the view that edge ingress filtering only helps if
applied absolutely universally.  Every little bit helps.  My hope is
that at some point the number of die-hards will be small enough that
they stick out. 

"There is nothing good unless one does it." - Erich Kaestner

Daniel
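The two points the thread turns on, that a short UDP query can draw a much larger response toward a forged source address, and that ingress filtering at the customer edge removes that forged traffic even when only some ISPs apply it, can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the list, from Daniel Karrenberg or from RIPE. All packets, prefixes and sizes are constructed sample values, and the 64-byte query / 3200-byte response pair is an illustrative assumption, not a measurement.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP as seen on the customer-facing edge interface
    dst: str      # destination (an open resolver or an authoritative server)
    length: int   # UDP payload size in bytes


# Prefixes legitimately assigned to the customer behind this edge interface.
# Constructed sample values (documentation ranges), not from the original post.
CUSTOMER_PREFIXES = ["192.0.2.0/24", "2001:db8:10::/48"]

# Constructed sample of packets arriving from that customer interface.
# Two carry a forged source (the victim's address); the others are genuine.
VICTIM = "203.0.113.9"
SAMPLE_PACKETS = [
    Packet("192.0.2.17", "198.51.100.53", 64),       # genuine customer host
    Packet(VICTIM, "198.51.100.53", 64),             # spoofed source
    Packet("2001:db8:10::5", "2001:db8:53::1", 70),  # genuine customer host
    Packet(VICTIM, "198.51.100.54", 64),             # spoofed source again
]


def ingress_filter(packets, customer_prefixes):
    """Edge ingress filter (BCP38-style): pass only packets whose source
    address lies inside a prefix assigned to this customer interface.
    Returns (passed, dropped)."""
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    passed, dropped = [], []
    for pkt in packets:
        src = ipaddress.ip_address(pkt.src)
        # `in` is False across address families, so v4 sources never match v6 nets
        if any(src in net for net in nets):
            passed.append(pkt)
        else:
            dropped.append(pkt)
    return passed, dropped


def amplification_factor(query_len, response_len):
    """Bytes sent to the victim per byte the spoofer sends."""
    return response_len / query_len


def reflected_bytes(packets, victim, response_len, customer_prefixes=None):
    """Bytes a reflector would send toward `victim` in reply to spoofed
    queries, with the edge filter (prefixes given) or without it (None)."""
    if customer_prefixes is not None:
        packets, _ = ingress_filter(packets, customer_prefixes)
    return sum(response_len for p in packets if p.src == victim)


def reflected_bytes_across_edges(edges, victim, response_len):
    """Sum over several ISP edges, each (packets, prefixes_or_None).
    Edges that filter remove their share even if the others do not."""
    return sum(reflected_bytes(p, victim, response_len, c) for p, c in edges)


if __name__ == "__main__":
    passed, dropped = ingress_filter(SAMPLE_PACKETS, CUSTOMER_PREFIXES)
    print("passed:", len(passed), "dropped:", len(dropped))
    print("amplification factor:", amplification_factor(64, 3200))
    print("unfiltered edge ->", reflected_bytes(SAMPLE_PACKETS, VICTIM, 3200))
    print("filtered edge   ->",
          reflected_bytes(SAMPLE_PACKETS, VICTIM, 3200, CUSTOMER_PREFIXES))
    mixed = [(SAMPLE_PACKETS, CUSTOMER_PREFIXES), (SAMPLE_PACKETS, None)]
    print("one of two edges filtering ->",
          reflected_bytes_across_edges(mixed, VICTIM, 3200))
```

The last call is the "every little bit helps" argument in numbers: with one of two edges filtering, the reflected volume halves relative to no filtering at all, without waiting for universal deployment.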
