[dns-operations] Bailiwick stats? Idea for mitigation...

Brian Dickson briand at ca.afilias.info
Sun Aug 10 03:46:42 UTC 2008

brett watson wrote:
> On Aug 9, 2008, at 4:02 PM, Brian Dickson wrote:
>> Thinking along the lines of things that rdns servers can do 
>> unilaterally to improve forgery resilience...
>> Do we know what typical percentage of queries a rdns box is likely to 
>> receive, of sub-domains of in-cache domains (which are not themselves 
>> cached), versus all other queries?
>> What I'm thinking is, when such a query is seen, even without 
>> checking TXID/QID mismatches, just always require two identical 
>> answers at each (external, non-cached) step of the recursive 
>> resolution process, using UDP.
>> With randomized ports per query, this effectively doubles the number 
>> of entropy bits, albeit at a performance hit of 2x, but only for 
>> those non-cached domains underneath cached domains.
> But what happens when the attackers start launching large scale 
> dictionary attacks (ie. NXDOMAIN answers, non-cached)... the 2x factor 
> gets pretty ugly?

It very much depends on who is attacking, and what their objective is.

If the attacker wants to poison a specific domain, the birthday attack 
requires that the relative rates are: spoofed answers >> triggering queries.
However, in that case, the 2x applies to the rate of triggering queries, 
and so is likely to not be significant.

OTOH, it does create a minor DOS multiplier, reducing by half the 
capacity needed to DOS a resolver. Rate limiting may be sufficient, 
since that is still on the query side, and won't affect resolution 
success per se.

There is a second-order effect, however. The attackers may not care who 
specifically their victims are - in which case deploying such a patch 
would be a significant deterrent so long as there are unpatched systems 
out there.

You don't have to outrun the bear, you only have to outrun your friends. :-)


More information about the dns-operations mailing list