[dns-operations] Bailiwick stats? Idea for mitigation...
Brian Dickson
briand at ca.afilias.info
Sun Aug 10 03:46:42 UTC 2008
brett watson wrote:
>
> On Aug 9, 2008, at 4:02 PM, Brian Dickson wrote:
>
>> Thinking along the lines of things that rdns servers can do
>> unilaterally to improve forgery resilience...
>>
>> Do we know what typical percentage of queries a rdns box is likely to
>> receive, of sub-domains of in-cache domains (which are not themselves
>> cached), versus all other queries?
>>
>> What I'm thinking is, when such a query is seen, even without
>> checking TXID/QID mismatches, just always require two identical
>> answers at each (external, non-cached) step of the recursive
>> resolution process, using UDP.
>>
>> With randomized ports per query, this effectively doubles the number
>> of entropy bits, albeit at a performance hit of 2x, but only for
>> those non-cached domains underneath cached domains.
>
> But what happens when the attackers start launching large scale
> dictionary attacks (i.e. NXDOMAIN answers, non-cached)... the 2x factor
> gets pretty ugly?
>
It very much depends on who is attacking, and what their objective is.
If the attacker wants to poison a specific domain, the birthday attack
requires that the relative rates are: spoofed answers >> triggering queries.
However, in that case, the 2x applies to the rate of triggering queries,
and so is likely to not be significant.
OTOH, it does create a minor DOS multiplier, reducing by half the
capacity needed to DOS a resolver. Rate limiting may be sufficient,
since that is still on the query side, and won't affect resolution
success per se.
There is a second-order effect, however. The attackers may not care who
specifically their victims are - in which case deploying such a patch
would be a significant deterrent so long as there are unpatched systems
out there.
You don't have to outrun the bear, you only have to outrun your friends. :-)
Brian
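To make the mitigation under discussion concrete, here is an added example (not code from the thread or from any resolver it mentions) of the resolver-side logic: when a query is for a name that is not cached but sits under a cached domain, send two independent UDP queries, each with a fresh random source port and TXID, and accept the answer only if both responses match. It also computes the "doubled entropy" figure and, via a counting transport, the 2x query cost. The cache contents, the transport callbacks and all addresses are constructed for the demo (documentation ranges). Unlike the post's "even without checking TXID/QID mismatches", this code does reject mismatched TXID/port as any resolver would; the point is that the duplicate-answer requirement is an additional check on top of that.

```python
import random
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Constructed sample cache: names the resolver already holds (documentation addresses).
SAMPLE_CACHE: Dict[str, str] = {
    "example.com.": "192.0.2.1",
    "ns1.example.com.": "192.0.2.53",
}

# A transport takes (qname, txid, src_port) and returns (txid_echo, port_echo, rdata).
# Hypothetical abstraction standing in for a real UDP socket so the demo runs offline.
Transport = Callable[[str, int, int], Tuple[int, int, str]]


def parent_names(qname: str) -> Iterator[str]:
    """Yield proper ancestors: 'a.b.example.com.' -> 'b.example.com.', 'example.com.', 'com.'"""
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:]) + "."


def needs_double_check(qname: str, cache: Dict[str, str]) -> bool:
    """Trigger condition from the post: name itself uncached, but an ancestor is cached."""
    if qname in cache:
        return False
    return any(parent in cache for parent in parent_names(qname))


def query_once(qname: str, transport: Transport, rng: random.Random) -> Optional[str]:
    """One UDP-style query with a fresh random TXID and source port; discard mismatches."""
    txid = rng.getrandbits(16)
    port = rng.randrange(1024, 65536)
    rtxid, rport, rdata = transport(qname, txid, port)
    if rtxid != txid or rport != port:
        return None
    return rdata


def resolve_step(qname: str, transport: Transport, cache: Dict[str, str],
                 rng: Optional[random.Random] = None, copies: int = 2) -> Optional[str]:
    """Resolve one (external, non-cached) step. Under the trigger condition, require
    `copies` independent identical answers; otherwise a single answer suffices.
    Returns the accepted rdata (and caches it), or None if verification fails."""
    rng = rng or random.SystemRandom()
    n = copies if needs_double_check(qname, cache) else 1
    answers: List[Optional[str]] = [query_once(qname, transport, rng) for _ in range(n)]
    if any(a is None for a in answers) or len(set(answers)) != 1:
        return None  # a forged or inconsistent answer set is not cached
    cache[qname] = answers[0]  # type: ignore[assignment]
    return answers[0]


def effective_entropy_bits(port_bits: int = 16, txid_bits: int = 16, copies: int = 2) -> int:
    """An attacker must hit every copy, so the guess space multiplies: bits add up."""
    return (port_bits + txid_bits) * copies


# --- Constructed transports for the demo -------------------------------------

def honest_transport(qname: str, txid: int, port: int) -> Tuple[int, int, str]:
    """Authoritative side that answers consistently."""
    return txid, port, "198.51.100.7"


def make_inconsistent_transport() -> Transport:
    """Two differing answers in a row, as when one of the two responses was forged."""
    answers = iter(["198.51.100.7", "203.0.113.9"])

    def transport(qname: str, txid: int, port: int) -> Tuple[int, int, str]:
        return txid, port, next(answers)
    return transport


def make_counting_transport() -> Tuple[Transport, List[int]]:
    """Wraps honest_transport and counts queries, to show the 2x cost."""
    count = [0]

    def transport(qname: str, txid: int, port: int) -> Tuple[int, int, str]:
        count[0] += 1
        return honest_transport(qname, txid, port)
    return transport, count


if __name__ == "__main__":
    cache = dict(SAMPLE_CACHE)
    transport, count = make_counting_transport()
    print(resolve_step("www.example.com.", transport, cache), "queries:", count[0])  # 2 queries
    print(resolve_step("www.example.org.", transport, cache), "queries:", count[0])  # +1 query
    print("effective bits:", effective_entropy_bits())
```

Note the second query for `www.example.org.` costs one send because no ancestor is cached, which is exactly the scoping in the post: the 2x applies only to uncached names under cached domains, so a resolver can meter that fraction of its traffic to judge the cost before deploying such a rule.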