[dns-operations] Tracking the DNS amplification attacks (was: isprime DOS in progress)

Paul Vixie vixie at isc.org
Sun Jan 25 08:07:32 UTC 2009


> >This is all, however, treating symptoms.  The root cause would be far
> >better fixed with a named patch implementing Chris Paul's recommendation
> >to NANOG back in August:
> 
> You will then have to deal with sites that block TCP port 53.  Using
> stateful connections also requires mitigation against stateful resource
> attacks.

RFC 1035 4.2.2 is just such a stateful resource attack.  there is no way to
protect, nor any reason to depend upon, TCP/53.  the initiator of the session
("client") also initiates close, whereas the responder ("server") has a two
minute timeout.  so anyone who wants a TCP/53 responder to become unavailable
can do it with a one line perl script or a few hundred half-open connections.

the reason nominum's "switch to tcp if you get a QID mismatch" works is just
that nominum isn't popular enough to warrant writing an attack against it.  i
have only the highest respect for the programmers at nominum, but the way the
company is marketing their kaminsky solution is somewhat misleading.  a spoof
attack against a nominum cache can be transformed into a denial-of-service
attack against the containing zone of the attacked name if one cares to do so.
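As an added illustration of the stateful-resource point made in the message above (this is example code added in editing, not code from the thread, from ISC or from Nominum), here is a toy model of a TCP/53 responder with a fixed session table and a two-minute idle timeout: the client is the side that closes, so a client that never closes pins a slot until the responder's own timeout expires it. The table size, the attacker and client rates, and the optional oldest-idle eviction policy are assumptions of the model, not settings of any real nameserver.

```python
# Added example (editorial), not code from the dns-operations thread, ISC or
# Nominum.  Toy model of the TCP/53 stateful-resource attack the message
# describes: the client initiates close, so a client that never closes pins a
# session on the responder until the responder's idle timeout (two minutes,
# RFC 1035 4.2.2) expires it.  Table size, rates and the eviction policy are
# assumptions of the model, not settings of any real nameserver.
import math


class Responder:
    """A responder with a fixed number of TCP session slots.

    Sessions are stored as their expiry times in the order they were opened;
    with a constant idle timeout that order is also expiry order.
    """

    def __init__(self, max_conns, idle_timeout=120, evict_oldest=False):
        self.max_conns = max_conns
        self.idle_timeout = idle_timeout
        # assumed mitigation: when full, drop the oldest idle session instead of refusing
        self.evict_oldest = evict_oldest
        self.sessions = []  # expiry times of sessions the client left open
        self.served = 0     # legitimate queries answered
        self.refused = 0    # legitimate queries turned away (no free slot)

    def _reap(self, now):
        # the responder's timeout is the only thing that closes an abandoned session
        self.sessions = [exp for exp in self.sessions if exp > now]

    def _slot_free(self, now):
        self._reap(now)
        if len(self.sessions) < self.max_conns:
            return True
        if self.evict_oldest:
            self.sessions.pop(0)
            return True
        return False

    def abandoned_connect(self, now):
        """Attacker behaviour: open a session and never close it."""
        if self._slot_free(now):
            self.sessions.append(now + self.idle_timeout)

    def query(self, now):
        """Legitimate behaviour: one query, then the client closes, freeing the slot."""
        if self._slot_free(now):
            self.served += 1
        else:
            self.refused += 1


def simulate(max_conns, attacker_rate, duration, legit_rate=1, evict_oldest=False):
    """Run for `duration` seconds.  Each second, `attacker_rate` abandoned
    connects arrive before `legit_rate` legitimate queries.  Returns
    (served, refused) counted for the legitimate clients only."""
    r = Responder(max_conns, evict_oldest=evict_oldest)
    for t in range(duration):
        for _ in range(attacker_rate):
            r.abandoned_connect(t)
        for _ in range(legit_rate):
            r.query(t)
    return r.served, r.refused


def sustain_rate(max_conns, idle_timeout=120):
    """Abandoned connects per second needed to keep a full table full: each
    slot is recycled only every idle_timeout seconds, so the attacker must
    replace max_conns / idle_timeout expiring sessions per second."""
    return math.ceil(max_conns / idle_timeout)


if __name__ == "__main__":
    print("no attacker:        ", simulate(100, 0, 300))
    print("1 connect/s:        ", simulate(100, 1, 300))
    print("1 connect/s, evict: ", simulate(100, 1, 300, evict_oldest=True))
    print("rate to hold 1000 slots:", sustain_rate(1000), "/s")
```

With a 100-slot table and one abandoned connect per second, the table is full after 100 seconds and every legitimate query from then on is refused; holding even 1000 slots needs only nine connects per second, which is the "few hundred half-open connections" scale the message refers to. The eviction policy looks clean here only because legitimate sessions in this model are instantaneous; a real client still mid-query occupies a slot and can be evicted just as an attacker's session can, and the attacker can simply raise its rate, which is the kind of tradeoff that comes with holding per-client state at all.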



