[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Hauke Lampe lampe at hauke-lampe.de
Fri Jun 24 15:27:45 UTC 2011

On 22.06.2011 16:27, Stephane Bortzmeyer wrote:

> I had the feeling that Roland Dobbins was suggesting to filter on the
> relay (the authoritative name server). This is certainly what I was
> asking for: mitigation techniques, not for the victim, but for me, the
> potential relay.

I don't think authoritative servers can do much against amplification
attacks, except maybe not answering queries for unknown zones instead
of refusing them.

It is a nameserver's job to answer all valid queries as fast as
possible, filling as much of the client's advertised buffer size as
necessary. (That's my opinion, YMMV.)

To make any difference, the attacker's queries must be blocked at all
nameservers for a given zone, often operated by a number of different
parties. From my PoV, the risk of crippling my own service through
mis-communicated filtering requirements outweighs the gain of increasing
the difficulty for an attacker to get decent leverage from my DNS zones
against an anonymous target somewhere on the internet.

FWIW, on my tiny island of the networks, obvious amplification attacks
using authoritative relays are rare and almost all of them use the
easily blocked pattern ". IN NS". So far, nobody took the time to tune
their DoS tools to one of our domains[1].

This week, a new type came up at our open resolvers (serving mobile
Unbound clients with low query load, so any significant abuse is easily
spotted). The new pattern asks for "se. ANY ANY" and is also easy to
block because of the uncommon qtype/qname combination.

I block these frequent attempts with iptables u32 matches without ill
effects so far.


[1] we do have some heavyweights, though:
dig +dnssec +ignore +bufsize=16384 +norec attraktor.org any
;; MSG SIZE  rcvd: 7792
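As an added example (not part of Hauke's post), a small Python matcher that decodes the question section of a raw DNS query and flags the two shapes named in the message, ". IN NS" and "se. ANY ANY"; it is a user-space counterpart of the iptables u32 rules, for use over captured query packets, and the sample queries it is exercised with are constructed here.

```python
import struct

QTYPES = {2: "NS", 255: "ANY"}
QCLASSES = {1: "IN", 255: "ANY"}

# The two query shapes the post describes: ". IN NS" and "se. ANY ANY".
# Tuples are (qname, qtype, qclass); extend the set with other local patterns.
AMPLIFIER_PATTERNS = {(".", "NS", "IN"), ("se.", "ANY", "ANY")}


def parse_question(packet: bytes):
    """Decode the first question of a raw DNS message (RFC 1035 wire format).
    Returns (qname, qtype, qclass); qname is absolute and lower-cased, root is ".".
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        if off >= len(packet):
            raise ValueError("truncated qname")
        length = packet[off]
        if length & 0xC0:  # compression pointers do not belong in a query name
            raise ValueError("label pointer in question name")
        off += 1
        if length == 0:
            break
        labels.append(packet[off:off + length].decode("ascii", "replace").lower())
        off += length
    if off + 4 > len(packet):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return (".".join(labels) + ".", QTYPES.get(qtype, str(qtype)),
            QCLASSES.get(qclass, str(qclass)))


def is_known_amplifier_query(packet: bytes) -> bool:
    """True when the query matches one of the patterns the post blocks."""
    return parse_question(packet) in AMPLIFIER_PATTERNS


def build_query(qname: str, qtype: int, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample query (header + one question) for exercising the matcher."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = [l for l in qname.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + wire + b"\x00" + struct.pack("!HH", qtype, qclass)
```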
