[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
dmiller at tiggee.com
Fri Jun 24 21:20:41 UTC 2011
On 6/24/2011 4:28 PM, David Conrad wrote:
> On Jun 24, 2011, at 8:42 AM, David Miller wrote:
>> However, for rate based attacks against DNS itself, with IPv4 you could see up to ~3 billion possible "valid" (but not really) source addresses... with IPv6... forgetaboutit... The same mechanisms must protect DNS servers against both simultaneously.
> Hmm. I'm not sure I see why a rate limiter would need to keep track of all IP addresses. Wouldn't you only need to keep track of the addresses you responded to during the rate limit period?
Absolutely, typical state tracking would only keep track of the sources
of queries that you received. However, good source address
randomization on the part of an attacker will make every "attack query"
you receive be sourced from a different address.
Take the max qps that you can accept multiplied by your rate limit
period in seconds and that is the number of state entries that you will
need to maintain. Also, keep in mind that DNS requests are *tiny*,
which means that a whole lot of them will fit down your pipes.
As a comparison, routers use special fast memory and ASICs to handle the
routing of packets for a routing table which for IPv4 is currently
> Anyhow, the point is that rate limiting can be helpful in reducing the threat of (some of the) amplification attacks. What's the alternative?
This is indeed the question. A question to which I don't believe we
have a satisfactory answer in current tech - beyond the sledgehammer
tactic of "go big, or go home".
More information about the dns-operations