[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

David Miller dmiller at tiggee.com
Fri Jun 24 21:20:41 UTC 2011


On 6/24/2011 4:28 PM, David Conrad wrote:
> David,
>
> On Jun 24, 2011, at 8:42 AM, David Miller wrote:
>> However, for rate based attacks against DNS itself, with IPv4 you could see up to ~3 billion possible "valid" (but not really) source addresses... with IPv6... forgetaboutit...  The same mechanisms must protect DNS servers against both simultaneously.
> Hmm.  I'm not sure I see why a rate limiter would need to keep track of all IP addresses.  Wouldn't you only need to keep track of the addresses you responded to during the rate limit period?

Absolutely, typical state tracking would only keep track of the sources 
of queries that you received.  However, good source address 
randomization on the part of an attacker will make every "attack query" 
you receive be sourced from a different address.

Take the max qps that you can accept multiplied by your rate limit 
period in seconds and that is the number of state entries that you will 
need to maintain.  Also, keep in mind that DNS requests are *tiny*, 
which means that a whole lot of them will fit down your pipes.

As a comparison, routers use special fast memory and ASICs to handle the 
routing of packets for a routing table which for IPv4 is currently 
~360,000 prefixes.

> Anyhow, the point is that rate limiting can be helpful in reducing the threat of (some of the) amplification attacks. What's the alternative?
>

This is indeed the question.  A question to which I don't believe we 
have a satisfactory answer in current tech - beyond the sledgehammer 
tactic of "go big, or go home".

-DMM
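
Added example, not part of the original message: a simulation of the state-table sizing described above (max qps multiplied by the rate limit period). A per-source limiter is fed the same query rate twice, once from a single address and once with every query from a distinct address. The rate, window and limit are constructed figures, and the class and function names are hypothetical.

```python
import random
from collections import OrderedDict

class PerSourceLimiter:
    """Fixed-window per-source limiter; class and field names are hypothetical."""

    def __init__(self, limit, window):
        self.limit = limit            # responses allowed per source per window
        self.window = window          # window length, in the caller's time unit
        self.state = OrderedDict()    # src -> [window_start, count], oldest first
        self.peak = 0                 # largest number of entries ever held

    def allow(self, src, now):
        # Drop entries whose window has ended; the oldest sit at the front.
        while self.state:
            oldest = next(iter(self.state))
            if now - self.state[oldest][0] < self.window:
                break
            del self.state[oldest]
        entry = self.state.setdefault(src, [now, 0])
        entry[1] += 1
        self.peak = max(self.peak, len(self.state))
        return entry[1] <= self.limit


def simulate(qps, seconds, window_s, limit, pick_source):
    """Feed qps*seconds queries; time is counted in ticks of 1/qps second."""
    rl = PerSourceLimiter(limit, window_s * qps)
    answered = sum(rl.allow(pick_source(i), i) for i in range(qps * seconds))
    return rl.peak, answered


QPS, SECONDS, WINDOW_S, LIMIT = 1000, 10, 5, 5   # constructed figures

# Constructed input 1: every query claims the same source address.
one_source = simulate(QPS, SECONDS, WINDOW_S, LIMIT, lambda i: "192.0.2.1")

# Constructed input 2: every query claims a different source address.
spoofed = random.Random(1).sample(range(2**32), QPS * SECONDS)
many_sources = simulate(QPS, SECONDS, WINDOW_S, LIMIT, lambda i: spoofed[i])

if __name__ == "__main__":
    print("single source : peak state %d, answered %d" % one_source)
    print("unique sources: peak state %d, answered %d" % many_sources)
```

With one source the table holds a single entry and almost every query is refused; with unique sources the table grows to qps times the window and no query is ever refused, because no source reaches the limit.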



