[dns-operations] Limiting DNSSEC-based amplification attacks

Gilles Massen gilles.massen at restena.lu
Tue Jun 28 12:36:20 UTC 2011

On 06/27/2011 11:30 AM, Stephane Bortzmeyer wrote:

>> It is a nameserver's job to answer all valid queries as fast as
>> possible,
> [TLD operator hat firmly on.]

<me too>

> I strongly disagree. An important point of the class of attacks we are
> discussing (and several people seem to have mixed it with other
> classes, such as dDoS targeted toward the name server operator) is
> that the DNS operator is not the target, he is the relay. Thus, it can
> be seen as an _accomplice_ of the attacker. IMHO, the DNS operator has
> the responsibility to do something.

I don't quite agree with that conclusion. First of all, if you are one
accomplice among thousands, there is no compelling reason to fiddle with
your operations, unless you expect it to make a difference. Especially
if you are a TLD. Now I wouldn't have this line of thought as an excuse
for doing nothing, but it is part of a risk/benefit consideration.

Another consideration is that by limiting answers to a specific target
you might be shutting him off from your service. Especially as a TLD
operator this looks very dangerous: it might cause more harm than help
to the victim. Obviously this also depends on your actual role (as in
packets/s) in the attack, but at the end of the day only the victim
knows what would help.

<op hat off>

And finally, in the longer term, I think it sends a wrong message,
leaping to action: the perception of the event shifts from "network
problem" to "DNS problem" because DNS is involved and could do
something. The fact that non-BCP38 ISPs are the root cause, and that DNS
is only the vector of the day gets obfuscated.


Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
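As an added illustration of the collateral-damage point made above (this is not code from the thread or from any nameserver): a simplified per-destination response rate limiter in the spirit of RRL, run over a constructed one-second traffic slice in which spoofed queries and the victim's own resolver both arrive with the victim's address. The addresses and counts are constructed; the "slip" variant (answering some excess with a small TC=1 reply so a genuine resolver can retry over TCP) is a known mitigation that the post itself does not discuss.

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# One response the authoritative server is about to send. "label" is ground
# truth for the simulation only; the server never sees it, because a spoofed
# query and the victim's own query both carry the victim's address as source.
Response = namedtuple("Response", "t dst label")

@dataclass
class PerTargetLimiter:
    """Per-destination response rate limit (simplified RRL-style token count)."""
    per_second: int
    slip: int = 0              # 0: drop all excess; n: answer every n-th excess with TC=1
    seen: dict = field(default_factory=lambda: defaultdict(int))
    excess: dict = field(default_factory=lambda: defaultdict(int))

    def decide(self, r):
        key = (int(r.t), r.dst)  # one-second bucket per destination address
        self.seen[key] += 1
        if self.seen[key] <= self.per_second:
            return "answer"
        self.excess[r.dst] += 1
        if self.slip and self.excess[r.dst] % self.slip == 0:
            return "truncate"    # tiny TC=1 reply: no amplification, real resolver retries over TCP
        return "drop"

VICTIM, OTHER = "192.0.2.10", "198.51.100.7"   # constructed documentation addresses

def sample_traffic():
    """Constructed one-second slice: 200 spoofed responses toward the victim,
    5 queries from the victim's own resolver, 5 from an unrelated client."""
    spoofed = [Response(i / 200, VICTIM, "spoofed") for i in range(200)]
    legit = [Response(0.1 * k + 0.5025, VICTIM, "victim-legit") for k in range(5)]
    other = [Response(0.2 * k + 0.01, OTHER, "other") for k in range(5)]
    return sorted(spoofed + legit + other, key=lambda r: r.t)

def simulate(per_second, slip=0):
    """Return {label: {decision: count}} for the sample traffic."""
    lim = PerTargetLimiter(per_second, slip)
    out = defaultdict(lambda: defaultdict(int))
    for r in sample_traffic():
        out[r.label][lim.decide(r)] += 1
    return {k: dict(v) for k, v in out.items()}

if __name__ == "__main__":
    print(simulate(10))          # victim-legit: every one of its own queries dropped
    print(simulate(10, slip=2))  # some of them now get TC=1 and can retry over TCP
```

With plain dropping, the unrelated client is unaffected but the victim's own resolver gets no answers at all; with slip enabled it at least gets truncated replies it can follow up over TCP.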
