[dns-operations] DNS ANY record queries - Reflection Attacks

Vernon Schryver vjs at rhyolite.com
Tue Sep 11 15:29:33 UTC 2012

> From: Eric Osterweil <eosterweil at verisign.com>

> So, can I just make sure I understand the RRL idea?  If, under
> non-attack circumstances, I get a traffic rate of `r' from a given
> subnet, but an amplification attack sends me `99*r' (causing a total
> traffic rate of `100*r'), then I should rate limit?  So, my back of
> the envelope calculation says that I will reward the attack traffic
> over the non-attack traffic.  That is, if I limit the response rate
> back down to `r', then I will drop 99/100 responses to reach that
> target.  My legitimate client (subnet) has only about a 1/100 chance
> of getting each query answered here (all other response slots are given
> to my adversary)...

That computation might be correct if DNS clients did not retransmit,
if the BIND RRL idea involved only discarding responses,
and if Paul and I proposed dropping 99% of all traffic for a CIDR block.
We advocate none of that.

We propose dropping only identical responses to a given CIDR block
instead of all responses.

The BIND RRL code has a notion of "slip" or responding while rate
limiting with TC=1.  It has a default slip rate of 2, or responding
with TC=1 instead of dropping every other identical response.

A DNS client that retransmits N times to a DNS server that answers
50% with TC=1 of the time will get an answer to 1-(0.5)^N of its
queries.  For N=4, it will get a TC=1 answer 94% of the time.

>                     I think rate limiting is kind of the wrong direction.
> Did I misunderstand some aspect?

What do you think would be the right direction?  Doing nothing is
not acceptable.

We think that rate limiting is only a work around for the failure
of the responsible parties to implement BCP 38 or other effective
mechanisms to stop the abuse they transmit on behalf of their users.
In the distant future we hope it won't be needed.

> Also, when you say, ``shockingly effective,'' how can we measure
> effectiveness, in order to verify the approach?

One way to measure the effectiveness of a defense is to compare the
work the bad guy must do with the benefit to the bad guy.  In this
case, rate limiting at 10 identical responses and using the default
{slip 2;} means that in common scenarios, the amplification is less
than 1.  The bad guy gets less result from a reflection DoS attack
than a direct DoS attack.  Under the circumstances, I think that
is effective.

Vernon Schryver    vjs at rhyolite.com
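A toy model of the slip mechanism and the retry arithmetic discussed in this thread, added here as an illustration and not BIND's own RRL code; the /24 client block, the 10-response limit, the message sizes and the attack volume are assumptions chosen for the example.

```python
# Toy model of RRL "slip" behaviour (constructed example, not BIND code).
# Sizes, the /24 block and the 10-response limit are assumptions.
from collections import defaultdict
from ipaddress import ip_network


class ResponseRateLimiter:
    """Limit *identical* responses per client CIDR block, per time window.

    The first `rate` identical responses to a block are answered normally.
    Past that, every `slip`-th identical response is sent truncated (TC=1,
    so a genuine client retries over TCP) and the rest are dropped."""

    def __init__(self, rate=10, slip=2, prefix_len=24):
        self.rate, self.slip, self.prefix_len = rate, slip, prefix_len
        self.seen = defaultdict(int)    # (block, response) -> count in window
        self.excess = defaultdict(int)  # (block, response) -> count over limit

    def decide(self, src_ip, response):
        block = ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        key = (block, response)
        self.seen[key] += 1
        if self.seen[key] <= self.rate:
            return "answer"
        self.excess[key] += 1
        return "tc" if self.excess[key] % self.slip == 0 else "drop"


def simulate_reflection(n_queries, rate=10, slip=2):
    """n_queries identical ANY queries, spoofed from one /24, in one window.
    Returns how many got a full answer, a TC=1 reply, or nothing."""
    rrl = ResponseRateLimiter(rate, slip)
    tally = {"answer": 0, "tc": 0, "drop": 0}
    for i in range(n_queries):
        # constructed spoofed sources, all inside 192.0.2.0/24 (TEST-NET-1)
        tally[rrl.decide(f"192.0.2.{i % 256}", ("example.com.", "ANY"))] += 1
    return tally


def amplification(tally, query_bytes=64, answer_bytes=3000, tc_bytes=64):
    """Bytes delivered to the spoofed block per byte the sender spent
    (assumed sizes: a large ANY answer versus a query-sized TC=1 reply)."""
    sent = sum(tally.values()) * query_bytes
    delivered = tally["answer"] * answer_bytes + tally["tc"] * tc_bytes
    return delivered / sent


def p_answered(retries, tc_fraction=0.5):
    """Chance that a retransmitting client sees at least one TC=1 reply
    (and so can retry over TCP) within `retries` attempts: 1 - (1-p)^N."""
    return 1 - (1 - tc_fraction) ** retries
```

With 1000 spoofed queries the limiter sends 10 full answers and 495 truncated replies, which under the assumed sizes is an amplification factor just below 1, while a real client retrying four times gets a usable reply 93.75% of the time.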