[dns-operations] DNS ANY record queries - Reflection Attacks

Tue Sep 11 15:35:44 UTC 2012

At least for single to a few domains, authoritative DNS servers, maybe
the "better approach" would be what a previous poster said they were
implementing: "Identifying the anomalies", if it could be fully
automated?

My assumption being that each public facing DNS server would be seeing
some sort of "normal" traffic pattern, that it could recognize as
such. How true is that though? and what would be the exact minimum
information one needs to track to identify anomalies?

Thanks,
Mohamed.

On Tue, Sep 11, 2012 at 10:21 AM, Eric Osterweil
<eosterweil at verisign.com> wrote:
>
> On Sep 11, 2012, at 1:40 AM, Paul Vixie wrote:
>
>> On 2012-09-11 5:36 AM, Mohamed Lrhazi wrote:
>>> Nope. I have not, and am not using BIND unfortunately. But I guess you
>>> are saying: Limit responses to any client to some number per some time
>>> window.
>>>
>>> What would be an appropriate number, per what time window, to be
>>> effective and lesser the chances of false positives?
>>
>> the defaults are round numbers (10 similar responses per second per v4
>> /24 or v6 /56, keep history for five seconds) and are shockingly
>> effective. Important Note: it's not responses per client, but rather,
>> responses per client network per response type, that must be limited.
>> you can't do the right thing in a firewall or other in-path device, you
>> get too many false negatives and false positives that way. the proposed
>> response is how you bucketize safely.
>>
>> i'll be happy to describe DNS RRL to your non-BIND implementor if they
>> want to know more about it. it's totally open, both the concept and the
>> implementation in C for BIND are BSD-licensed.
>
>
> Hey all, I think it's great that we are rallying (as a community) to find ways to address these DNS-based DDoS attacks, but I'm a little worried about this specific way we are proposing to do it.  That is, I think I either don't understand RRL, or I _do_ understand it, and worry about the correctness of the overall approach.
>
> So, can I just make sure I understand the RRL idea?  If, under non-attack circumstances, I get a traffic rate of `r' from a given subnet, but an amplification attack sends me `99*r' (causing a total traffic rate of `100*r'), then I should rate limit?  So, my back of the envelope calculation says that I will reward the attack traffic over the non-attack traffic.  That is, if I limit the response rate back down to `r', then I will drop 99/100 responses to reach that target.  My legitimate client (subnet) has only about a 1/100 chance of getting each query answered here (all other response slots are given to my adversary)... I think rate limiting is kind of the wrong direction.  Did I misunderstand some aspect?
>
> Also, when you say, ``shockingly effective,'' how can we measure effectiveness, in order to verify the approach?
>
> Thanks,
>
> Eric
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs