[dns-operations] DoS with amplification: yet another funny Unix script
Tony Finch
dot at dotat.at
Wed Sep 12 11:08:34 UTC 2012
Vernon Schryver <vjs at rhyolite.com> wrote:
> Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>
> > The tuple <mask(IP), imputed(NAME), errorstatus> is used to select a
> > state blob. In the amplification attacks on our authoritative servers we
> > see only valid requests without duplication, [...]
>
> > Thus, it may take some time until the attacker starts with domain1.com
> > again. If I understand the Responder Behavior correctly, this would mean
> > that filtering is never triggered if a domain is not queried
> > RESPONSES-PER-SECOND times per second. Or am I missing something here?
>
> I'm not sure I understand. If that points out that an attack that is
> too diffuse to be noticed by the BIND RRL code might be noticed by a
> firewall rule, then I agree. I'd also say that can be seen as a feature
> instead of a defect, because during less diffuse attacks, legitimate
> requests from the forged CIDR block will still be answered.
I don't think "diffuse" is the right word - this kind of attack can be
very intense. If you have a large domain signed with NSEC it's trivial for
an attacker to enumerate the domain, and RRL will not treat this as an
attack. Or if you are a large scale DNS hosting provider the attacker can
get a list of domains you host from copies of TLD zones. Having got a list
of names, the attacker can then reflect lots of traffic via your server
which will be treated as OK by RRL.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
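To make the point above concrete, here is an added illustration (not from the thread, and not BIND's RRL code) that models the <mask(IP), imputed(NAME), errorstatus> bucket with an assumed limit of 5 responses per second and a /24 mask, then contrasts it with an aggregate per-prefix count that a firewall or log monitor could apply. The traffic samples are constructed.

```python
from collections import defaultdict
from ipaddress import ip_network

# Simplified model of the RRL state tuple: responses are counted per
# <mask(IP), imputed(NAME), errorstatus> per one-second window.
# Assumed parameters for the illustration, not BIND defaults:
RESPONSES_PER_SECOND = 5
PREFIX_LEN = 24  # mask(IP) for IPv4 clients


def mask_ip(addr: str) -> str:
    """Collapse a client address to its /PREFIX_LEN network, like mask(IP)."""
    return str(ip_network(f"{addr}/{PREFIX_LEN}", strict=False))


def rrl_simulate(responses):
    """responses: iterable of (second, client_ip, qname, errorstatus).
    Returns (answered, dropped) under the per-tuple limit."""
    buckets = defaultdict(int)
    answered = dropped = 0
    for sec, ip, qname, status in responses:
        key = (sec, mask_ip(ip), qname.lower(), status)
        buckets[key] += 1
        if buckets[key] > RESPONSES_PER_SECOND:
            dropped += 1
        else:
            answered += 1
    return answered, dropped


def prefix_rate_alert(responses, threshold):
    """Complementary check independent of qname: total responses per source
    prefix per second. Returns the prefixes exceeding the threshold."""
    per_prefix = defaultdict(int)
    for sec, ip, _qname, _status in responses:
        per_prefix[(sec, mask_ip(ip))] += 1
    return sorted({p for (_s, p), n in per_prefix.items() if n > threshold})


# Constructed samples: 200 responses to one spoofed client prefix in one second.
SPOOFED = "192.0.2.77"
# Same name repeated: the tuple bucket fills and RRL drops the excess.
SAME_NAME = [(0, SPOOFED, "example.test", "NOERROR")] * 200
# Many distinct names (as an enumerated zone yields): every tuple stays
# under the limit, so RRL answers all of them.
MANY_NAMES = [(0, SPOOFED, f"host{i}.example.test", "NOERROR") for i in range(200)]

if __name__ == "__main__":
    print("same name   :", rrl_simulate(SAME_NAME))      # (5, 195)
    print("many names  :", rrl_simulate(MANY_NAMES))     # (200, 0)
    print("prefix alert:", prefix_rate_alert(MANY_NAMES, 100))
```

The per-prefix count flags the second case that the per-tuple limit lets through, which is the distinction between RRL and a firewall rule that the thread is drawing.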