[dns-operations] DoS with amplification: yet another funny Unix script

Vernon Schryver vjs at rhyolite.com
Wed Sep 12 13:47:01 UTC 2012


> From: Tony Finch <dot at dotat.at>

> I don't think "diffuse" is the right word - this kind of attack can be
> very intense. 

Agreed, it's only diffused among qnames and qtypes.

>               If you have a large domain signed with NSEC it's trivial for
> an attacker to enumerate the domain, and RRL will not treat this as an
> attack. Or if you are a large scale DNS hosting provider the attacker can
> get a list of domains you host from copies of TLD zones. Having got a list
> of names, the attacker can then reflect lots of traffic via your server
> which will be treated as OK by RRL.

It would be easy to change the RRL patch to have yet another optional
rate limit counting all non-error responses to an IP address block
as if they were the same.

It would have some negative aspects:

  1. Under that kind of attack, the TC=1 "slipping" is worse than useless,
    and so it would not trigger the TC=1 responses.

  2. Targets of the reflection attack would get no DNS service at all
    unless they magically know to switch to TCP.

  3. One can argue that this kind of defense belongs in a firewall
    that understands nothing about DNS except rate limiting based
    on source IP address and destination port 53.

  4. It would double the memory spent on counting responses.
    The amount of memory required to count responses on very busy
    (10K or 100K qps) DNS servers has always been a concern.
    It is why the RRL patch saves a 4-byte hash of the qname instead
    of using a 256-byte block (or worse, dynamically allocating space
    for each qname).  However, it's only a factor of 2.

I use the argument of #3 to respond to observations about the high
costs of DNS/TCP and objections to TC=1 slipping.  At sufficiently
high rates, a DNS/TCP DoS attack looks like TCP SYN flooding.  TCP SYN
flooding is commonly handled without bothering the application and
without allocating or timing-out a TCB in either the kernel or a
firewall.


Vernon Schryver    vjs at rhyolite.com


