[dns-operations] DNS ANY record queries - Reflection Attacks

Matthew Pounsett matt at conundrum.com
Thu Sep 13 00:15:01 UTC 2012

On 2012/09/12, at 15:44, Eric Osterweil wrote:

> OK, this is beginning to become clearer... But I have to admit, this still seems worrisome to me.  If you drop 50% of legit traffic (a generous assumption as it assumes a uniform distribution, which is not established by any of the analysis I have seen), and the other 50% (that you service as TC-bit mini-responses) comes back to you as TCP.  Thus, you have taken your own processing requirements way up (as your clients will now all hit you over TCP instead of UDP).

Are you perhaps thinking that when rate limiting gets applied, it is applied uniformly to all queries from a particular source address?  It isn't, as I understand it.  Rate limiting is applied by response: a well-behaved client isn't going to be sending hundreds of queries for the same information, let alone thousands.  If the one query every TTL that it sends is truncated, it will resend via TCP, and that will be okay.

When a real client is sending periodic legitimate queries, while a spoofed source is sending thousands of queries per second for whatever query they happen to be using as an attack, the real client will only be rate limited if it happens to query for the same data that the attacker is querying for, and a single TCP query is all it will take to get around the rate limiting.

I'm unable to see where the potential is for high (or even measurable) false positive rates.
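As an added illustration of the per-response rate limiting discussed above (this is a constructed toy model, not code from the list or from BIND/NSD), the simulation below keys the limit on (client /24, response identity) and slips a TC=1 reply every second over-limit query; the limits, slip ratio and addresses are assumptions.

```python
# Added toy model of DNS Response Rate Limiting (RRL): not BIND/NSD code.
# RRL is keyed by (client /24, response identity), so only the spoofed victim
# prefix asking for the flooded data is affected; limits and IPs are constructed.
from collections import defaultdict
from ipaddress import ip_network

class RRL:
    def __init__(self, responses_per_second=5, slip=2):
        self.limit = responses_per_second   # identical responses per prefix per second
        self.slip = slip                    # every Nth over-limit query gets TC=1, not a drop
        self.sent = defaultdict(int)        # (prefix, qname, qtype) -> responses this second
        self.over = defaultdict(int)        # (prefix, qname, qtype) -> over-limit queries

    def decide(self, src_ip, qname, qtype, tcp=False):
        """Return 'answer', 'truncate' or 'drop' for one incoming query."""
        if tcp:
            return "answer"   # TCP handshake validated the source; RRL does not apply
        prefix = str(ip_network(f"{src_ip}/24", strict=False))
        key = (prefix, qname.lower(), qtype.upper())
        self.sent[key] += 1
        if self.sent[key] <= self.limit:
            return "answer"
        self.over[key] += 1
        if self.slip and self.over[key] % self.slip == 0:
            return "truncate"  # tiny TC=1 reply: a real client retries over TCP
        return "drop"

def simulate():
    """One second of traffic: a spoofed ANY flood plus legitimate lookups."""
    rrl = RRL()
    victim = "203.0.113.9"   # address the attacker forges as source (constructed)
    flood = [rrl.decide(victim, "example.net.", "ANY") for _ in range(1000)]
    out = {
        "flood_answered": flood.count("answer"),    # only the first 5 full replies
        "flood_truncated": flood.count("truncate"), # small TC replies, little amplification
        "flood_dropped": flood.count("drop"),
    }
    # Another resolver asking for different data is untouched.
    out["other_data"] = rrl.decide("198.51.100.7", "www.example.org.", "A")
    # Same data as the flood but from a different /24: also untouched.
    out["other_prefix"] = rrl.decide("198.51.100.7", "example.net.", "ANY")
    # The real resolver behind the victim address, asking for the flooded data,
    # is limited, but a slipped TC reply makes it retry over TCP, which succeeds.
    out["victim_udp"] = rrl.decide(victim, "example.net.", "ANY")
    out["victim_tcp"] = rrl.decide(victim, "example.net.", "ANY", tcp=True)
    return out

if __name__ == "__main__":
    print(simulate())
```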
