[dns-operations] correction about RRL leakage
vjs at rhyolite.com
Wed Sep 26 18:40:00 UTC 2012
> From: glen wiley <glen.wiley at gmail.com>
> This seems like a degenerate case to me...there is a threshold below which
> are no longer meaningful. For most name servers I suspect that an attack
> is only interesting at some rate well above 10's of qps.
The DNS RRL is less about defending a DNS server than the victims of
the server. Only small or at most modest DoS attacks on a name server
would be helped by dropping responses. One of the most effective
families of DoS attacks against a name server is explicitly not addressed
by the DNS RRL code. (There's no profit in enumerating attacks against
DNS servers themselves or flogging their details here.)
DNS RRL is mostly about mitigating DNS amplified reflection attacks
in which an attacker bounces packets off DNS servers toward the
real target and the DNS servers reflect or send many more bits
toward the real target than they receive from the attacker.
For example, a request for a DNSSEC validated A record for asdf.isc.org
from a recursive resolver sends about 14 times as many bytes (~700)
toward the supposed source than were in the original request (~50).
> As a name server operator not only am I not likely to see anything odd in
> an attack like that, I really don't have the time or inclination to care
> about volumes in that
My DNS servers are certainly not what I'd call busy, but I'd probably
not notice an extra 100 qps for days. However, a bad guy could send
each of 1000 DNS servers 100 41-byte queries forged from 10.2.3.4 per
second for a total of 32 Kbit/sec. Each of those requests would
normally result in about 700 to more than 2000 bytes depending on the
query. 10.2.3.4 would see 0.6 Gbit/sec to 1.6 Gbit/sec.
A discouraging fact is that rate limiting doesn't help if the bad guy
uses a list of 100,000 or 1,000,000 servers and only 1 or 0.1 forged
query/sec. The only hope is that by the time the bad guys get smart
and ambitious enough to use millions of reflectors, BCP38 will be so
common that the sending systems can be found and quenched.
Vernon Schryver vjs at rhyolite.com
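The two scenarios in the message above (1000 reflectors at 100 forged qps each, versus 100,000 reflectors at 1 qps or 1,000,000 at 0.1 qps) are worked through below in a small model. This is an added example, not code from the post or from any RRL implementation: the limiter is a simplified fixed one-second window with a "slip" truncated reply, not BIND's RRL algorithm, and the 41-byte query, 700-byte response and 10.2.3.4 victim are the post's figures; the 60-byte slip reply size and the reflector name "asdf.isc.org" with qtype A are assumptions. Run as written it prints that the attacker's outlay for the first scenario comes to about 33 Mbit/sec of forged queries, that RRL cuts the 560 Mbit/sec the victim would otherwise see down to roughly 51 Mbit/sec, and that for the spread-out scenarios RRL changes nothing because no single reflector ever exceeds its per-second limit.

```python
"""Model of DNS reflection amplification against a simplified per-bucket
response rate limiter.  Constructed example: figures come from the
mailing-list post; the limiter is a generic fixed-window model, not BIND RRL."""
from collections import defaultdict
from dataclasses import dataclass

QUERY_BYTES = 41          # forged query size from the post
RESPONSE_BYTES = 700      # low end of the DNSSEC response sizes in the post
SLIP_BYTES = 60           # ASSUMED size of a truncated (TC=1) "slip" reply
REFLECTOR_QNAME = "asdf.isc.org"   # ASSUMED name the forged queries ask for


def amplification(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker has to send."""
    return response_bytes / request_bytes


class FixedWindowRRL:
    """Simplified response rate limiter (not BIND's exact algorithm).

    Responses are bucketed by (client, qname, qtype, one-second window).
    Each bucket may send `rps` full responses per window; further responses
    are dropped, except that every `slip`-th dropped one goes out as a small
    truncated reply so a genuine client can retry over TCP.
    """

    def __init__(self, rps: int, slip: int = 2):
        self.rps = rps
        self.slip = slip
        self.sent = defaultdict(int)     # bucket -> full responses this window
        self.dropped = defaultdict(int)  # bucket -> drops this window

    def respond(self, client: str, qname: str, qtype: str, now: float,
                full_bytes: int) -> int:
        """Return the number of bytes that leave the server for this query."""
        key = (client, qname, qtype, int(now))
        if self.sent[key] < self.rps:
            self.sent[key] += 1
            return full_bytes
        self.dropped[key] += 1
        if self.slip and self.dropped[key] % self.slip == 0:
            return SLIP_BYTES        # truncated reply: no amplification
        return 0                      # silently dropped


@dataclass
class Result:
    attacker_bps: float        # total forged-query traffic the attacker sends
    victim_bps_no_rrl: float   # what the victim sees with no rate limiting
    victim_bps_rrl: float      # what the victim sees with RRL on every reflector


def reflect(num_servers: int, qps_per_server: float, rps_limit: int,
            duration: float = 1.0, victim: str = "10.2.3.4") -> Result:
    """Model `num_servers` identical open reflectors, each receiving
    `qps_per_server` forged queries for the same name "from" `victim`.

    Every reflector sees the same stream and decides independently, so one
    reflector is simulated and the byte counts are scaled by `num_servers`.
    """
    queries = int(round(qps_per_server * duration))
    rrl = FixedWindowRRL(rps_limit)
    to_victim = 0
    for i in range(queries):
        now = i / qps_per_server              # spread the queries evenly in time
        to_victim += rrl.respond(victim, REFLECTOR_QNAME, "A", now, RESPONSE_BYTES)

    def bits_per_sec(nbytes: int) -> float:
        return nbytes * 8 * num_servers / duration

    return Result(
        attacker_bps=bits_per_sec(queries * QUERY_BYTES),
        victim_bps_no_rrl=bits_per_sec(queries * RESPONSE_BYTES),
        victim_bps_rrl=bits_per_sec(to_victim),
    )


if __name__ == "__main__":
    print(f"amplification of a ~50-byte query into a ~700-byte answer: "
          f"{amplification(50, 700):.1f}x")
    scenarios = [("1000 reflectors, 100 qps each", reflect(1000, 100, rps_limit=5)),
                 ("100,000 reflectors, 1 qps each", reflect(100_000, 1, rps_limit=5)),
                 ("1,000,000 reflectors, 0.1 qps each",
                  reflect(1_000_000, 0.1, rps_limit=5, duration=10))]
    for label, r in scenarios:
        print(f"{label}: attacker {r.attacker_bps/1e6:.1f} Mbit/s, victim "
              f"{r.victim_bps_no_rrl/1e6:.0f} Mbit/s without RRL, "
              f"{r.victim_bps_rrl/1e6:.0f} Mbit/s with RRL")
```

The per-bucket limit is what makes the spread-out attack immune: a reflector that receives one forged query per second for a name never has more than one response in any window, so a limit of five responses per second is never reached and every response is sent in full. Raising the limit does not help either, since the attacker controls the per-reflector rate; only stopping the forged packets at their source (BCP38) removes the amplification.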