[dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?
ogud at ogud.com
Thu Sep 27 16:23:12 UTC 2012
While reading the many postings on how to "slow down" reflection attacks
from DNS responders (i.e. authoritative, recursive and forwarding
I noticed a few comments of the kind "by doing X you make Y possible" or
"by doing Z you hurt innocent W" .
Usually when this happens in a debate that reflects a partial/non-shared
understanding of the problem.
Below is a draft list of different kinds of DoS attacks using DNS that
have been mentioned and implementers should be aware of so we can have a
civilized productive discussion.
a) Traffic Reflection attack: in this case attacker hides his attack by
forging the source address to be in the address
range of the victim, the intent is to flood the victim's pipes to the
extent that no useful traffic gets through.
There are many variants of this attack and most of the time DNS is only
used because it is a good traffic amplifier
b) DNS responder resource starvation: in this attack the actual target
severs are flooded with traffic to the extent they can not keep up or
the network links get overwhelmed. This may use both forged and non
c) DNS Reputation attack: in this case forged traffic is used to trick a
"traffic cop" to mark a good DNS entity BAD, thus have legitimate
traffic from the victim throttled/blocked.
Unfortunately by trying to mitigate a) and/or b) we are making c) more
plausible thus any defensive mechanism must take that into account.
Having said this in general I think having more than one defensive
mechanism is a good thing thus we should be encouraging debate about
different solutions/techniques and how to improve them.
Similarly we should think about approaches that operators/implementors
can take to limit their vulnerability
i.e. prove they are good players with a traffic pattern that looks
An example in of possible policy: (not advocating without more evidence
If a traffic reducer turns on TC bit in its responses, then if no
TCP connection is completed during the next N seconds,
the reducer can go to full drop mode.
More information about the dns-operations