[dns-operations] How many kinds of DNS DoS attacks are we trying to stop?
Olafur Gudmundsson
ogud at ogud.com
Thu Sep 27 16:23:12 UTC 2012
While reading the many postings on how to "slow down" reflection attacks
from DNS responders (i.e. authoritative, recursive and forwarding
servers), I noticed a few comments of the kind "by doing X you make Y
possible" or "by doing Z you hurt innocent W".
Usually when this happens in a debate, it reflects a partial/non-shared
understanding of the problem.
Below is a draft list of the different kinds of DoS attacks using DNS that
have been mentioned and that implementers should be aware of, so we can
have a civilized, productive discussion.
a) Traffic reflection attack: in this case the attacker hides his attack by
forging the source address to be in the address range of the victim; the
intent is to flood the victim's pipes to the extent that no useful
traffic gets through.
There are many variants of this attack, and most of the time DNS is only
used because it is a good traffic amplifier and/or reflector.
b) DNS responder resource starvation: in this attack the actual target
servers are flooded with traffic to the extent that they can not keep up
or the network links get overwhelmed. This may use both forged and
non-forged messages.
c) DNS reputation attack: in this case forged traffic is used to trick a
"traffic cop" into marking a good DNS entity BAD, thus having legitimate
traffic from the victim throttled/blocked.
(probably more)
Unfortunately, by trying to mitigate a) and/or b) we are making c) more
plausible, so any defensive mechanism must take that into account.
Having said this, in general I think having more than one defensive
mechanism is a good thing, so we should be encouraging debate about
different solutions/techniques and how to improve them.
Similarly, we should think about approaches that operators/implementors
can take to limit their vulnerability, i.e. prove they are good players
with a traffic pattern that looks suspicious.
An example of a possible policy (not advocating it without more evidence
and research):
If a traffic reducer turns on the TC bit in its responses, then if no
TCP connection is completed during the next N seconds,
the reducer can go to full drop mode.
Olafur
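The TC-bit fallback policy sketched in the post, written out as a per-source state machine so the two cases it separates can be traced: a forged reflection source never completes a TCP retry and ends up dropped, while a real client that retries over TCP stays served. This is an added example, not code from the post or from any nameserver; the limit of 3 UDP answers per 10-second window, N = 5 seconds, and the two addresses are constructed assumptions.

```python
from dataclasses import dataclass
NORMAL, TRUNCATE, DROP = "normal", "truncate", "drop"
@dataclass
class SourceState:
    mode: str = NORMAL
    window_start: float = 0.0   # start of the current UDP counting window
    udp_count: int = 0          # UDP queries seen in that window
    truncated_at: float = 0.0   # when we first answered with TC=1
    tcp_seen: bool = False      # a TCP query completed since truncation
class TcFallbackReducer:
    """Per source: answer -> TC=1 once over the UDP limit -> drop if no TCP retry in N s."""
    def __init__(self, udp_limit=3, window=10.0, tcp_wait=5.0):   # assumed policy values
        self.udp_limit, self.window, self.tcp_wait = udp_limit, window, tcp_wait
        self.sources = {}
    def on_udp_query(self, src, now):
        """Return 'answer', 'tc' (truncated reply) or 'drop' for a UDP query."""
        st = self.sources.setdefault(src, SourceState(window_start=now))
        if st.mode == DROP:
            return "drop"
        if now - st.window_start >= self.window:      # new counting window
            st.window_start, st.udp_count = now, 0
            if st.mode == TRUNCATE and st.tcp_seen:   # proven reachable, resume UDP
                st.mode = NORMAL
        st.udp_count += 1
        if st.mode == NORMAL:
            if st.udp_count <= self.udp_limit:
                return "answer"
            st.mode, st.truncated_at, st.tcp_seen = TRUNCATE, now, False
            return "tc"
        if not st.tcp_seen and now - st.truncated_at >= self.tcp_wait:
            st.mode = DROP                            # the post's "full drop mode"
            return "drop"
        return "tc"
    def on_tcp_query(self, src, now):
        """A completed TCP query shows src really receives what we send it."""
        st = self.sources.setdefault(src, SourceState(window_start=now))
        if st.mode == DROP:
            return "drop"
        st.tcp_seen = True
        return "answer"
def actions(events, **policy):
    """events: (time, src, 'udp'|'tcp') -> the reducer's action for each event."""
    r = TcFallbackReducer(**policy)
    return [r.on_udp_query(s, t) if k == "udp" else r.on_tcp_query(s, t) for t, s, k in events]
# Constructed traffic: 192.0.2.10 plays a forged (reflection) source that never
# retries over TCP; 198.51.100.7 is a real client that does.
SPOOFED_EVENTS = [(t, "192.0.2.10", "udp") for t in (0, 1, 2, 3, 4, 9, 9.5)]
GENUINE_EVENTS = [(t, "198.51.100.7", k) for t, k in
                  ((0, "udp"), (1, "udp"), (2, "udp"), (3, "udp"), (4, "tcp"), (9, "udp"), (11, "udp"))]
```

Note that a genuine client that is still being truncated at the window boundary is only returned to plain UDP service because its TCP retry was seen; how long a source stays in drop mode is left open by the post and is not modelled here.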