[dns-operations] First experiments with DNS dampening to fight amplification attacks

Dan Luedtke mail at danrl.de
Fri Sep 28 07:17:42 UTC 2012

Hi everyone,

I recently read about Lutz' attempt to implement dampening in bind. Some
people pointed at the flaws and possible DoS of dampening. I'd like to
contribute to the discussion. 

Lutz wanted to be as compatible with current DNS as possible, and
therefore he introduced no new protocols or other techniques. I like
this very much, but allow me to think of an _optional_ addition at
protocol-level (read: misusing TXT records once again).

At first all works the same as Lutz suggested. Then we reach the point
when a legitimate address gets blocked.
One part of the problem is that spoofed addresses won't lead back to
where their packets came from. If we are able to detect a packet going
the wrong way, we can be sure the previous blocking was OK and continue
to block. Otherwise we have to remove the address (or even whitelist it
for a while), because we are blocking legitimate queries.

When an IP address is blocked, we still answer to it, but only once[1].
Regardless of what the query is, we answer:

	TXT "temporary_blocked <challenge_1> <challenge_2>"

The legitimate packet will travel to the destination resolver, the
resolver XORs (or any other kind of magic happens) the two challenges
and queries again:

	AAAA <XOR-result>.removal-request.whatever.arpa

Then we remove the address, because it proved to be able to traverse
the net as supposed. Even better: Use DNS-Cookies once the IP has so
many bad points that it will be blocked soon.[2]

Thus we can dampen DNS-amplifying attacks but still provide a method
for legitimate servers to remove themselves from the blocklist once they
are on it.

challenge_1 and challenge_2 may be computed by a private key and the
blocked IP address, so similar to SYN-Cookies we don't have to allocate
memory for it. Private Key must be the same on all Anycast instances :/

Please review this and make suggestions.

I am working on another idea regarding IPv6, something I call
gradient-prefix-blocking for the moment, but I haven't done the math
yet. It may explode in memory.



[1] Maybe more, e.g. three times, but then we have to allocate memory
for the counter.
[2] http://www.ietf.org/proceedings/67/slides/dnsext-0/dnsext-0.ppt

PS: I wasn't able to hijack the thread because I did not find the
correct message-id on gmane and other archives. Sorry!
Dan Luedtke
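
The stateless challenge described in the message above, sketched in Python as an added example; it is not part of the original post or of any BIND patch. HMAC-SHA256, the 8-byte challenge size, hex encoding, the 5-minute epoch, the demo key and all function names are assumptions; only the TXT format and the removal-request name come from the post.

```python
import hashlib
import hmac
import ipaddress

# Assumptions, not from the post: HMAC-SHA256, 8-byte hex challenges, 5-minute epoch.
ZONE = "removal-request.whatever.arpa"  # name used in the post
EPOCH_SECONDS = 300
DEMO_KEY = b"constructed-demo-key"  # must be identical on all anycast instances


def challenges(key, ip, epoch):
    """Derive both challenges from key + client IP; nothing is stored."""
    base = epoch.to_bytes(8, "big") + ipaddress.ip_address(ip).packed
    c1 = hmac.new(key, b"\x01" + base, hashlib.sha256).digest()[:8]
    c2 = hmac.new(key, b"\x02" + base, hashlib.sha256).digest()[:8]
    return c1, c2


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocked_reply(key, ip, now):
    """TXT payload the server sends once to a blocked address."""
    c1, c2 = challenges(key, ip, int(now) // EPOCH_SECONDS)
    return f"temporary_blocked {c1.hex()} {c2.hex()}"


def removal_qname(txt):
    """Resolver side: combine the two challenges into the follow-up query name."""
    tag, c1, c2 = txt.split()
    if tag != "temporary_blocked":
        raise ValueError("not a dampening challenge")
    return f"{xor(bytes.fromhex(c1), bytes.fromhex(c2)).hex()}.{ZONE}"


def verify_removal(key, ip, qname, now):
    """Server side: recompute the label for the source IP (this or previous epoch)."""
    label, _, zone = qname.rstrip(".").lower().partition(".")
    if zone != ZONE:
        return False
    try:
        got = bytes.fromhex(label)
    except ValueError:
        return False
    epoch = int(now) // EPOCH_SECONDS
    return any(hmac.compare_digest(got, xor(*challenges(key, ip, e)))
               for e in (epoch, epoch - 1) if e >= 0)
```

A spoofed source never sees the TXT answer, so it cannot produce the label that `verify_removal` recomputes for that address.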
