[dns-operations] First experiments with DNS dampening to fight amplification attacks

Vernon Schryver vjs at rhyolite.com
Fri Sep 28 15:59:46 UTC 2012


> From: =?ISO-8859-1?Q?Matth=E4us_Wander?= <matthaeus.wander at uni-due.de>

> > Hmmm for authoritative servers, we might also emit a CNAME "challenge".=

> > We could encode the encrypt the correct destination in the CNAME, for A=
>  and
> > AAAA this is trivial. If you come back to resolve
> > encoded-12.32.43.43.attackeddomain.com, you get 12.32.43.43 etc.

> There has been recently a patent granted with this method:
> http://www.freepatentsonline.com/8261351.html
>
> Though they don't use it do decide about blocking,

Is that because converting a reflected flood of DNSSEC signed
responses to a reflected flood of DNSSEC signed challenge CNAMEs
is not an impressive defense for DNS reflection attacks?

Never mind that packet losses during an attack can increase and so
doubling the number of packets that must succeed for a legitimate
DNS/UDP transaction is unlikely to be helpful.


>                                                    but use the CNAME
> challenge on every query, still providing a small amplification. This
> comes at the risk of running into resolver issues with NS or MX records..=

and resolver CPU loads for DNSSEC signatures for all of those
synthetic challenge CNAMES during an attack.


Vernon Schryver    vjs at rhyolite.com



More information about the dns-operations mailing list