[dns-operations] responding to spoofed ANY queries

Mark Andrews marka at isc.org
Thu Jan 10 20:59:00 UTC 2013


In message <FBDEA1F1-C2EA-49BD-BC4B-227B997B8001 at rfc1035.com>, Jim Reid writes:
> On 10 Jan 2013, at 17:39, Matthew Ghali <mghali at snark.net> wrote:
> 
> > So if I understand correctly, the solution you are advocating is to 
> > only answer non-spoofed queries?
> 
> It's one of them, yes. Though since it's hard for a DNS server to 
> distinguish between spoofed and genuine source IP addresses, the RRL 
> patch is the easiest way to get the same effect. Your server would then 
> respond to a teeny fraction of the thousands of queries per second from 
> the same (forged) IP address(es). Further measures will be necessary, 
> especially if/when the characteristics of the current attacks change to 
> make them less amenable to RRL dampening.
> 
> Sadly, there is no magic bullet which will solve this problem. A bunch of 
> countermeasures and defences are needed, some of which will be outside 
> the realm of network operations or the DNS protocol. This should not be 
> news to anyone here.

As far as I can tell there is no way to stop reflection attacks as
long as ISPs allow spoofed traffic to enter their networks.  The
attackers will just go broad spectrum (millions of reflectors) and
no single reflector will be able to see that it is part of an attack.
It is possible to detect current reflection attacks and mitigate
them using RRL but this is only a stop-gap measure which causes the
attackers to choose different reflectors.

What we can do is turn off amplification attacks.  We know a number of
methods of how to do this. 

* set TC=1 on all UDP query replies and force the client to TCP. 
* do a handshake over UDP before sending amplified replies.
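The first bullet in working form, as an added example that is not code from this message or from ISC: a small Python sketch that parses a UDP query, echoes only its question back with TC=1 and an empty answer, and computes the resulting amplification ratio (names such as `truncated_reply` and the example.com query are the example's own choices).

```python
import struct

QTYPE_ANY = 255

def parse_question(msg):
    """Parse a one-question DNS message; return (id, flags, qname, qtype, qclass, question_bytes)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer not allowed in question name")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    return txid, flags, ".".join(labels) + ".", qtype, qclass, msg[12:off]

def truncated_reply(query):
    """Reply to a UDP query with QR=1, TC=1 and no RRs, so the client retries over TCP.
    Applied to every UDP query here (as the message proposes); a server could instead
    apply it only to ANY queries or to answers larger than the query."""
    txid, flags, _name, _qt, _qc, question = parse_question(query)
    rflags = 0x8000 | (flags & 0x7800) | 0x0200 | (flags & 0x0100)  # QR, OPCODE, TC, RD
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + question  # EDNS OPT from the query is deliberately not echoed

def build_query(qname, qtype, txid=0x1234, qclass=1):
    """Construct a plain RD=1 query for the example (constructed sample input)."""
    out = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, qclass)

def amplification(query, reply):
    """Bytes sent to the (possibly spoofed) source per byte received."""
    return len(reply) / len(query)

if __name__ == "__main__":
    q = build_query("example.com.", QTYPE_ANY)
    r = truncated_reply(q)
    print("amplification factor:", amplification(q, r))
```

Because the reply never carries more than the question section, the factor is at most 1.0, which removes the reflector's usefulness regardless of which name or type is asked for.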

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


