[dns-operations] DNS amplification attacks in draft-ietf-savi-threat-scope-08

Danny McPherson danny at tcb.net
Fri May 24 13:32:09 UTC 2013


Good catch Stephane, comments below..

On 2013-05-16 01:44, Stephane Bortzmeyer wrote:
> IETF document
> 
> <http://www.rfc-editor.org/internet-drafts/draft-ietf-savi-threat-scope-08.txt>
> (approved by IESG and currently in the RFC Editor Queue) contains:
>
>>   DNS is one of the common targets of such attacks.  The
>>   amplification factor observed for attacks targeting DNS root and
>>   other top level domain name infrastructure in early 2006 was on
>>   the order of 76:1.

I'm not sure where the 76:1 came from at the time (phew, this I-D has
been around a long time) and I agree a reference sure would be helpful.
I _think_ what it was meant to capture was the attacks and vector
conveyed in S2.3 et al. here:

<http://www.verisign.com/static/037903.pdf>

> Two things puzzle me: I'm not sure of what attack they are referring
> to since there is no reference in the RFC. Is it the one discussed in
> the "DNS deluge for x.p.ctrc.c" thread on the NANOG mailing list in
> February 2006?

I don't believe so.  I believe it was the one referenced above but 
we're talking about ~72:1 rather than 76:1.

> And the second is the mentioned amplification factor. All the DNS
> servers I know limit the size of the UDP answer to 4 096 bytes, 4 144
> with the IPv4 and UDP headers. A factor of 76:1 needs requests smaller
> or equal to 54 bytes, which leaves only SIX bytes for the DNS
> message... How did they reach this number?

Fortunately, it's been sitting on the AUTH48 publication ack email for 
a bit so I don't think it's too late to correct the number and add a 
reference.  Let me see what I can do.

Thanks much!

-danny
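
Added example (not part of the original message or of the draft): a byte-count check of the size argument quoted above, which builds the smallest possible DNS query in memory and compares it with the 4 096-byte UDP answer limit mentioned in the thread. The header overheads, the function names and the root-zone NS query are assumptions made for this illustration; nothing is sent on the network.

```python
import struct

IPV4_UDP = 20 + 8  # IPv4 header (no options) + UDP header, in bytes
IPV6_UDP = 40 + 8  # fixed IPv6 header + UDP header, in bytes


def encode_name(name):
    """Encode a domain name as length-prefixed labels; "." is the root."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=2, edns_size=None):
    """Build a DNS query message (RFC 1035), optionally with an EDNS0 OPT
    record (RFC 6891) advertising edns_size as the UDP payload size."""
    arcount = 1 if edns_size else 0
    # ID=0 (constructed), flags=RD, QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT
    msg = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if edns_size:
        # OPT: root name, TYPE=41, CLASS=payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return msg


def factor(query_len, response_len, overhead):
    """On-wire response bytes divided by on-wire request bytes."""
    return (response_len + overhead) / (query_len + overhead)


def dns_budget(claimed_factor, response_len, overhead):
    """Bytes left for the DNS query message if claimed_factor is to be reached."""
    max_request = (response_len + overhead) // claimed_factor
    return max_request - overhead


if __name__ == "__main__":
    smallest = build_query(".", edns_size=4096)  # OPT is needed to get >512 bytes back
    print("smallest EDNS0 query:", len(smallest), "bytes")
    print("smallest plain query:", len(build_query(".")), "bytes")
    for label, overhead in (("IPv4", IPV4_UDP), ("IPv6", IPV6_UDP)):
        print(label, "best case %.1f:1" % factor(len(smallest), 4096, overhead),
              "| DNS bytes available at 76:1:", dns_budget(76, 4096, overhead))
```

Under either header overhead, the DNS byte budget that a 76:1 factor would allow is smaller than the smallest query able to request a 4 096-byte answer.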

