[dns-operations] Storm on the DNS
Dave Warren
davew at hireahit.com
Wed Dec 16 03:51:48 UTC 2015
TCP adds significant overhead for normal operation with queries that fit
within a single packet, and at least to me, the current UDP-first,
TCP-fallback-when-needed model seems like it could scale out to help
address reflection attacks by forcing TCP only when really needed.
Smarter minds than mine might comment, but to me, if going pure-TCP
would help, setting TC=1 will tend to push existing traffic over to TCP
now, and as I understand it, these packets are small enough to avoid
reflection attacks.
The biggest problem I see with going TCP is that you can simply drop a
majority of UDP packets in a DDoS situation and still have a somewhat
functional server if clients make 3-4 retries, whereas with a 3-way
handshake and other ACKs required to even get the question, packet loss
makes TCP services more susceptible to DoS attacks. There might be ways
to overcome this with SYN cookies and TCP connections that stay
connected, I genuinely don't know, but all of this adds a lot of
overhead over the UDP model.
Plus, if we're going to replace something as fundamental as DNS in any
major way, BCP38 will cause a lot less pain overall and might well kick
the replace-DNS can far enough down the road while mostly solving the
current DDoS capabilities.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
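As an added illustration of the TC=1 point above (example code written for this page, not from the post or the list): a minimal DNS message builder that compares the amplification ratio of a full TXT answer with that of a truncated reply. The name, the record contents and the sizes are constructed for the example.

```python
import struct

TXT = 16  # RR type number for TXT

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, qid=0x1234):
    """Standard query: header (RD=1) + one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, rdatas, truncated=False):
    """Answer the query with the given TXT RDATAs, or with a TC=1 reply."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR, RD, RA, optional TC
    if truncated:
        # A TC=1 reply carries only header + question: nothing to amplify.
        return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question
    body = b""
    for rdata in rdatas:
        # 0xc00c = compression pointer to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", TXT, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, flags, 1, len(rdatas), 0, 0) + question + body

def is_truncated(msg):
    """Client-side check: TC bit set means retry the query over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)

def amplification(query, response):
    """Bytes a reflector would emit per byte of spoofed query."""
    return len(response) / len(query)

def txt_rdata(text):
    """One TXT character-string (length-prefixed, max 255 bytes)."""
    return bytes([len(text)]) + text

# Constructed sample: three 200-byte TXT strings at a made-up name.
SAMPLE_TXT = [txt_rdata(b"x" * 200) for _ in range(3)]

if __name__ == "__main__":
    q = build_query("example.test", TXT)
    full = build_response(q, SAMPLE_TXT)
    tc = build_response(q, SAMPLE_TXT, truncated=True)
    print("full UDP answer :", amplification(q, full))  # about 22x
    print("TC=1 reply      :", amplification(q, tc))    # 1.0
```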
On 2015-12-15 16:45, Yonghua Peng wrote:
> May I suggest the next generation DNS protocol should be TCP based?
> like what HTTP DNS does.
> UDP stuff is too easy to be attacked. Thanks.
>
> On 2015/12/16 Wednesday 6:34, Frank Bulk wrote:
>> Great posting by Duane here:
>> http://www.circleid.com/posts/20151215_verisign_perspective_on_recent_root_server_attacks/
>>
>>
>> Frank
>>
>> -----Original Message-----
>> From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf Of Stephane Bortzmeyer
>> Sent: Tuesday, December 15, 2015 4:17 AM
>> To: dns-operations at dns-oarc.net
>> Subject: Re: [dns-operations] Storm on the DNS
>>
>> On Mon, Nov 30, 2015 at 09:13:11AM +0100,
>> Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote
>> a message of 10 lines which said:
>>
>>> Starting around 0700 UTC, several root name servers seem to have
>>> problems.
>> A discussion on Bruce Schneier's blog
>> https://www.schneier.com/blog/archives/2015/12/attack_against_.html
>>
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs