[dns-operations] Configurable TC=1?

Dave Warren davew at hireahit.com
Sun Dec 20 22:14:10 UTC 2015

On 2015-12-20 10:16, Paul Vixie wrote:
> this won't help all victims of dns amplification attacks, since many 
> of the congestion points are measured in PPS not BPS. they need 
> attenuation, not just the absence of amplification. attenuation in 
> both PPS and BPS.

If all you care about (as an attacker) is causing high PPS, an attacker 
doesn't need to use DNS servers in particular; virtually any host that 
responds on TCP, UDP or ICMP with a single packet (even if it's just a 
refusal) will be sufficient for a reflection-style PPS attack.

DNS is largely used because of amplification, which is a combined PPS 
and BPS attack.

Returning TC=1 has the unique advantage of allowing a DNS server to stop 
responding to the packets at all for a little while until/unless you see 
a TCP DNS query from the same host (after which point you might start 
answering UDP again, since you at least know the queries are from a DNS 
server and not a reflection attack).

>  that's what DNS RRL is designed to do. i've yet to hear a simpler 
> solution.

I agree that DNS RRL helps in the case of amplification. However, as I 
understand it, RRL only steps in for duplicate queries and in a pure PPS 
attack, an attacker can simply ask tons of different queries and 
partially side-step RRL. As attackers develop new techniques in the 
future, I expect both RRL and TC=1 will be useful in reducing the impact 
on victims.

Also potentially useful (although it would require wide deployment) 
would be if a victim could send out some sort of "I'm being attacked, 
stop responding to UDP queries" squelch, and after receiving such a 
packet, a DNS server would only respond with TC=1 responses, and only a 
small percentage of them (to ensure that this doesn't create a DoS 
mechanism), with the victim knowing to use TCP. Since DNS servers would 
still send periodic TC=1 queries, this would reduce the impact if an 
attacker sent out spoofed squelch packets since the resolver would 
quickly receive the TC=1 packets. Sending the same squelch instruction 
via TCP could allow a victim to indicate an end-of-attack, telling other 
DNS servers "don't force me to use TC=1 anymore".

Dave Warren
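The two mechanisms sketched in the post, a server that answers an unverified UDP source only with TC=1 until that source has been seen over TCP, and the proposed "stop answering my UDP queries" squelch with its sampled TC=1 replies and TCP-only end-of-attack signal, can be modelled as a small per-source state machine. The following is an added example written for this page, not code from the list, from the author, or from any DNS server; the policy class, its parameters (`verify_ttl`, `tc_interval`, `squelch_sample`) and the sample addresses are all assumptions, and it simulates the decisions only, without any real DNS I/O.

```python
"""Per-source UDP answer policy modelled on the TC=1 and squelch ideas above.

Hypothetical design (all names are this example's own):
  - an unverified source gets an empty TC=1 reply at most once per
    tc_interval seconds; everything else from it is dropped
  - once a source has queried over TCP it is answered normally over UDP
    for verify_ttl seconds (a TCP handshake shows the address is not spoofed)
  - a squelched source gets TC=1 for only 1 in squelch_sample queries, so
    a spoofed squelch can only reduce traffic to the victim, never raise it
  - an end-of-attack ("unsquelch") is honoured only when it arrives over
    TCP, since it increases traffic and so must not be spoofable
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ANSWER = "full answer over UDP"
    TRUNCATE = "empty reply with TC=1 (retry over TCP)"
    DROP = "no reply"


@dataclass
class ClientState:
    tcp_verified_until: float = 0.0   # UDP answered normally before this time
    last_tc_sent: float = -1e9        # time of the last TC=1 reply to this source
    squelched: bool = False           # source asked us to stop answering UDP
    squelched_queries: int = 0        # UDP queries seen while squelched


class DnsTcPolicy:
    """Decides what to do with each UDP query, keyed by source address."""

    def __init__(self, verify_ttl=300.0, tc_interval=1.0, squelch_sample=20):
        self.verify_ttl = verify_ttl          # seconds a TCP query vouches for a source
        self.tc_interval = tc_interval        # min seconds between TC=1 replies (unverified)
        self.squelch_sample = squelch_sample  # while squelched, TC=1 to 1 in N queries
        self.clients = {}                     # source ip -> ClientState

    def _state(self, ip):
        return self.clients.setdefault(ip, ClientState())

    def on_udp_query(self, ip, now):
        st = self._state(ip)
        if st.squelched:
            # Periodic TC=1 keeps a real resolver informed that TCP works,
            # while holding the reflected volume to 1/N of the query rate.
            st.squelched_queries += 1
            if (st.squelched_queries - 1) % self.squelch_sample == 0:
                return Action.TRUNCATE
            return Action.DROP
        if now < st.tcp_verified_until:
            return Action.ANSWER
        # Unverified source: a small TC=1 reply, rate-limited, drop the rest.
        if now - st.last_tc_sent >= self.tc_interval:
            st.last_tc_sent = now
            return Action.TRUNCATE
        return Action.DROP

    def on_tcp_query(self, ip, now):
        # A completed TCP query proves the source address is reachable,
        # so UDP answers to it cannot be reflection onto a third party.
        st = self._state(ip)
        st.tcp_verified_until = now + self.verify_ttl
        return Action.ANSWER

    def on_squelch(self, ip, now):
        # Accepted over UDP: even if spoofed, it can only reduce traffic.
        st = self._state(ip)
        st.squelched = True
        st.squelched_queries = 0

    def on_unsquelch(self, ip, now, via_tcp):
        # Only honoured over TCP, because lifting the squelch raises traffic.
        if not via_tcp:
            return False
        st = self._state(ip)
        st.squelched = False
        st.tcp_verified_until = now + self.verify_ttl
        return True


def simulate_reflection(policy, victim_ip, pps, seconds):
    """Count what a spoofed flood of `pps` queries/s for `seconds` provokes."""
    counts = {a: 0 for a in Action}
    for i in range(int(pps * seconds)):
        counts[policy.on_udp_query(victim_ip, i / pps)] += 1
    return counts


if __name__ == "__main__":
    # Constructed scenario: 1000 spoofed UDP queries/s for one second.
    summary = simulate_reflection(DnsTcPolicy(), "203.0.113.9", pps=1000, seconds=1)
    for action, n in summary.items():
        print(f"{action.value:40s} {n}")
```

In the simulated flood only one TC=1 reply per second leaves the server for an unverified source, so the reflected PPS towards the spoofed victim is bounded by `tc_interval` rather than by the attacker's query rate. The asymmetry in the squelch handling is the part worth keeping in mind: any instruction that lowers traffic to an address can be accepted unauthenticated, but anything that raises it needs the TCP round trip.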
