[dns-operations] Configurable TC=1?

Anand Buddhdev anandb at ripe.net
Mon Dec 21 08:22:05 UTC 2015


On 21/12/15 06:04, Paul Vixie wrote:

> ddos traceback often relies on hop by hop utilization curve
> matching. thus, reflection is useful
> for hiding attack sources, due to signal dispersion.
> 
> we need attenuation in all reflectors, measured in both BPS and PPS.

These are VERY important points. Paul advocates RRL all the time, and it
is a useful countermeasure. However, I would go one step further. I
would say that name servers should simply NOT respond at all over UDP if
they are queried for a zone they're not authoritative for.

A recent attack I witnessed involved flooding the victim name server
with *responses*. These came from random name servers on the Internet,
which were replying with:

1. NOERROR (upward referral)
2. REFUSED
3. SERVFAIL
4. ICMP port unreachable

The attacker was just sending queries for a domain that none of these
servers were carrying (and some weren't even running a name server), and
so the victim address was flooded with one of the above.

When DJB introduced tinydns, and it refused to respond to zones it
wasn't authoritative for, people howled "non-standards compliant" at
him, but he had the right idea. A name server shouldn't just always
respond. Some name servers, such as root name servers, will of course
always have a response, but they are special. Most other servers have no
business responding to junk sent their way.

Regards,
Anand
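An added example, not part of the list post, of the defender-side detection logic a victim could run over a response log to spot the backscatter flood Anand describes: it separates replies to queries the victim actually sent from unsolicited ones and counts the latter by the categories he lists. The log format and the sample lines are constructed for the example; the ICMP port-unreachable case is not a DNS message and is left out.

```python
"""Detect a flood of unsolicited DNS *responses* arriving at a victim.

Added example, not from the original post. Input lines are constructed
here in a simplified, assumed log format (not any real tool's output):
    <ts> <src_ip> <dst_ip> <txid> <qname> <rcode> <ancount> <auth_ns>
where auth_ns is a comma-separated list of NS names from the authority
section ('-' when the section is empty).
"""
from collections import Counter, defaultdict

# Constructed sample: victim 192.0.2.10 sent exactly one real query
# (txid 1a2b to 198.51.100.1); every other line is backscatter from
# servers that were never asked anything by the victim.
SAMPLE_LOG = """\
1450680000.001 198.51.100.1 192.0.2.10 1a2b example.net. NOERROR 1 -
1450680000.002 203.0.113.5 192.0.2.10 0001 victim-zone.example. NOERROR 0 a.root-servers.net.,b.root-servers.net.
1450680000.003 203.0.113.6 192.0.2.10 0002 victim-zone.example. REFUSED 0 -
1450680000.004 203.0.113.7 192.0.2.10 0003 victim-zone.example. SERVFAIL 0 -
1450680000.005 203.0.113.5 192.0.2.10 0004 victim-zone.example. NOERROR 0 a.root-servers.net.
"""


def classify(rcode, ancount, auth_ns):
    """Map one response to the categories named in the post."""
    # An "upward referral": NOERROR, no answers, root NS in authority.
    if rcode == "NOERROR" and ancount == 0 and any(
            ns.endswith(".root-servers.net.") for ns in auth_ns):
        return "NOERROR upward referral"
    if rcode in ("REFUSED", "SERVFAIL"):
        return rcode
    return "other"


def find_backscatter(log_text, outstanding):
    """Return (counts per category, distinct sources per category) for
    responses whose (src, txid) does not match a query the victim sent.
    `outstanding` is the set of (server_ip, txid) pairs the victim
    is legitimately waiting on."""
    counts = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        _ts, src, _dst, txid, _qname, rcode, ancount, auth = line.split()
        if (src, txid) in outstanding:
            continue  # legitimate reply to our own query, not backscatter
        auth_ns = [] if auth == "-" else auth.split(",")
        cat = classify(rcode, int(ancount), auth_ns)
        counts[cat] += 1
        sources[cat].add(src)
    return counts, {cat: len(ips) for cat, ips in sources.items()}
```

A real deployment would key on the full (src, port, txid) tuple from the victim's own query state, but the classification is the part worth watching: a sustained mix of REFUSED, SERVFAIL and empty upward referrals from many unrelated servers is the signature of someone else's spoofed queries, not of anything the victim did.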