[dns-operations] Configurable TC=1?

Ralf Weber dns at fl1ger.de
Wed Dec 23 09:07:46 UTC 2015


On 21 Dec 2015, at 22:58, Paul Vixie wrote:
> when planning defense, it's best to think at least one step ahead. so, 
> before you invest in a
> point solution such as redirecting qtype=ANY to TCP, i suggest 
> figuring out what the bad guys
> will do as their response. if what they can do is cheap for them and 
> expensive for you, then it
> may be a fool's errand to invest in that point solution.
> the TXT response for nether.net is 306 octets. that's 5X amplification 
> factor (BPS), which is
> relatively common since there is an SPF RR there. qtype=ANY is not 
> required for a successful
> amplification attack against that authority server, so if it stops 
> working, i would expect the
> bad guys to simply "adapt".
Could be, but so far most amplification has been using ANY or straight 
lots of (>250) A records, which gives the same result. Seems like there 
are more script kiddies out there than intelligent attackers, so you 
need a way to defend against them.

> adapting to DNS RRL is not impossible, but it is at least marginally 
> harder than switching to a
> non-DNS attack vector, so, it's good enough for now while we figure 
> out the right way to
> incentivize more BCP38 deployment.
Neither RRL nor playing around with ANY special handling are enough to 
deal with all attack scenarios. I think they both plus other 
tools/techniquies belong into a toolset that one should have available 
when dealing with attacks.

So long

More information about the dns-operations mailing list