[dns-operations] Configurable TC=1?
dns at fl1ger.de
Wed Dec 23 09:07:46 UTC 2015
On 21 Dec 2015, at 22:58, Paul Vixie wrote:
> when planning defense, it's best to think at least one step ahead. so, before you invest in a point solution such as redirecting qtype=ANY to TCP, i suggest figuring out what the bad guys will do as their response. if what they can do is cheap for them and expensive for you, then it may be a fool's errand to invest in that point solution.
>
> the TXT response for nether.net is 306 octets. that's 5X amplification factor (BPS), which is relatively common since there is an SPF RR there. qtype=ANY is not required for a successful amplification attack against that authority server, so if it stops working, i would expect the bad guys to simply "adapt".
Could be, but so far most amplification has been using ANY or straight
lots of (>250) A records, which gives the same result. Seems like there
are more script kiddies out there than intelligent attackers, so you
need a way to defend against them.
> adapting to DNS RRL is not impossible, but it is at least marginally harder than switching to a non-DNS attack vector, so, it's good enough for now while we figure out the right way to incentivize more BCP38 deployment.
Neither RRL nor playing around with ANY special handling are enough to
deal with all attack scenarios. I think they both plus other
tools/techniques belong in a toolset that one should have available
when dealing with attacks.
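The RRL-plus-slip behaviour the thread is weighing (rate-limit identical responses per client prefix and answer every Nth limited query with TC=1 so a genuine resolver retries over TCP while a spoofed source only ever elicits a small truncated reply), shown as an added toy illustration that is not part of this thread and not BIND or NSD code; the credit model, the rps/window/slip knobs and the sample query burst are simplifying assumptions constructed for the example.

```python
from collections import Counter, defaultdict
import ipaddress

class ToyRRL:
    """Toy response-rate-limiter modelled loosely on DNS RRL (assumption: not
    the BIND/NSD algorithm). Accounts are keyed by (client prefix, qname,
    qtype); each account earns `rps` credits per second up to `rps*window`,
    and every response costs one credit. When the balance goes negative the
    response is rate-limited: every `slip`-th limited response is sent
    truncated (TC=1, no data) so a real resolver falls back to TCP, while a
    spoofed source gains no amplification from it; the rest are dropped."""

    def __init__(self, rps=5, window=15, slip=2, prefix_len=24):
        self.rps, self.window, self.slip, self.prefix_len = rps, window, slip, prefix_len
        self.accounts = {}                 # key -> [balance, last_second]
        self.limited = defaultdict(int)    # key -> number of limited responses

    def _key(self, src_ip, qname, qtype):
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, src_ip, qname, qtype, now):
        """Return 'send', 'slip' (answer with TC=1) or 'drop' for one query."""
        key = self._key(src_ip, qname, qtype)
        acct = self.accounts.setdefault(key, [self.rps, int(now)])
        elapsed = int(now) - acct[1]
        if elapsed > 0:                    # refill credits for elapsed seconds
            acct[0] = min(acct[0] + elapsed * self.rps, self.rps * self.window)
            acct[1] = int(now)
        acct[0] -= 1
        if acct[0] >= 0:
            return "send"
        acct[0] = max(acct[0], -self.rps * self.window)   # bound the penalty
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            return "slip"
        return "drop"

def simulate(rrl, queries):
    """Feed (src_ip, qname, qtype, t) tuples to the limiter; return decision counts."""
    return Counter(rrl.decide(*q) for q in queries)

if __name__ == "__main__":
    rrl = ToyRRL(rps=5, window=15, slip=2)
    # Constructed sample: 100 identical TXT queries in one second from one
    # (possibly spoofed) address, the pattern an amplification run produces.
    burst = [("192.0.2.10", "nether.net", "TXT", 0.0)] * 100
    print(simulate(rrl, burst))            # Counter({'drop': 48, 'send': 5, 'slip': 47})
```

Because the account is keyed on the /24 rather than the single address, a second address in the same prefix is still limited a few seconds later, whereas a query from an unrelated prefix is answered normally.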