[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Damian Menscher damian at google.com
Sun Sep 4 01:42:42 UTC 2016


1:1 isn't a concern.  At that point the attacker could just hit the victim
directly.

RRL applied at authoritative servers doesn't accomplish anything -- all
amplification attacks reflect off recursive resolvers, not authoritative
servers.

I do agree that blocking ANY doesn't achieve much (I've seen amplification
via TXT and even A records), but think we're wasting time arguing blocking
ANY vs deploying RRL vs minifying responses vs getting rid of open
recursive resolvers.  The real answer is to insist transit providers
perform traceback and filter their abusive customers.  It's just a matter
of providing them the right incentives....

Damian

On Sat, Sep 3, 2016 at 10:59 AM, P Vixie <paul at redbarn.org> wrote:

> Yes! In fact 1:1 at the packet level is enough for effective ddos, even if
> it's attenuative at the octet level.
>
> This is why DNS RRL attenuates at both the packet and octet levels.
>
> The proponents of blocking ANY have not modeled the attackers' goals, nor
> their alternatives.
>
> Blocking ANY is silly.
>
> Vixie
>
> On September 3, 2016 10:07:24 AM PDT, Roland Dobbins <rdobbins at arbor.net>
> wrote:
>>
>>
>> On 3 Sep 2016, at 23:30, Shane Kerr wrote:
>>
>>> Setting "minimal-responses" in BIND 9's named.conf should fix this.
>>
>>
>> Paul's real point is that just about any (heh) DNS record can be used
>> for some degree of reflection/amplification.
>>
>> A corollary is that most reflection/amplification attacks - in point of
>> fact, most DDoS attacks in general - are gratuitous examples of
>> overkill.  1:1 reflection alone would meet the obfuscatory needs of most
>> attackers and still get the job done conformant to requirements.
>>
>> ------------------------------
>>
>> Roland Dobbins <rdobbins at arbor.net>
>> ------------------------------
>>
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>
>>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>
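Added example, not from the thread or any of the quoted authors: a small Python model of the attenuation argument above, comparing what blocking ANY, minimal-responses, and RRL with a given slip value each do to the reflection ratio at the packet level and at the octet level on whichever server is doing the reflecting. The query size and the per-qtype response sizes are assumed illustrative values, not measurements.

```python
# Constructed model (not from the thread) of how each mitigation discussed
# above changes the reflection ratio at the packet level and at the octet
# level. All sizes are assumed illustrative UDP payload sizes, not measurements.

QUERY_OCTETS = 64  # assumed size of one spoofed query, in bytes

# Assumed response sizes per qtype: (full response, with minimal-responses).
RESPONSES = {
    "ANY": (3000, 1200),
    "TXT": (1500, 600),
    "A":   (400, 120),
}


def ratios(resp_octets, resp_packets=1, query_octets=QUERY_OCTETS):
    """Packet and octet ratio when one query elicits one ordinary reply."""
    return resp_packets, resp_octets / query_octets


def rrl(slip, query_octets=QUERY_OCTETS):
    """Average per-query ratios once RRL is limiting a (name, netblock) tuple.

    Model: of every `slip` over-limit queries, one is answered with a
    truncated (TC=1) reply carrying only the question section and the rest
    are dropped; slip=0 drops everything silently.
    """
    if slip == 0:
        return 0.0, 0.0
    tc_octets = query_octets  # a TC reply is roughly the size of the query
    return 1 / slip, tc_octets / (slip * query_octets)


def worst_case(block_any=False, minimal=False, slip=None):
    """Largest (packet, octet) ratio still available to the attacker."""
    best = (0, 0.0)
    for qtype, (full, mini) in RESPONSES.items():
        if block_any and qtype == "ANY":
            continue  # the attacker just picks the next largest record
        p, o = rrl(slip) if slip is not None else ratios(mini if minimal else full)
        if o > best[1]:
            best = (p, o)
    return best


if __name__ == "__main__":
    for label, kw in [("no mitigation", {}), ("block ANY", {"block_any": True}),
                      ("minimal-responses", {"minimal": True}),
                      ("RRL slip=2", {"slip": 2}), ("RRL slip=0", {"slip": 0})]:
        p, o = worst_case(**kw)
        print(f"{label:18s} packets {p:.2f}:1  octets {o:5.1f}:1")
```

Blocking ANY and minimal-responses only shrink the octet column; the packet column stays 1:1 until the rate limit itself drops or truncates replies.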