[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Roland Dobbins rdobbins at arbor.net
Sun Sep 4 04:42:11 UTC 2016


On 4 Sep 2016, at 11:07, Damian Menscher wrote:

> To what end?  If they want to obfuscate the source IP, why not simply 
> spoof the source IPs in a direct attack?

For many reasons, including path obfuscation (e.g., making 
traceback/filtering more difficult), obfuscating outbound attack traffic 
on its origin networks, maximizing attack source path diversity, etc.  
Also, blind copying.

That being said, I've been seeing an uptick over the last 18 months or 
so in attacks launched using straight-up UDP packet-cannons on 
higher-bandwidth links, no spoofing at all.

> I maintain that amplification is key -- reflection is just a means to 
> an end.  (Reflection potentially makes traceback slightly harder,

Amplification is key for most attackers, even though in many cases, they 
don't need it.

'Key' <> 'actually necessary', which is the real point.

> but it's hard to imagine any attacker caring about that.)

Some do.  The majority of attackers simply a) concentrate on volume and 
b) use what seemed to work before, irrespective of its suitability to 
task.

But not all of them.  And the attack methodologies vary over time based 
on successes (planned or accidental) of more clueful attackers.

> No.  Most attacks amplify off recursive resolvers

You're generalizing your particular experience.  I don't have a feel for 
the relative stats, but a not-insignificant proportion of DNS 
reflection/amplification attacks are initiator ---> authoritative ---> 
target.

> and those do a single authoritative lookup which they then cache for 
> its TTL.  RRL does nothing to help in this case.

Not all open recursors have 'normal' TTLs.

> I understand that RRL can help in the case of amplification directly 
> off authoritative servers, but I've never seen an attacker do that (or 
> perhaps just didn't notice).

I see it quite frequently.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
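The thread above argues that response rate limiting on authoritative servers does blunt reflection that goes initiator -> authoritative -> target, and the subject line notes that SOA answers deserve the same treatment as ANY. The following is an added example, written for this archive page and not code from the thread's participants or from any DNS server: a simplified, per-client-prefix response rate limiter in the spirit of RRL, run over a constructed sample of query records. The limit of 5 identical responses per second, the /24 prefix grouping, the "slip" value of 2 and the sample addresses are all assumptions chosen for illustration. The point it shows is why a server-side limiter helps only when the query reaches the authoritative server: excess responses to a spoofed victim are dropped, and the occasional truncated reply is a small packet that a real client would retry over TCP but a spoofed source never will.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample of query records, shaped like what an authoritative
# server might log: (timestamp_seconds, source_ip, qname, qtype).
# 203.0.113.7 plays a spoofed victim address being hit with ANY queries;
# the 198.51.100.0/24 clients are ordinary resolvers.
SAMPLE_QUERIES = (
    [(i * 0.01, "203.0.113.7", "example.net", "ANY") for i in range(20)]
    + [
        (0.05, "198.51.100.20", "www.example.net", "A"),
        (0.40, "198.51.100.21", "example.net", "SOA"),
        (1.20, "203.0.113.7", "example.net", "ANY"),  # next one-second window
    ]
)


class ResponseRateLimiter:
    """Fixed-window rate limiter keyed on (client prefix, qname, qtype).

    Identical responses to the same client prefix are capped per second.
    Excess responses are dropped, except that every `slip`-th excess is
    answered with a truncated (TC=1) reply: a genuine client retries over
    TCP, while a reflection victim whose address was spoofed only receives
    a small packet instead of a large ANY or SOA answer.
    This is a teaching model, not any server's actual RRL implementation.
    """

    def __init__(self, responses_per_second=5, prefix_len=24, slip=2):
        self.limit = responses_per_second
        self.prefix_len = prefix_len
        self.slip = slip
        self.sent = defaultdict(int)    # (key, second) -> responses sent
        self.excess = defaultdict(int)  # (key, second) -> excess seen (for slip)

    def _key(self, src_ip, qname, qtype):
        # Group by prefix so an attacker cannot dodge the limit by
        # spreading spoofed sources across one victim network.
        prefix = ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        return (str(prefix), qname.lower().rstrip("."), qtype.upper())

    def decide(self, ts, src_ip, qname, qtype):
        """Return 'answer', 'truncate' or 'drop' for one query."""
        window = (self._key(src_ip, qname, qtype), int(ts))
        if self.sent[window] < self.limit:
            self.sent[window] += 1
            return "answer"
        self.excess[window] += 1
        if self.slip and self.excess[window] % self.slip == 0:
            return "truncate"
        return "drop"


def run(queries, limiter=None):
    """Apply the limiter to queries in time order; return decisions and a tally."""
    limiter = limiter or ResponseRateLimiter()
    decisions = []
    tally = defaultdict(int)
    for ts, src, qname, qtype in sorted(queries):
        action = limiter.decide(ts, src, qname, qtype)
        decisions.append((ts, src, qname, qtype, action))
        tally[action] += 1
    return decisions, dict(tally)


if __name__ == "__main__":
    decisions, tally = run(SAMPLE_QUERIES)
    for ts, src, qname, qtype, action in decisions:
        print(f"{ts:5.2f}s {src:>14} {qname:<16} {qtype:<4} -> {action}")
    print(tally)
```

With the sample above, the first five ANY responses toward 203.0.113.7 in second 0 go out, the remaining fifteen are limited (seven truncated, eight dropped), the two legitimate A and SOA lookups from the other prefix are unaffected, and the ANY query in second 1 is answered again because the window has rolled over. Keying on qtype is what makes the same limit apply to SOA as to ANY.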


