[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Damian Menscher damian at google.com
Mon Sep 5 14:47:25 UTC 2016

On Mon, Sep 5, 2016 at 12:33 AM, Paul Vixie <paul at redbarn.org> wrote:
> Shane Kerr wrote:
> ...
>> * DNS Gurus become enraged.
>> It's that very last step that confuses me.
> let me start from the beginning.
> this kind of continuous low-grade non-kinetic warfare is actually a form
> of economics. there will be no decisive victory or loss for anybody -- no
> matter what, the defenders will continue to defend, and the attackers will
> continue to attack, and each will whenever necessary seek new methods, and
> each will whenever possible drive their own costs down and benefits up,
> and/or drive the other's costs up and benefits down.
> when you as a defender block ANY you incur some cost in complexity and
> time. that cost is less than the attacker's projected costs of changing to
> some other RR type. (likely a one-line change to their python script.)
> saying that this "works" is self-deceptive.
> recommending that others do likewise is enragingly others-deceptive.
>> I mean, an attacker can defeat RRL as well, but I don't see repeated
>> attempts to convince people not to use RRL.
> bypassing RRL is not a one line change to a python script. do the math and
> use that math to support an economic model that compels some kind of action
> (or inaction).

Oooh, I took math and economics in high school!  Mind if I turn your
argument against you?  ;)

1) Bypassing ANY is trivial for the attacker, as they can switch to TXT or
any other record.  Enabling RRL doesn't fix this because...
2) Amplifying off recursive servers rather than authoritative servers
bypasses RRL.  This is a trivial change for the attacker.  Shutting down
open recursives isn't economically viable because...
3) The Open Resolver Project sees well over 10M open recursives.  An
attacker needs ~10k to launch a successful attack.  So we need to shut down
99.9% before they even need to change a line of code.  But even then, we've
achieved nothing because...
4) DNS amplification is actually old-school --- the new hotness is
amplifying off NTP or SSDP.  There are several other protocols as well (and
it's likely new ones will continue to be created).

My proposal passes the math/economics sniff test:

There are ~500 ASNs that fail to filter spoofed traffic to the internet
(due to lack of BCP38 compliance).  Most spoofed attacks originate from
only a dozen of them.  If we get those cleaned, the attackers need to
expend effort to find a new network to spoof from.  This is a bit harder
than changing a script, and gets increasingly difficult for them as we
clean up the abusive networks.  If we got transit providers on board with
caring about the health of the internet rather than the number of octets
they carried, they could probably end this discussion in a matter of weeks.
