[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"
Paul Vixie
paul at redbarn.org
Tue Sep 6 00:16:42 UTC 2016
Tony Finch wrote:
> Paul Vixie <paul at redbarn.org> wrote:
>> if DNS RRL did that, it would be bad design, no matter whether the repeated
>> flows are dominated by queries from legitimate clients, or not.
>
> I didn't say that it was RRL's fault that the queries were pushed to TCP :-)
i know, and thanks for not blaming RRL for it. but, it shouldn't happen
at all, which is a larger matter than who would be to blame if it happened.
>
> In our case the problem was that a very large number of recursive servers
> were being used as reflectors, and the spoofed queries were for a domain
> hosted by us. So because they were legitimate clients, RRL was no help at
> reducing the traffic on the authority servers. Fine, that's how it is
> supposed to work.
it was, though. "some help". it dropped some, it answered some, and it
TC'd some. the result may have been a DoS against your TCB, but that can
be removed from service with a one-line perl script by anyone on the
internet, with low bandwidth and no spoofing. so, i'd ask why you think
RRL would be a necessary part of a TCB DoS. your UDP load due to this
attack that occurs via valid DNS clients would be reduced by RRL by as
much as 2/3rds depending on your RRL configuration. is that last 1/3 of
any importance to you, considering the massive overprovisioning your
servers _must_ have in order to survive any normal DDoS against them?
>
> The problem was that the responses bust the EDNS buffer size, so the
> clients switched to TCP - lots of clients, enough to make the authorities
> sad.
i can publish the one line perl script that can do this to you or
anybody from anyplace on the Internet, if you think that would be safe
for the onlookers.
until the negotiated-close option to TCP/53 gets into wide deployment,
no TCB will be safe, and no one should depend on TCP being available as a
backup data path to their DNS server.
>
> With both minimal-responses and minimal-any pretty much all UDP responses
> fit within one packet. We're keen on that because we want to avoid
> provoking middleboxes that don't like fragments.
can we whiteboard this in vienna on september 30? or you can come to
paris for m3aawg and vernon can whiteboard it for both of us.
--
P Vixie
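Added example (not from the thread, not BIND's code): a small simulation of the RRL behaviour Paul describes above, where over-limit responses to a reflection flood are partly dropped and partly replaced by small TC=1 replies. It assumes a per-second token bucket keyed on (client netblock, qname) and a `slip` knob meaning "every slip-th over-limit response is truncated instead of dropped", which is how BIND documents its RRL; the query burst and response sizes are constructed.

```python
"""Simplified DNS Response Rate Limiting (RRL) on a spoofed reflection flow.

Constructed scenario: a burst of identical queries arrives, all apparently
from one /24, all for a name hosted on this authority.  RRL keeps a token
bucket per (client netblock, qname); once it is empty a response is either
dropped or, every `slip`-th time, replaced by a tiny TC=1 (truncated) reply
that a real resolver retries over TCP and a spoofed victim simply ignores.
"""
from collections import Counter, defaultdict
from ipaddress import ip_network


def rrl_simulate(queries, responses_per_second=5, slip=2, prefix=24):
    """queries: iterable of (second, client_ip, qname).
    Returns a Counter of 'answered', 'dropped' and 'truncated' responses.
    Bucket refill is simplified to "full again at every new second"."""
    tokens = {}                    # (netblock, qname) -> (second, remaining)
    slip_counter = defaultdict(int)
    outcome = Counter()
    for second, client_ip, qname in queries:
        block = str(ip_network(f"{client_ip}/{prefix}", strict=False))
        key = (block, qname)
        sec, remaining = tokens.get(key, (None, responses_per_second))
        if sec != second:
            remaining = responses_per_second          # new second: refill
        if remaining > 0:
            tokens[key] = (second, remaining - 1)
            outcome["answered"] += 1                  # full UDP answer
            continue
        tokens[key] = (second, 0)
        slip_counter[key] += 1
        if slip and slip_counter[key] % slip == 0:
            outcome["truncated"] += 1                 # TC=1, no amplification
        else:
            outcome["dropped"] += 1                   # nothing sent at all
    return outcome


def udp_bytes(outcome, full_response=1400, tc_response=60):
    """UDP bytes the authority sends toward the (spoofed) source addresses.
    Sizes are constructed: a large DNSSEC-ish answer versus a minimal TC reply."""
    return outcome["answered"] * full_response + outcome["truncated"] * tc_response


def demo():
    # Constructed flood: 30 spoofed queries in one second from 10.0.0.0/24,
    # plus one legitimate resolver in another netblock asking the same name.
    flood = [(0, f"10.0.0.{i}", "example.test.") for i in range(30)]
    legit = [(0, "192.0.2.53", "example.test.")]
    return rrl_simulate(flood + legit, responses_per_second=5, slip=2)
```

With slip 2 the flood's 25 over-limit queries split into 13 drops and 12 truncated replies, while the legitimate resolver in a different /24 is still answered; compare udp_bytes(demo()) with the 31 full answers that would have gone out without RRL.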