[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Tony Finch dot at dotat.at
Tue Sep 6 10:45:36 UTC 2016 

Paul Vixie <paul at redbarn.org> wrote:
> Tony Finch wrote:
> >
> > In our case the problem was that a very large number of recursive servers
> > were being used as reflectors, and the spoofed queries were for a domain
> > hosted by us. So because they were legitimate clients, RRL was no help at
> > reducing the traffic on the authority servers. Fine, that's how it is
> > supposed to work.
>
> it was, though. "some help".

I think once the server got into an overload situation RRL made the
problem worse (or, at least, it was very busy having no useful effect),
since it caused more retry traffic from recursive servers that lost
answers (but they couldn't get answers anyway).

> so, i'd ask why you think RRL would be a necessary part of a TCB DoS.

I don't understand this question. I don't think that, and I don't think I
said anything along those lines. All I am saying is that minimal-any can
help in some situations when RRL can't help.

> your UDP load due to this attack that occurs via valid DNS clients would
> be reduced by RRL by as much as 2/3rds depending on your RRL
> configuration.

AIUI RRL would have reduced our UDP response rate, which would have
caused retries and therefore a higher UDP query rate. (Normally also a
higher TCP query rate, but not in this case because the responses were TC
whether RRL truncated them or not.) i.e. busy having no useful effect on
an overload from legitimate clients.

> i can publish the one line perl script that can do this to you or anybody from
> anyplace on the Internet, if you think that would be safe for the onlookers.

Even so, it is still useful to make my servers more robust against being
collateral damage in an attack aimed at someone else, and it is good to
make my servers less attractive for use in attacks on others.

> can we whiteboard this in vienna on september 30? or you can come to paris for
> m3aawg and vernon can whiteboard it for both of us.

I am in Cambridge :-) (My apologies to Austrians for making a joke out of
your ccTLD!) And I'm afraid we aren't a M3AAWG member.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Shannon: Variable 4, becoming cyclonic 5 or 6. Moderate or rough. Rain, fog
banks. Moderate, occasionally very poor.

More information about the dns-operations mailing list