[dns-operations] DNS reflection useful without amplification? (was: if you're banning ANY queries, don't forget to ban SOA as well)

Damian Menscher damian at google.com
Wed Sep 7 05:20:06 UTC 2016


On Tue, Sep 6, 2016 at 8:16 PM, Shane Kerr <shane at time-travellers.org>
wrote:
>
> At 2016-09-06 18:43:23 -0700
> Paul Vixie <paul at redbarn.org> wrote:
> > that could be fixed by always-return-TC on UDP ANY. but that would make
> > ANY no less useful for DDoS, since reflection is the primary virtue, and
> > amplification is a nice-to-have.
>
> I've seen you make this claim several times, which is to say that the
> main benefit to an attacker is not amplification but rather reflection.
>
> In the past I've said that this seems dubious to me. After all, an
> attacker that can use reflection can already spoof the source address
> of their packets. Nevertheless I am wrong at least once every day
> before breakfast, so I am happy to admit that I am wrong about this.
>
> So... can you or anyone else provide any convincing evidence for
> the utility of DNS reflection to an attacker? Has anyone seen their
> servers be used in non-amplification DNS reflection attacks? Has anyone
> been the victim of a non-amplification DNS reflection attack? (Of
> course neither of those would actually prove real value to an attacker,
> since people do things that don't help all the time, but at least it
> means that attackers *think* that it has value.)
>

You're essentially correct... nearly all the value of DNS reflection is in
the amplification.  If amplification weren't possible, it's highly likely
they'd switch to some other protocol.  This is because amplification allows
for asymmetry in the attack -- an attacker who controls 1Gbps can take down
a 40Gbps datacenter.

Those who claim reflection is sufficient are considering various minor edge
cases:
  - Perhaps the victim is a home user with only a 100Mbps connection.  In
that case amplification is unnecessary.
  - A victim with multiple upstreams might suffer only a partial loss from
a direct attack saturating one link, while a reflected attack would
naturally spread across their upstreams.
  - Launching attacks "from" the victim might generate abuse complaints,
etc.

Damian
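The two quantities the thread argues about, reflection and amplification, can be put side by side on the wire. The following is an added example written for this archive page, not code from Damian, Paul or the list: it builds an EDNS0 ANY query for a hypothetical zone, then builds two replies to it, a normal answer carrying a constructed record set, and the "always-return-TC" reply Paul mentions (TC=1, no answer section), and reports the byte amplification factor of each. The zone name, the record contents and the 1 Gbps / 40 Gbps figures are assumptions used for illustration; the wire formats follow RFC 1035 and RFC 6891.

```python
import struct

# Constructed example, not the list's code. Record types and header flag bits
# are from RFC 1035 / RFC 6891; everything else here is illustrative.
QTYPE_A, QTYPE_TXT, QTYPE_AAAA, QTYPE_OPT, QTYPE_ANY = 1, 16, 28, 41, 255
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100


def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed DNS wire format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def opt_rr(udp_payload_size: int) -> bytes:
    """EDNS0 OPT pseudo-RR: root name, type 41, class carries the UDP buffer size."""
    return b"\x00" + struct.pack(">HHIH", QTYPE_OPT, udp_payload_size, 0, 0)


def build_query(name: str, qtype: int, txid: int = 0x1234, bufsize: int = 4096) -> bytes:
    """A recursion-desired query with one question and an OPT record (arcount=1)."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    return header + question + opt_rr(bufsize)


def question_section(query: bytes) -> bytes:
    """Return the raw QNAME/QTYPE/QCLASS bytes of the first question."""
    i = 12
    while query[i] != 0:
        i += 1 + query[i]
    return query[12:i + 1 + 4]


def build_response(query: bytes, answers, truncated: bool = False, bufsize: int = 4096) -> bytes:
    """Authoritative reply to `query`; with truncated=True, emit TC=1 and no answers."""
    txid, qflags = struct.unpack(">HH", query[:4])
    flags = FLAG_QR | FLAG_AA | (qflags & FLAG_RD)
    if truncated:
        flags |= FLAG_TC
        answers = []  # always-return-TC: the client must retry over TCP
    rrs = b""
    for rtype, ttl, rdata in answers:
        # 0xC00C = compression pointer to the QNAME at offset 12
        rrs += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata
    header = struct.pack(">HHHHHH", txid, flags, 1, len(answers), 0, 1)
    return header + question_section(query) + rrs + opt_rr(bufsize)


def is_truncated(response: bytes) -> bool:
    return bool(struct.unpack(">H", response[2:4])[0] & FLAG_TC)


def constructed_any_rrset() -> list:
    """Constructed records for a hypothetical zone, sized like a modest ANY answer."""
    rrs = [
        (QTYPE_A, 300, bytes([192, 0, 2, 10])),
        (QTYPE_AAAA, 300, bytes.fromhex("20010db8" + "00" * 12)),
    ]
    for i in range(6):  # a handful of TXT strings (SPF/DKIM-style) add bulk
        txt = ("v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all #%d" % i).encode()
        rrs.append((QTYPE_TXT, 300, bytes([len(txt)]) + txt))
    return rrs


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes leaving the reflector per byte the attacker sends to it."""
    return len(response) / len(query)


def reflected_gbps(attacker_gbps: float, factor: float) -> float:
    """Traffic arriving at the spoofed victim for a given attacker uplink and factor."""
    return attacker_gbps * factor


def compare(name: str = "example.com") -> dict:
    query = build_query(name, QTYPE_ANY)
    full = build_response(query, constructed_any_rrset())
    tc = build_response(query, constructed_any_rrset(), truncated=True)
    return {
        "query_bytes": len(query),
        "full_factor": amplification_factor(query, full),
        "tc_factor": amplification_factor(query, tc),
    }


if __name__ == "__main__":
    r = compare()
    print("query: %d bytes" % r["query_bytes"])
    print("full ANY answer: x%.1f amplification" % r["full_factor"])
    print("always-return-TC: x%.1f (reflection only)" % r["tc_factor"])
    print("1 Gbps attacker at x40: %.0f Gbps at the victim" % reflected_gbps(1.0, 40.0))
```

The TC reply is the same size as the query it echoes (header, question and OPT), so its factor is exactly 1.0: the reflector still sends one packet to the spoofed victim per packet received, but contributes no extra bytes. Whether a factor of 1.0 is worth an attacker's trouble is precisely the question the thread leaves open; the number that makes the full answer attractive is the ratio the constructed record set produces, which a real zone with large RRsets or DNSSEC signatures would push well beyond.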