[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Tony Finch dot at dotat.at
Wed Sep 7 14:04:22 UTC 2016

Paul Vixie <paul at redbarn.org> wrote:
> > I was describing what is covered in section 4.1 of
> > http://ss.vix.su/~vixie/isc-tn-2012-1.txt
> i do not expect the real clients to repeat their queries more than once per
> TTL. statistically that means you won't see many UDP-to-TCP upgrades as a
> result of the TC=1 responses you're sending out.

The authoritative servers are overloaded because there are too many TCP
clients. There are too many TCP clients because there are huge numbers of
recursive resolvers requesting big answers. The queries from huge numbers
of recursive servers happen because the recursive servers are being abused
by attackers. The resolvers can't get any answers, so they are retrying N
times then returning a failure to their "clients" (attackers), without
cacheing - there are no answers so no TTLs. The attackers are continuing
to hammer away so the resolvers send more queries to the authorities.

RRL is designed to make legitimate clients try harder in the face of an
attack, but that is not helpful when the server is overloaded.

> > If minimal-any is wrong, what should I have done instead?
> nothing. treat ANY as strategically valuable attack-signature that is
> presently useful in traceback activities, and must be preserved for that
> purpose, unless you can move us to an end-game scenario where there is
> no obvious next move for the bad guys.

So I have:

* RRL to deal with most direct reflection attacks

* minimal-responses to avoid fragmented UDP
  (which also avoids packet count amplification)

* minimal-any to close a loophole in minimal-responses

Even if an attacker exploits the RRL random-NXDOMAIN loophole, they'll not
get packet count amplification from me. I've done what I can to limit
byte count amplification short of switching to ECDSA :-)

If everyone does that, then DNS is no longer a packet amplifier, which I
think is an improvement.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Viking, North Utsire, South Utsire: Easterly or southeasterly 4 or 5,
occasionally 6 later. Slight or moderate. Rain, fog patches. Moderate,
occasionally very poor.

More information about the dns-operations mailing list