[dns-operations] Slow Drip DDOS Attack Research

Renee Burton rburton at infoblox.com
Wed Nov 7 18:26:13 UTC 2018


I'm not sure how to interpret the RRL comments; but, yes, I agree RRL good, RRL designed.

For the open resolvers, you are spot on. The first paragraph describes the "simplest form" and widely accepted description of the attack. But, if you turn to page 11 you'll see your point exactly:

"Another odd characteristic of ExploderBot is the selection of destination IPs, or server IPs, for the attack requests. The published theory of this technique surrounds the central assumption that the attack leverages open resolvers to diffuse and obfuscate the requests to the authoritative name servers..... Our analysis indicates, however, that ExploderBot requests are not sent to a notable percentage of open resolvers. The evidence we have indicates that the majority of requests are destined for IPs that are not open resolvers, and that many are not listening on port 53 at all."

There is a lot of lore in cyber, as you most recently discussed in the newly observed domains paper. Our interest in this paper, and my interests in general, are putting cyber in the context of data and scientific method. The technical details we've provided give everyone with DNS data the ability to go find, reproduce, improve, or challenge our conclusions based on data, not belief. We also left several open questions.

Thanks for reading and engaging. Renée

On 11/7/18, 12:59 PM, "Paul Vixie" <paul at redbarn.org> wrote:

    from page 2 of the PDF:
    > The Slow Drip attack is designed to target an authoritative name
    > server. In its simplest form, a large volume of DNS requests are sent
    > to open resolvers requesting the resolution IP (the A 8 record) of
    > random subdomains of a registered domain. The random hostnames, or
    > domain prefixes, serve the purpose of ensuring that the queries are
    > forwarded to the authoritative name servers through the global DNS.
    > As the requests cascade into the authoritative name servers, they
    > return NXDOMAIN (rcode=3) responses, but ultimately the servers are
    > overwhelmed.
    this is why DNS Response Rate Limiting (DNS RRL) uses a smaller default 
    for negative limits than for positive ones. note, again, that the 
    defaults are carefully considered, and likely won't benefit from tuning.
    i also question whether open resolvers are truly nec'y for this attack. 
    opendns and google do a lot of rate limiting and have 24x7 human 
    coverage to detect anomalies. i have to assume that IBM and CloudFlare 
    do the same, or else we'd have heard about other amplification attacks 
    through those open recursives before now.
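As an added example (not from the paper or from either poster) of how an authoritative operator could spot the random-subdomain NXDOMAIN pattern quoted above, the script below groups a constructed response log by zone and flags zones whose NXDOMAIN responses are numerous, dominant, mostly unique and high-entropy; the log format, the zone-as-last-two-labels rule and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of an authoritative server's response log (not real data).
# Fields: client qname qtype rcode
SAMPLE_LOG = """\
192.0.2.10 www.example.com A NOERROR
192.0.2.10 mail.example.com A NOERROR
198.51.100.7 xq7t2kd9.example.com A NXDOMAIN
198.51.100.8 a91kz0pq.example.com A NXDOMAIN
198.51.100.9 mm3vb7ye.example.com A NXDOMAIN
203.0.113.4 zz0p1rqw.example.com A NXDOMAIN
203.0.113.5 k8d2h6ls.example.com A NXDOMAIN
203.0.113.6 typo.example.com A NXDOMAIN
192.0.2.11 www.example.org A NOERROR
"""

def label_entropy(label):
    """Shannon entropy in bits per character; a random 8-char prefix scores near 3.0."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def score_zones(log_text, min_nx=3, nx_ratio=0.5, entropy_floor=2.5):
    """Group responses by zone (assumed to be the last two labels) and flag zones whose
    NXDOMAINs are numerous, dominant, mostly unique and high-entropy (slow-drip signature)."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "prefixes": set(), "ent": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        labels = parts[1].rstrip(".").lower().split(".")
        z = stats[".".join(labels[-2:])]
        z["total"] += 1
        if parts[3] == "NXDOMAIN":
            prefix = labels[0] if len(labels) > 2 else ""
            z["nx"] += 1
            z["prefixes"].add(prefix)
            z["ent"].append(label_entropy(prefix))
    flagged = {}
    for zone, z in stats.items():
        if z["nx"] < min_nx:
            continue
        ratio, mean_ent = z["nx"] / z["total"], sum(z["ent"]) / len(z["ent"])
        unique = len(z["prefixes"]) / z["nx"]
        if ratio >= nx_ratio and mean_ent >= entropy_floor and unique >= 0.9:
            flagged[zone] = {"nx_ratio": round(ratio, 2), "mean_entropy": round(mean_ent, 2),
                             "distinct_prefixes": len(z["prefixes"])}
    return flagged
```

The uniqueness check separates a flood of never-repeating prefixes from a few misspelt names that recur, which an RRL negative-response limit would also absorb without this analysis.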
