[nsp-sec] Solutions for the DNS vul? - Suggestion
Yonglin ZHOU
yonglin.zhou at gmail.com
Thu Jul 24 23:38:54 EDT 2008
If the ISP has a traffic cleaning device or anti-DDoS firewalls, that could
help, because the attack consists of large numbers of packets in a short time
and the packets are all the same but for the SN ID. Right?
On Fri, Jul 25, 2008 at 3:02 AM, Florian Weimer <fweimer at bfk.de> wrote:
> * jonathan curtis:
>
>> 1. Two tier server architecture for all DNS cache systems.
>> - Larger ISPs have 20+ DNS cache servers; this concept is to create a pool of 4-5 Cache Authority servers and point the 20+ caching servers to them for upstream resolution. Then place more protection and security measures on those 4-5 servers, where performance isn't going to be as much of a concern. This also provides a good place to do DNS domain/name-server reputation and injection for phishing / botnet domains.
>
> Does really help because with most implementations, the real cost is
> in the cache miss. And this gets expensive if you use multiple source
> ports, no matter what. You could use a more efficient implementation
> on the out resolvers, though.
>
>> - Implement NIDS/NIPS/other products in front of the
>> Auth-Cache servers.
>
> I guess there won't be any signatures for attacks in general, only for
> specific tools. 8-(
>
>> 2. Implement TLD's within your AS - a shorter path to the right
>> answer might beat out a wrong answer ... < John K. This might be
>> the key to justifying it. >
>
> In my lab tests, the RTT did not have significant impact on the time
> to success. It gets more difficult when you approach 0ms, of course,
> but how realistic is that for a large AS? In the 20ms range, the
> attack is still totally feasible. And the smaller ASes probably can't
> get TLD servers.
>
> You can make your resolvers authoritative for the root, though. Some
> give explicit permission to transfer the zone from their servers.
>
> --
> Florian Weimer <fweimer at bfk.de>
> BFK edv-consulting GmbH http://www.bfk.de/
> Kriegsstraße 100 tel: +49-721-96201-1
> D-76133 Karlsruhe fax: +49-721-96201-99
>
--
-------[CNCERT/CC]-----------------------------------------------
Zhou, Yonglin 【周勇林】
CNCERT/CC, P.R.China 【国家计算机网络应急技术处理协调中心】
Tel: +86 10 82990355 Fax: +86 10 82990399 Web: www.cert.org.cn
Finger Print: 9AF3 E830 A350 218D BD2C 2B65 6F60 BEFB 3962 1C64
-----------------------------------------------[CNCERT/CC]-------
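The pattern the reply above points at, a flood of responses that are identical except for the "SN ID" (taken here to mean the 16-bit DNS transaction ID), is something a resolver operator can look for in their own response logs regardless of whether a cleaning device is in place. The following is an added detection example written for this page; it is not code from the thread or from any of the posters. The log line format it parses is hypothetical, the sample lines are constructed inline, and the window and threshold are illustrative defaults, not tuned values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log line format assumed by this example (not any real resolver's):
# <ISO timestamp> <source IP> dport=<resolver port> qname=<name> txid=<hex id>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) dport=(?P<dport>\d+) "
    r"qname=(?P<qname>\S+) txid=(?P<txid>0x[0-9a-fA-F]+)$"
)


def parse_line(line):
    """Return a dict for one response log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dport": int(m.group("dport")),
        "qname": m.group("qname").lower(),
        "txid": int(m.group("txid"), 16),
    }


def detect_txid_bursts(lines, window=timedelta(seconds=1), threshold=50):
    """Flag (src, qname, dport) groups whose responses inside any window of
    length `window` carry at least `threshold` distinct transaction IDs.

    Normal resolution yields one response per outstanding query; many
    responses for the same name from the same source that differ only in
    the transaction ID is the guessing pattern discussed in the thread.
    Returns one alert dict per flagged group, reporting the densest window.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["src"], rec["qname"], rec["dport"])].append(rec)

    alerts = []
    for (src, qname, dport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        best, best_start, start = 0, None, 0
        for end in range(len(recs)):
            # Advance the window start so recs[start..end] spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            distinct = len({r["txid"] for r in recs[start:end + 1]})
            if distinct > best:
                best, best_start = distinct, recs[start]["ts"]
        if best >= threshold:
            alerts.append({
                "src": src, "qname": qname, "dport": dport,
                "distinct_txids": best,
                "window_start": best_start.isoformat(),
            })
    return alerts


def build_sample_log():
    """Constructed sample (not real traffic): 200 responses for one name from one
    source within 0.2 s, differing only in txid, plus three ordinary responses."""
    base = datetime(2008, 7, 24, 23, 30, 0)
    lines = []
    for i in range(200):
        ts = base + timedelta(milliseconds=i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 dport=53000 "
                     f"qname=www.example.com txid={0x1000 + i:#06x}")
    for i, name in enumerate(["mail.example.net", "ns1.example.org", "www.example.org"]):
        ts = base + timedelta(seconds=5 + i)
        lines.append(f"{ts.isoformat()} 198.51.100.5 dport={53001 + i} "
                     f"qname={name} txid={0x7700 + i:#06x}")
    return lines


if __name__ == "__main__":
    for alert in detect_txid_bursts(build_sample_log()):
        print(alert)
```

Grouping on the destination port as well as the name matters: a resolver that randomizes its source port forces the responses to spread across many ports, so a burst that all lands on one port is itself a signal, while the same count spread thinly across ports looks different and needs a different (per-name, any-port) grouping to catch.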