[nsp-sec] DNS DDoS uptick
Florian Weimer
fweimer at bfk.de
Tue Apr 7 14:17:34 EDT 2009
* Rodney Joffe:
> This "feels" like a sea change in the environment.
Do you know the motivation behind the two attacks (or have you got a
good guess)?
DNS-based DoS attacks have been going around for some time. For
instance, it's been reported that in November 2008, InternetX was
under a heavy attack. Recently, someone has reported an apparent
attack on another (smaller, methinks) German DNS provider. Maybe the
two attacks you've experienced are just part of this.
And as Chris pointed out, it's hard to tell how much of the damage has
been caused by relative unpreparedness of the targets. (Perhaps a few
lessons can be learnt from those who deal with attacks on virtual
webhosting farms, like how to isolate the target when the attack is at
a target-agnostic network layer?)
There are also some interesting things. For instance, I believe no
one so far has publicly (or privately) described attacks which are
reflected through recursors, forcing cache misses by querying
subdomains. Curiously, implementing BCP 38 and BCP 140 does not stop
this at all. You don't even need to compromise endpoints to generate
the traffic---a popular web page containing a bit of Javascript (or
lots of dynamically generated img tags) is sufficient. With Java
applets, very few, well-connected clients suffice. Or you can reflect
the attack through misconfigured CPEs (as reported here).
From a resolver operator perspective, filtering out the attack traffic
and not responding to it is really painful because it leaves lots and
lots of queries waiting for responses from the upstream name servers,
likely impacting non-attack queries. In theory, this is a good thing
because it's always good to shift the pain closer to the source.
However, with popular DNS software, operators may be quite limited in
what they can do to deal with the attack.
There might be some way to make resolvers more generous to the network
at large (by limiting upstream transactions to individual servers more
aggressively), but this type of attack seems quite difficult to
address. Synthesizing negative responses using DNSSEC might help
here, but more sophisticated attacks will still work against parties
who serve large numbers of zones.
My personal opinion (and you probably won't like it) is that this
issue, even in a much escalated variant, can be dealt with by several
steps:
- a widely replicated root of a limited size (replication must
remain feasible)
- use of per-country or regional TLDs for most services, with
dedicated name service (so that attacks on the TLD name service
can be mitigated locally, and non-local traffic can be filtered
graciously)
- important services must have backup name service on the same
network(s), not just centralized, external DNS service
Some of the services/setups I use regularly aren't too far away from
that.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
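An added example, not part of the original post or of any project mentioned in it: a small detector a resolver operator could run over query logs to spot the reflected cache-miss flood described above (a zone receiving mostly never-seen-before subdomain names from many clients). The log format is an assumption (BIND-style "client IP#port: query: NAME IN TYPE") and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample resolver query log, not real traffic.
SAMPLE_LOG = """\
client 192.0.2.10#5353: query: www.example.net IN A
client 192.0.2.11#5353: query: a1f9c2.target.example IN A
client 192.0.2.12#5353: query: 7b3e0d.target.example IN A
client 192.0.2.13#5353: query: c04d11.target.example IN A
client 192.0.2.14#5353: query: e9a7f5.target.example IN A
client 192.0.2.15#5353: query: 5d2b8a.target.example IN A
client 192.0.2.10#5353: query: www.example.net IN A
client 192.0.2.16#5353: query: mail.example.net IN MX
"""

# Assumed BIND-style query-log line layout.
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")

def parent_zone(name, labels=2):
    """Collapse a query name to its last `labels` labels: the zone whose
    authoritative servers absorb every cache miss for names beneath it."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def cache_miss_suspects(log_text, min_queries=5, min_unique_ratio=0.8):
    """Return {zone: (queries, unique_names, distinct_clients)} for zones where
    nearly every query carries a name not seen before (so the cache cannot
    help) and the queries arrive from many clients (reflection through many
    hosts rather than one chatty client)."""
    stats = defaultdict(lambda: {"q": 0, "names": set(), "clients": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        z = stats[parent_zone(m["name"])]
        z["q"] += 1
        z["names"].add(m["name"].lower())
        z["clients"].add(m["ip"])
    suspects = {}
    for zone, s in stats.items():
        unique_ratio = len(s["names"]) / s["q"]
        if s["q"] >= min_queries and unique_ratio >= min_unique_ratio:
            suspects[zone] = (s["q"], len(s["names"]), len(s["clients"]))
    return suspects

if __name__ == "__main__":
    for zone, (q, u, c) in cache_miss_suspects(SAMPLE_LOG).items():
        print(f"{zone}: {q} queries, {u} unique names, {c} clients")
```

A zone that is flagged is a candidate for the per-upstream transaction limiting the post mentions, while ordinary zones (repeated names, low unique ratio) are left alone.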