[nsp-sec] DNS DDoS uptick

Florian Weimer fweimer at bfk.de
Mon Apr 20 09:05:51 EDT 2009


I should say that my little list was intended as something for
emergency purposes only.

* Chris Morrow:

>>  - a widely replicated root of a limited size (replication must
>>    remain feasible)
>
> as in . not sun.com. right? (though pushing out sun.com. to many
> anycasted or 'local' places has its merits as well, I think. and
> associated tradeoffs with management of course.)

The problem with anycast is that the number of sites which can use it
is limited due to routing table size considerations.  And without
DNSSEC, there's a trade-off between availability and data
integrity---any additional DNS provider is a potential party which
might send your packets the wrong way (think what happened to many
.gov sites in 2007/2008, or the myriad of protocol compliance issues
in homegrown DNS implementations, which seem to be particularly common
among third-party DNS providers).  Concentration of DNS service
further down the tree is a really bad thing, IMHO.

>>  - use of per-country or regional TLDs for most services, with
>>    dedicated name service (so that attacks on the TLD name service
>>    can be mitigated locally, and non-local traffic can be filtered
>>    graciously)
>
> This seemed like a great idea 'back in the day' but everyone
> essentially bought .com domains :(

In the U.S., yes.  Some ccTLDs are fairly active (with real users, not
just typosquatters).  In the U.S., you've also got the problem that if
an attack is sourced locally from your client population, you'll have
quite a bit of difficulty fending it off because your infection rate
is not exactly low.

>>  - important services must have backup name service on the same
>>    network(s), not just centralized, external DNS service
>
> can you define this a little better? I think it's important to have
> DNS servers in more than one location (network and geography) but is
> that what you meant here? or 'all of sun.com's nameservers should be
> in sun's network'??

"Some of sun.com's nameservers should be on Sun's network."

Some off-net DNS service is probably a good idea (to help the many
broken resolvers out there).  But I don't understand why some
organizations which value availability rely exclusively on external
DNS service.

> Clearly pointing all of your DNS servers into register.com was a
> 'bad plan' last week :( but if you are the attackee you'd have just
> brought the pain to register.com & 'otherprovider' :(

The idea is that sun.com suffers a significant outage only if Sun
itself is attacked.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
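The "some of sun.com's nameservers should be on Sun's network" point above translates into a check an operator can run against their own zone. The following script is an added example, not code from the thread or from BFK: it takes a zone's NS hostnames with their addresses (here a constructed sample in RFC 5737/3849 documentation ranges under the .test TLD, not real data), together with the organisation's own prefixes, and reports whether the zone has at least one on-net name server, at least one off-net name server for the broken-resolver case Florian mentions, and whether all off-net servers sit in one coarse block, which suggests a single external provider. The thresholds and the /24 and /48 "same provider" heuristic are assumptions of this example, not anything stated in the thread.

```python
"""Check a zone's name-server placement against an on-net/off-net policy.

Added example: the policy thresholds, the sample zone data and the
"same coarse block = probably same provider" heuristic are assumptions
of this script, not statements from the nsp-sec thread.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data: the organisation's own address space.
OWN_PREFIXES = ["192.0.2.0/24", "2001:db8:1::/48"]

# Constructed sample zone: two NS on the organisation's own prefixes,
# two at distinct external providers.
SAMPLE_NS_ADDRS: Dict[str, List[str]] = {
    "ns1.example-corp.test": ["192.0.2.10"],
    "ns2.example-corp.test": ["2001:db8:1::53"],
    "ns1.dns-provider.test": ["198.51.100.5"],
    "ns2.other-provider.test": ["203.0.113.5"],
}

# Constructed sample zone that relies exclusively on one external provider,
# the situation the thread argues against.
ALL_EXTERNAL_NS_ADDRS: Dict[str, List[str]] = {
    "ns1.dns-provider.test": ["198.51.100.5"],
    "ns2.dns-provider.test": ["198.51.100.6"],
}


def classify_nameservers(ns_addrs: Dict[str, List[str]],
                         own_prefixes: List[str]) -> Tuple[List[str], List[str]]:
    """Split NS hostnames into (on_net, off_net) by whether any of their
    addresses fall inside the organisation's own prefixes."""
    nets = [ipaddress.ip_network(p) for p in own_prefixes]
    on_net, off_net = [], []
    for ns, addrs in ns_addrs.items():
        ips = [ipaddress.ip_address(a) for a in addrs]
        # Membership across IP versions is simply False, so mixing v4/v6 is safe.
        if any(ip in net for ip in ips for net in nets):
            on_net.append(ns)
        else:
            off_net.append(ns)
    return sorted(on_net), sorted(off_net)


def _coarse_block(addr: str) -> ipaddress._BaseNetwork:
    """Heuristic (assumed): a /24 for IPv4 or a /48 for IPv6 approximates
    'one provider's allocation'."""
    ip = ipaddress.ip_address(addr)
    plen = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def check_ns_policy(ns_addrs: Dict[str, List[str]],
                    own_prefixes: List[str],
                    min_on_net: int = 1,
                    min_off_net: int = 1) -> Tuple[bool, List[str]]:
    """Return (ok, findings). ok is True only when no finding was raised."""
    on_net, off_net = classify_nameservers(ns_addrs, own_prefixes)
    findings: List[str] = []
    if len(on_net) < min_on_net:
        findings.append(
            f"only {len(on_net)} on-net name server(s), need {min_on_net}: "
            "an outage or attack at the external provider takes the zone down")
    if len(off_net) < min_off_net:
        findings.append(
            f"only {len(off_net)} off-net name server(s), need {min_off_net}: "
            "no reachable NS when the organisation's own network is the target")
    # All off-net servers in a single coarse block: probably a single provider,
    # so 'external' redundancy is redundancy in name only.
    off_blocks = {_coarse_block(a) for ns in off_net for a in ns_addrs[ns]}
    if len(off_net) > 1 and len(off_blocks) == 1:
        findings.append(
            f"all off-net name servers sit in {off_blocks.pop()}: "
            "likely one external provider, not independent service")
    return (len(findings) == 0, findings)


def report(zone: str, ns_addrs: Dict[str, List[str]], own_prefixes: List[str]) -> None:
    """Print a short human-readable verdict for one zone."""
    ok, findings = check_ns_policy(ns_addrs, own_prefixes)
    on_net, off_net = classify_nameservers(ns_addrs, own_prefixes)
    print(f"{zone}: on-net={on_net} off-net={off_net} -> {'OK' if ok else 'FAIL'}")
    for f in findings:
        print(f"  - {f}")


if __name__ == "__main__":
    report("example-corp.test", SAMPLE_NS_ADDRS, OWN_PREFIXES)
    report("all-external.test", ALL_EXTERNAL_NS_ADDRS, OWN_PREFIXES)
```

In practice the `ns_addrs` mapping would be filled from the zone's NS and glue records (for example with a resolver library, which this offline example deliberately avoids), and `OWN_PREFIXES` from the organisation's own allocations; the per-zone thresholds are the policy knobs an operator sets.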