> From: Tony Finch <d...@dotat.at>

> I don't think "diffuse" is the right word - this kind of attack can be
> very intense.

agreed, it's only diffused among qnames and qtypes.

> If you have a large domain signed with NSEC it's trivial for
> an attacker to enumerate the domain, and RRL will not treat this as an
> attack. Or if you are a large scale DNS hosting provider the attacker can
> get a list of domains you host from copies of TLD zones. Having got a list
> of names, the attacker can then reflect lots of traffic via your server
> which will be treated as OK by RRL.

It would be easy to change the RRL patch to have yet another optional
rate limit counting all non-error responses to an IP address block
if they were the same.  It would have some negative aspects:

  1. Under that kind of attack, the TC=1 "slipping" is worse than
     useless, and so it would not trigger the TC=1 responses.

  2. Targets of the reflection attack would get no DNS service at all
     unless they magically know to switch to TCP.

  3. One can argue that this kind of defense belongs in a firewall that
     understands nothing about DNS except rate limiting based on source
     IP address and destination port 53.

  4. It would double the memory spent on counting responses.  The amount
     of memory required to count responses on very busy (10K or 100K qps)
     DNS servers has always been a concern.  It is why the RRL patch saves
     a 4-byte hash of the qname instead of using a 256 byte block (or
     worse, dynamically allocating space for each qname).  However, it's
     only a factor of 2.

I use the argument of #3 to respond to observations about the high
costs of DNS/TCP and objections to TC=1 slipping.  At sufficiently high
rates, a DNS/TCP DoS attack looks like TCP SYN flooding.  TCP SYN
flooding is commonly handled without bothering the application and
without allocating or timing-out a TCB in either the kernel or a
firewall.

Vernon Schryver    v...@rhyolite.com
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
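The following is an added illustration, not code from the RRL patch or from anyone on this thread. It is a toy response rate limiter in Python that counts responses per (client /24 block, 4-byte qname hash, qtype) the way the post describes, with an optional second counter over all responses to a client block (the "yet another optional rate limit" Vernon sketches) and TC=1 slipping for every other dropped response. The limits, the /24 block size, the CRC32 hash, the victim address 192.0.2.10 and the enumerated host names are all constructed assumptions; they show why a flood spread across many names passes the per-name counter, what the aggregate counter does about it, and the cost noted in point 2 (the spoofed victim loses UDP service too).

```python
import ipaddress
import zlib
from collections import Counter
from typing import Optional

# Constructed: the spoofed source address of a reflected flood (the victim).
VICTIM = "192.0.2.10"


def client_block(ip: str, prefixlen: int = 24) -> str:
    """Collapse a client address to its /24 block; RRL counts per block, not per host."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def qname_hash(qname: str) -> int:
    """4-byte hash of the owner name instead of storing the name itself (saves memory,
    at the price that colliding names share one counter). CRC32 is an assumption here."""
    return zlib.crc32(qname.lower().rstrip(".").encode("ascii")) & 0xFFFFFFFF


class ResponseRateLimiter:
    """Toy RRL. per_name limits identical responses per (block, qname hash, qtype);
    all_per_block, when set, additionally limits every response to a block.
    Counters are bucketed by whole second; no ageing is implemented."""

    def __init__(self, per_name: int = 5, all_per_block: Optional[int] = None, slip: int = 2):
        self.per_name = per_name
        self.all_per_block = all_per_block
        self.slip = slip
        self.name_counts: Counter = Counter()
        self.all_counts: Counter = Counter()
        self.slip_counts: Counter = Counter()

    def decide(self, client_ip: str, qname: str, qtype: str, second: int) -> str:
        """Return SEND, TC (truncated reply, client should retry over TCP) or DROP."""
        block = client_block(client_ip)
        key = (block, qname_hash(qname), qtype, second)
        self.name_counts[key] += 1
        over = self.name_counts[key] > self.per_name
        if self.all_per_block is not None:
            self.all_counts[(block, second)] += 1
            over = over or self.all_counts[(block, second)] > self.all_per_block
        if not over:
            return "SEND"
        self.slip_counts[block] += 1
        if self.slip and self.slip_counts[block] % self.slip == 0:
            return "TC"  # every slip-th suppressed response goes out as TC=1 instead
        return "DROP"


def simulate_single_name_flood() -> Counter:
    """60 queries in one second for the same name: the per-name counter catches it."""
    rrl = ResponseRateLimiter()
    return Counter(rrl.decide(VICTIM, "www.example.com.", "A", 0) for _ in range(60))


def simulate_spread_flood(all_per_block: Optional[int] = None) -> Counter:
    """60 queries in one second spread over 60 enumerated names (constructed):
    each name stays under per_name, so only the aggregate counter notices."""
    rrl = ResponseRateLimiter(all_per_block=all_per_block)
    names = [f"host{i}.example.com." for i in range(60)]
    return Counter(rrl.decide(VICTIM, name, "A", 0) for name in names)


if __name__ == "__main__":
    print("one name        :", dict(simulate_single_name_flood()))
    print("spread, no agg  :", dict(simulate_spread_flood()))
    print("spread, agg=20  :", dict(simulate_spread_flood(all_per_block=20)))
```

With only the per-name counter, the spread flood is answered in full (60 SEND); with the aggregate counter at 20 per second, 20 go out and the remaining 40 alternate between TC=1 and silence. The same decision also applies to any real query from 192.0.2.0/24 in that second, which is exactly the trade-off in points 1 and 2 above: a client behind the victim's block only recovers if it retries over TCP on the TC=1 replies. The aggregate table is keyed by (block, second) alone, so its memory is at most that of the per-name table, matching the "factor of 2" in point 4.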