On Thu, 16 Jul 2015 21:41:37 -0000, Shane Kerr wrote: 
>All,
>
>Replying to both John & Ray's mails at once here. Hopefully that is
>okay.
>
>On Thu, 16 Jul 2015 17:22:38 +0100
>Ray Bellis <r...@bellis.me.uk> wrote:
>
>> On 16/07/2015 17:10, John Dickinson wrote:
>> > 
>> > 
>> > On 14/07/2015 11:31, Shane Kerr wrote:
>> >>
>> >> Second, one possible issue for consideration is that it is already a
>> >> problem for resolver operators that a single query can cause a *lot* of
>> >> work for the resolver. This issue can be magnified with TCP pipelining:
>> >> a bad actor can connect to a resolver and queue a ton of queries in a
>> >> few packets (consider how many queries will fit in 1460 bytes).
>> > 
>> > Do you feel this is worse than flooding a server with UDP? Should we
>> > have rate limiting?
>
>I think it is worse than flooding with UDP. It allows "fire and forget"
>actions from clients:
>
>   # we can comfortably fit 20 queries into a single 1280-byte packet
>   for i = 1 to 20:
>       packet.append(EXPENSIVE_QUERY)
>   conn = socket.connect_tcp("someserver", port=53)
>   conn.write(packet)
>   # the process can quit and the queries still go...
>   exit(0)
>
>If you have (for example) a maximum of 5 queries per client, then as
>soon as one finishes you'll start another one. All from a 7-packet
>exchange on the client side, versus a 40-packet exchange with UDP.
>(See, TCP can be more efficient!!!)
>
>The goal of this could be load on the resolver, load on upstream
>authoritative servers, or something more creative....

I think one has to be careful comparing TCP and UDP attacks here.

Yes, this is a DoS attack.  The question is not can TCP be used to
attack, but is it WORSE than UDP?  Or how is it better and worse?

You say 7 packets vs. 40 packets.  When under DoS, is DNS per-packet
constrained or bitrate-constrained?  With modern routers my
understanding is it's usually bitrate not packet count that is the
limit.  Bitrate is about the same for UDP vs. TCP.

Both UDP and TCP will have to do application-level rate limiting.
The neat thing about TCP is rate limiting is far easier
because your 7 packets are all unambiguously from the same source.
(As opposed to UDP where the attacker will be spoofing the source
address.)

Liang Zhu did some testbed experiments of DNS under UDP and TCP
attacks---we found that DNS/TCP can be quite a bit more robust to DoS
than UDP when one takes basic defenses like the HTTP people do (that is:
rate-limit queries per connection, connections per IP, and use SYN
cookies).  See Figure 4 and section V-B in
http://www.isi.edu/~johnh/PAPERS/Zhu15b.pdf for graphs.
(These do not include your specific attack, but do consider spoofing and
non-spoofing.)

Use of TCP will require hardening DNS servers' TCP compared to today.
But in today's hostile Internet, such hardening seems necessary anyway.

   -John Heidemann

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
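One defensive shape for the two caps John lists (queries per connection, connections per IP), as an added example that is not code from the thread or from the Zhu et al. paper: it parses the two-byte length-prefixed DNS/TCP framing, admits at most five pipelined queries per connection (the figure Shane used) and holds the rest back until answers go out, so a 20-query burst in one segment cannot fan out into 20 concurrent recursions. The limit values, the `ConnectionGuard` name and the constructed sample burst are assumptions, not anything a real server implements this way.

```python
import struct
from collections import defaultdict
def build_query(qid: int, name: str) -> bytes:
    # Minimal A-record query on the wire (constructed sample input, not captured traffic).
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
def frame(msg: bytes) -> bytes:
    return struct.pack("!H", len(msg)) + msg    # RFC 1035 4.2.2 two-byte length prefix
def split_frames(buf: bytes):
    # Split a DNS/TCP byte stream into complete messages; return (messages, partial tail).
    msgs, off = [], 0
    while off + 2 <= len(buf):
        (n,) = struct.unpack("!H", buf[off:off + 2])
        if off + 2 + n > len(buf):
            break                                # incomplete frame: wait for more bytes
        msgs.append(buf[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, buf[off:]

class ConnectionGuard:
    """Per-connection in-flight cap plus per-source-IP connection cap (limits are assumed)."""
    def __init__(self, max_inflight=5, max_conns_per_ip=10):
        self.max_inflight, self.max_conns_per_ip = max_inflight, max_conns_per_ip
        self.conns_per_ip = defaultdict(int)
        self.inflight = {}                       # conn_id -> admitted but not yet answered
    def open(self, conn_id, src_ip) -> bool:
        if self.conns_per_ip[src_ip] >= self.max_conns_per_ip:
            return False                         # refuse: too many connections from this IP
        self.conns_per_ip[src_ip] += 1
        self.inflight[conn_id] = 0
        return True
    def on_data(self, conn_id, buf: bytes):
        # Admit pipelined queries up to the cap; the rest stay framed in the returned
        # leftover (back-pressure: stop reading the socket) until on_answered frees a slot.
        msgs, tail = split_frames(buf)
        admitted = []
        while msgs and self.inflight[conn_id] < self.max_inflight:
            admitted.append(msgs.pop(0))
            self.inflight[conn_id] += 1
        return admitted, b"".join(frame(m) for m in msgs) + tail
    def on_answered(self, conn_id):
        self.inflight[conn_id] -= 1              # one slot freed; caller re-feeds leftover

def simulate_burst(n_queries=20, max_inflight=5):
    # Model the thread's 20-queries-in-one-packet case; returns (admitted, deferred) counts.
    guard = ConnectionGuard(max_inflight=max_inflight)
    guard.open("conn-1", "192.0.2.10")           # RFC 5737 documentation address
    burst = b"".join(frame(build_query(i, "example.com")) for i in range(n_queries))
    admitted, leftover = guard.on_data("conn-1", burst)
    return len(admitted), len(split_frames(leftover)[0])
```

The per-connection cap bounds resolver work to `max_inflight` recursions per connection regardless of how many queries the client pipelines, and because the source is the TCP peer rather than a spoofable UDP address, the per-IP count is trustworthy.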