On Sat, 18 Jul 2015 10:27:41 -0700, Paul Vixie wrote: > > > >John Heidemann wrote: >> ... >> I think one has to be careful comparing TCP and UDP attacks here. >> >> Yes, this is a DoS attack. The question is not can TCP be used to >> attack, but is it WORSE than UDP? Or how is it better and worse? > >in this solution space, possible outcomes are "better", "worse", "no >change", "not better", and "not worse". i think shane is arguing for >"never better and sometimes worse" here.
Correct. And I'm suggesting that (1) there's a misstep in that argument. He equates full-size TCP packets with short UDP packets to reach his "sometimes worse" claim. And I'm also suggesting (2) TCP allows a path to MUCH better against DoS. >> You say 7 packets vs. 40 packets. When under DoS, is DNS per-packet >> constrained or bitrate-constrained? With modern routers my >> understanding is it's usually bitrate not packet count that is the >> limit. Bitrate is about the same for UDP vs. TCP. >> >> >> ... > >if it were in our power (or especially in amazon's or google's or >akamai's power) to cause the internet to be made up of mostly modern >routers, then it would be so. alas, it is not in our power, and the >internet will always have a long tail of routers we wish didn't exist >any more. thus the aphorism, "the least reliable and most expensive part >of the internet is OPM -- other people's networks." > >for dns, we must design for the internet we will always have, not the >internet we will always want. and on the internet we have, packets per >second are a common bottleneck, such that an attacker knows they can >reliably deny service with a small number of small packets, which do not >saturate any link, but which do saturate the kinds of routers and >firewalls people actually do still buy and use today. I agree, we need to prevent "an attacker knows they can reliably deny service with a small number of small packets, which do not saturate any link". But that is not *Shane's scenario*. Shane's scenario was 7 FULL-LENGTH TCP packets vs. 40 SHORT UDP packets. That is what I meant by "bitrate is about the same for UDP vs. TCP". Shane's attack is not a shrew-style attack on TCP---he IS saturating the link, just with aa few big packets instead of many short packets. The first point you were making is we cannot change the routers: >if it were in our power (or especially in amazon's or google's or >akamai's power) to cause the internet to be made up of mostly modern >routers, then it would be so. alas, it is not in our power, and the >... >or dns, we must design for the internet we will always have, not the >internet we will always want. and on the internet we have, packets per >second are a common bottleneck, >... Agreed, we cannot upgrade other people's routers. But, I'm sorry, if you're running DNS on an old router, you're trivially DoS-able today. Millions of insecure computers to tens of Mb/s uplinks. It only takes a couple to saturate a link, either in packets or bits. My second point was (2) TCP allows a path to MUCH better. Your reply elided that part of my post, which was: >> Liang Zhu did some testbed experiments of DNS under UDP and TCP >> attacks---we found that DNS/TCP can be quite a bit more robust to DoS >> than UDP when one takes basic defenses like the HTTP people do (that is: >> rate-limit queries per connection, connections per IP, and use SYN >> cookies). See Figure 4 and section V-B in >> http://www.isi.edu/~johnh/PAPERS/Zhu15b.pdf for graphs. >> (These do not include your specific attack, but do consider spoofing and >> non-spoofing.) Let me state the advantage more explicitly: With UDP and spoofed source addresses, each attacker gets to hit you with their full line rate, AND you have to service all the queries. This exhausts your incoming bitrate, packet rate, or CPU speed depending on how you're configured. With TCP, you get a whole bunch of defenses: - Spoofing is prevented with SYN cookies, so a spoofing attacker never gets to hit you with Shane's full length packets in the first place. The spoofed IPs are stopped at the SYN with NO state on the defender's server. SYNs are much faster to handle than full DNS queries. In our scenario, 1 or 2 UDP attackers could flood our small server at about 300k queries/s. But we could easily handle 250k SYNs/s with SYN cookies. (The kernel turns them around without any application involvement.) - No spoofing forces the attacker to reveal each zombie's identity. Now that attackers have to show their identity (no spoofed source addresses!), you can do MUCH EASIER rate limiting. Start by limiting concurrent connections per source IP. The attacker now must deploy 6000 zombies where 2 or 6 would do before. To prevent Shane's attack, one also has to rate limit queries per connection. We didn't consider this specific attack, but I think the defense follows. The numbers and graphs I quote above are in Figure 4 and section V-B in <http://www.isi.edu/~johnh/PAPERS/Zhu15b.pdf> if you want details about our setup. This data supports the the claim that TCP can be "better". I still don't see a complete "sometimes worse" argument. -John Heidemann _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
