Instead of closing the open resolvers, can we just force queries from
external networks to use TCP? Say, reply to queries from external
networks with a short truncated UDP response to signal the querier to switch to TCP? This
will help disable reflection amplification while leaving a door open for
legitimate users of
On 31 Mar 2013, at 10:30, Xun Fan wrote:
> So do you think "force TCP for external queries to OR" is a feasible
> solution to DNS reflect amplification problem?
It's a nice idea that's worth trying.
I'm not sure it will make a difference though. The bad guys won't bother to do
TCP for the obvi
On Mar 31, 2013, at 08:32 , Jim Reid wrote:
> On 31 Mar 2013, at 10:30, Xun Fan wrote:
>> So do you think "force TCP for external queries to OR" is a feasible
>> solution to DNS reflect amplification problem?
>
> It's a nice idea that's worth trying.
>
> I'm not sure it will make a difference
> From: Xun Fan
> to discuss here is TCP. Someone says TCP is expensive, but if we could
> afford entirely shutting down external queries, then two more RTTs to get a
> response seems trivial.
client                              server
1. DNS request/UDP -->
2.                          <-- DNS
if they won't close the open resolver, you think they're gonna force tcp
only?
randy
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
On 31 Mar 2013, at 14:36, "Patrick W. Gilmore" wrote:
> CloudFlare, CacheFly, and a few other CDNs who anycast web server addresses
> would probably disagree.
Yeah. We both know we have had those discussions before, Patrick, and (hopefully)
agreed to disagree. :-)
>> Keeping state for bazillio
On Sun, Mar 31, 2013 at 01:32:13PM +0100,
Jim Reid wrote
a message of 23 lines which said:
> Keeping state for bazillions of DNS TCP connections to a resolving
> server will present further challenges.
Only the DNS people think that. The HTTP people are used to many TCP
connections to manage
On Sun, Mar 31, 2013 at 02:30:50AM -0700,
Xun Fan wrote
a message of 90 lines which said:
> Instead of closing the open resolvers, can we just force queries
> from external networks to use TCP?
A very good idea, IMHO.
> Say, reply to queries from external networks with a short truncated
> UDP
> From: Jim Reid
> I'm not sure it will make a difference though. The bad guys won't
> bother to do TCP for the obvious reason and will stick with their
> current, DNS protocol conformant, behaviour.
The bad guys would not be able to stick with anything. The idea
is to change all DNS servers t
On Sun, Mar 31, 2013 at 4:20 PM, Stephane Bortzmeyer wrote:
> > Keeping state for bazillions of DNS TCP connections to a resolving
> > server will present further challenges.
>
> Only the DNS people think that. The HTTP people are used to many TCP
> connections to manage and do not think it is im
On 31 Mar 2013, at 15:30, Vernon Schryver wrote:
>> From: Jim Reid
>
>> I'm not sure it will make a difference though. The bad guys won't
>> bother to do TCP for the obvious reason and will stick with their
>> current, DNS protocol conformant, behaviour.
>
> The bad guys would not be able to s
On Mar 31, 2013, at 7:58 AM, Jim Reid wrote:
> In this case, DDoS attackers would get those truncated responses sent to
> their victims. OK, they lose the amplification factor but they still get to
> flood the victim(s) with unsolicited traffic.
Just to be clear, this is true for any open UDP
On Mar 31, 2013, at 10:22 , Jim Reid wrote:
> On 31 Mar 2013, at 14:36, "Patrick W. Gilmore" wrote:
>> CloudFlare, CacheFly, and a few other CDNs who anycast web server addresses
>> would probably disagree.
>
> Yeah. We both know we have had those discussions before Patrick and
> (hopefully)
On 31 Mar 2013, at 15:20, Stephane Bortzmeyer wrote:
> On Sun, Mar 31, 2013 at 01:32:13PM +0100,
> Jim Reid wrote
> a message of 23 lines which said:
>
>> Keeping state for bazillions of DNS TCP connections to a resolving
>> server will present further challenges.
>
> Only the DNS people thin
> > Only the DNS people think that. The HTTP people are used to many TCP
> > connections to manage and do not think it is impossible.
> So we could abandon DNS/UDP and move exclusively to DNS/TCP?
No one said that it is "impossible" to handle lots of DNS/TCP connections.
It is a simple, unavoida
On 2013-03-31, at 12:09, Vernon Schryver wrote:
>>> Only the DNS people think that. The HTTP people are used to many TCP
>>> connections to manage and do not think it is impossible.
>
>> So we could abandon DNS/UDP and move exclusively to DNS/TCP?
>
> No one said that it is "impossible" to han
On 31 Mar 2013, at 17:09, Vernon Schryver wrote:
> What's the profit for the bad guy in spending 10 bps of botnet
> bandwidth to reflect 9 bps at the target?
Having the reflected traffic appear to come from trusted name servers instead
of his botnet perhaps? Though since the botnet almost certa
On Sun, 31 Mar 2013, Randy Bush wrote:
> if they won't close the open resolver, you think they're gonna force tcp
> only?
The open resolvers for the Fedora Project that are used by
dnssec-trigger do exactly that. They only allow TCP.
Not all open resolvers are run by brainless admins. And I
>> if they won't close the open resolver, you think they're gonna force
>> tcp only?
> Not all open resolvers are run by brainless admins.
between the brainless and those who don't read mailing lists or update
software, i fear enough will remain to keep us foaming at the mouth like
rabid raccoons.
On Sun, Mar 31, 2013 at 5:32 AM, Jim Reid wrote:
> On 31 Mar 2013, at 10:30, Xun Fan wrote:
>
> > So do you think "force TCP for external queries to OR" is a feasible
> > solution to DNS reflect amplification problem?
>
> It's a nice idea that's worth trying.
>
Thanks!
>
> I'm not sure it wil
On Sun, Mar 31, 2013 at 7:18 AM, Stephane Bortzmeyer wrote:
> On Sun, Mar 31, 2013 at 02:30:50AM -0700,
> Xun Fan wrote
> a message of 90 lines which said:
>
> > Instead of closing the open resolvers, can we just force queries
> > from external networks to use TCP?
>
> A very good idea, IMHO.
>
On Sun, Mar 31, 2013 at 12:27:05PM -0400,
Paul Wouters wrote
a message of 18 lines which said:
> Not all open resolvers are run by brainless admins. And I
> believe open resolvers are crucial to the open nature of the
> internet.
There are two categories of open resolvers. The vast majori
On Sun, 31 Mar 2013, Stephane Bortzmeyer wrote:
>> Keeping state for bazillions of DNS TCP connections to a resolving
>> server will present further challenges.
> Only the DNS people think that. The HTTP people are used to many TCP
> connections to manage and do not think it is impossible.
People just
On Sun, 31 Mar 2013, Stephane Bortzmeyer wrote:
>> Say, reply to queries from external networks with a short truncated
>> UDP to signal the querier to switch to TCP?
> Even better, allow only TCP from the beginning. This would completely
> suppress the amplification (that you still have with the truncated
> respo
On Sun, Mar 31, 2013 at 8:35 AM, Jim Reid wrote:
> On 31 Mar 2013, at 15:20, Stephane Bortzmeyer wrote:
>
> > On Sun, Mar 31, 2013 at 01:32:13PM +0100,
> > Jim Reid wrote
> > a message of 23 lines which said:
> >
> >> Keeping state for bazillions of DNS TCP connections to a resolving
> >> serve
> From: Paul Wouters
> Not all open resolvers are run by brainless admins. And I believe
> open resolvers are crucial to the open nature of the internet.
There is a much better case for open SMTP relays, but we all know
how that turned out.
More power to you if you can follow the lead of Go
I want to emphasize here that my proposal is to use TCP only for off-net
users; all users inside the same network as the OR just keep using
UDP.
As I said before, if there are millions of off-net users, then the
administrator of the OR will make the judgement and probably won't close their
OR.
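The policy Xun Fan proposes (on-net clients keep UDP, off-net UDP queries get a minimal TC=1 reply that forces a TCP retry), together with Jim Reid's point earlier in the thread that the truncated reply still lands on whatever spoofed source address the attacker used, as an added example written for this page and not code from anyone in the thread. The on-net prefixes (RFC 5737 / RFC 3849 documentation space), the query sizes and the `fake_resolver` that stands in for a real recursive engine are all constructed for the demonstration; the TC=1 stub deliberately echoes only the header and question and drops the OPT RR, which is an assumption of this example rather than something the thread specifies.

```python
"""Front-end policy for an open resolver: UDP queries from on-net clients
are answered normally; UDP queries from off-net sources get a minimal
TC=1 response so a conforming client retries over TCP. TCP is always served.
Added example for this thread; all prefixes, names and sizes are constructed."""
import ipaddress
import struct

# Assumed "on-net" prefixes for this example (documentation address space).
ON_NET = (ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32"))

QR, TC, RD = 0x8000, 0x0200, 0x0100      # DNS header flag bits
QTYPE_A, QTYPE_ANY, CLASS_IN, TYPE_OPT = 1, 255, 1, 41
HEADER = struct.Struct("!HHHHHH")        # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, name, qtype, edns_bufsize=None):
    """Build a UDP query; an EDNS0 OPT RR advertising a large buffer is what amplifiers send."""
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    additional, arcount = b"", 0
    if edns_bufsize is not None:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0 (11 bytes)
        additional = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
        arcount = 1
    return HEADER.pack(qid, RD, 1, 0, 0, arcount) + question + additional


def parse_question(msg):
    """Return (id, flags, question_section) of a single-question query; reject junk."""
    if len(msg) < HEADER.size:
        raise ValueError("short header")
    qid, flags, qdcount, _an, _ns, _ar = HEADER.unpack_from(msg)
    if flags & QR or qdcount != 1:
        raise ValueError("not a single-question query")
    off = HEADER.size
    while True:
        if off >= len(msg):
            raise ValueError("truncated QNAME")
        label_len = msg[off]
        if label_len == 0:
            off += 1
            break
        if label_len & 0xC0:
            raise ValueError("compression pointer in question")
        off += 1 + label_len
    off += 4                              # QTYPE + QCLASS
    if off > len(msg):
        raise ValueError("truncated question")
    return qid, flags, msg[HEADER.size:off]


def build_tc_response(query):
    """Header plus echoed question only, QR=1 TC=1, no records: never larger than the query."""
    qid, flags, question = parse_question(query)
    return HEADER.pack(qid, QR | TC | (flags & RD), 1, 0, 0, 0) + question


def handle_query(src_ip, transport, query, resolver):
    """TCP is always served; UDP is served on-net only, off-net UDP gets the TC=1 stub."""
    if transport == "tcp":
        return resolver(query)
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in ON_NET):
        return resolver(query)
    return build_tc_response(query)


def amplification(query, response):
    """Bytes sent to the (possibly spoofed) source per byte received from it."""
    return len(response) / len(query)


def fake_resolver(query):
    """Stand-in for the recursive engine: a constructed answer with 64 A records (16 bytes each)."""
    qid, flags, question = parse_question(query)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4) + b"\xc6\x33\x64\x01"
    return HEADER.pack(qid, QR | (flags & RD), 1, 64, 0, 0) + question + rr * 64


if __name__ == "__main__":
    q = build_query(0x1234, "example.com", QTYPE_ANY, edns_bufsize=4096)
    for src, transport in (("192.0.2.10", "udp"), ("203.0.113.7", "udp"), ("203.0.113.7", "tcp")):
        r = handle_query(src, transport, q, fake_resolver)
        tc = bool(struct.unpack_from("!H", r, 2)[0] & TC)
        print(f"{src:12} {transport}: {len(q):3d} B in, {len(r):4d} B out, "
              f"TC={tc}, ratio {amplification(q, r):.2f}")
```

The stub reply is 12 bytes of header plus the echoed question, so it cannot exceed the query; when the query carries an EDNS0 OPT RR (as amplification queries do) the ratio drops below 1. As the thread notes, that packet is still reflected to a spoofed source, just without the amplification factor, and a real deployment also has to budget for the TCP side: connection state and clients that never retry over TCP.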
Xun Fan wrote:
> I want to emphasize here that my proposal is to use TCP only for
> off-net users, for all users inside the same network as OR, they just
> keep using UDP.
i've been following this thread. i have not yet seen a motive for
offering ubiquitous wide area dns services, whether by udp
On Sun, 31 Mar 2013, Jim Reid wrote:
> Remember too that in these DDoS attacks truncated UDP responses would
> still be going to spoofed addresses. So those victims still get hit,
> albeit without the amplification factor of a chubby DNS response.
Yes. But there's no reason for them to abuse the D
Vernon Schryver wrote:
>> [Maybe TCPCT could help.]
>
> I don't see anything in https://tools.ietf.org/html/rfc6013 that reduces
> the costs of TCP for DNS.
there is no direct example showing this in RFC 6013, but it's there. let
me explain.
in TCPCT, the
Fred Morris wrote:
> On Sun, 31 Mar 2013, Jim Reid wrote:
>> Remember too that in these DDoS attacks truncated UDP responses would
>> still be going to spoofed addresses. So those victims still get hit,
>> albeit without the amplification factor of a chubby DNS response.
>
> Yes. But there's no r
I'm sure this must have been discussed at some point, somewhere.
The premise with regard to BCP38 + open resolvers is that the spoofed
packets reside on different networks than the resolvers. If these
resolvers are primarily CPE and other unmaintained equipment, then it
stands to reason that they
> From: Xun Fan
> What we discuss here is for those administrators who are willing to do
> something to their OR. Look at what options they have
> now:
> 1) keep open => DNS amp attackers are happy
> 2) close => no one can query from outside
The idea that those are the only alternatives is as mi
> From: Paul Vixie
> also, in TCPCT there's room for a payload in the SYN.
In theory there was also room for a payload in the TCP SYN before
popular defenses against syn-flooding.
> in practice this means a normal three way handshake for the first
> connection between an endpoint-pair, but the
Fred Morris wrote:
> I'm sure this must have been discussed at some point, somewhere.
yes.
> ...
>
> BCP38 filtering on egress from the network is ineffective in such
> scenarios because it is based on the assumption that the spoofed packets
> are coming in from outside the network (and hence o
For me, the use case is "research". Of course I won't ask for ubiquitous
dns service only for my research.
I just notice there are people who are reluctant to close resolvers and
this will leave more guns for attackers, so I think maybe there are middle
points that some of them could stand, having
In message , Fred Morris writes:
> I'm sure this must have been discussed at some point, somewhere.
>
> The premise with regard to BCP38 + open resolvers is that the spoofed
> packets reside on different networks than the resolvers. If these
> resolvers are primarily CPE and other unmaintained e
* Jim Reid wrote:
> In this case, DDoS attackers would get those truncated responses sent
> to their victims. OK, they lose the amplification factor but they still
> get to flood the victim(s) with unsolicited traffic.
That does already happen in the wild. I was part of such a "TC=1" attack
and g