North American Network Operators Group


Re: DNS deluge for x.p.ctrc.cc

  • From: Joe Abley
  • Date: Sun Feb 26 12:04:27 2006

On 25-Feb-2006, at 03:41, [email protected] wrote:

> Limit UDP queries to 512 bytes.  This greatly decreases the
> amplification effect, though it doesn't stop it.
> 	<limiting UDP to 512 has other, unwanted effects,
> 	 edns0 for one... crippling ENUM, DNSSEC, IPv6, etc...
> 	 is this really what is wanted?>
Expanding on this slightly, since I think this merits more discussion -- if there was widespread filtering of 53/udp packets to 512 bytes, I can see two consequences:

1. A temporary decrease in attack traffic: the malware authors will adapt, and the floods will continue except with smaller packets. For attacks launched from drones, the amplification arguably isn't as important to the attacker as it might be for attacks which have single sources.

2. In future, increased use of things like DNSSEC, dynamic updates and IPv6 (with attendant AAAA records) is going to make legitimate, EDNS0, large 53/udp packets more common, and crippling the transport for EDNS0 is going to cause migraines for helpdesks across the world.

As a temporary mitigation tool today, when the volume of legitimate, large-packet EDNS0 traffic is near-zero, blocking big 53/udp packets might *sound* reasonable. However, we all know how permanent temporary filters can be. Crippling EDNS0 transport in the future seems like a very high price to pay for what might be a very temporary, short-term reduction in attack traffic.


Joe
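To make the trade-off in the post above concrete, here is an added example (not part of the thread or any poster's code) that builds constructed DNS messages in RFC 1035/RFC 2671 wire format, reads the UDP payload size advertised in the EDNS0 OPT pseudo-RR, and checks which of them a filter dropping 53/udp payloads above 512 bytes would discard. The names, record counts and record contents are made up for illustration.

```python
import struct

OPT_TYPE = 41             # EDNS0 OPT pseudo-RR type (RFC 2671)
CLASSIC_UDP_LIMIT = 512   # pre-EDNS0 UDP payload ceiling from RFC 1035

def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    """Advance past a wire-format name, handling a compression pointer (0xC0xx)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # pointer is 2 bytes and terminates the name
            return off + 2
        off += 1 + length

def edns_udp_size(msg):
    """Return the UDP payload size advertised in the OPT RR, or None if there is no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass                       # in OPT the CLASS field carries the UDP payload size
        off += 10 + rdlen
    return None

def build_message(name, qtype, answers, edns_size=None):
    """Constructed DNS message: one question, `answers` as (type, rdata) pairs, optional OPT RR."""
    flags = 0x8180 if answers else 0x0100       # response with RA set, or a plain recursive query
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 1 if edns_size else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:                # owner name is a pointer back to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    if edns_size:                               # OPT RR: root owner, CLASS = payload size, TTL = 0, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, 0, 0)
    return msg

def survives_512_filter(msg):
    """True if a 53/udp packet carrying this message passes a filter dropping payloads over 512 bytes."""
    return len(msg) <= CLASSIC_UDP_LIMIT

# Constructed samples: a plain A query, an EDNS0 AAAA query advertising 4096 bytes, and a
# response with twelve AAAA records plus a 300-byte placeholder RRSIG, as a DNSSEC/IPv6 answer might carry.
PLAIN_QUERY = build_message("example.com", 1, [])
EDNS_QUERY = build_message("example.com", 28, [], edns_size=4096)
BIG_RESPONSE = build_message("example.com", 28, [(28, bytes(16))] * 12 + [(46, bytes(300))], edns_size=4096)
```

Running `survives_512_filter` over a capture of real responses, and grouping by `edns_udp_size`, gives an operator a measure of how much legitimate EDNS0 traffic such a filter would silently drop.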