North American Network Operators Group
Re: DNS Amplification Attacks
Sean Donelan wrote:
> This goes beyond an individual protocol such as DNS. You can generate blowback with many different protocols. Technology can take you only so far, you also have to address the human element too.
> 1. Bad guys
> 2. Compromised computers (a few are really "owned" by the bad guys too)
> 3. Spoofable source addresses (the bad guys "own" their own ISPs too)
> 4. Open reflectors without rate limits

Each of these is a sound suggestion, some are in debate. The main point is though that although spoofing is to blame for this latest attack *vector* and indeed is a hazard on the Internet with many other possible vectors, it is *not* to blame for this attack. _Not_alone_.
Recursion the way it is set now with most DNS implementations, is the problem being exploited by spoofing. It is true spoofing is bad for our health, but that does not mean we should ignore what actually gets exploited, which is recursive name servers open to the world.
Fixing the one does not mean we shouldn't fix the other. Going after recursive servers is whack-a-mole all over again; going after how it all works and is set may take a roll-back effect of a few years, but is worth it as a scalable solution.
One possible such solution is turning the default recursion "on" to "off".
As these things take time, starting is a good first step. :)
Attacks such as this one have been happening for a long time now; none of us should be surprised. Two new things in the *recent* attacks are:
1. Wide exploitation in the wild, which draws attention. After all, until recently most active NANOGers saw no reason to even work on fixing spoofing.
2. Abusing EDNS for a larger amplification factor. Yes, smaller amplification factors work too and their rates can be increased, but if you can send a whole lot more for less, it's obviously more dangerous. How many pings would you rather get back from a broadcast address in a Smurf attack, 30 or 200?
The reason we released the text at this time (before we were ready, we were planning on making it academic-worthy) is that because of the lack of actual data out there and increasing FUD, we were encouraged to do so for the community.
That is why in the paper we cover events that happened to ISPs rather than just theoretical case studies.
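The two points the post makes about reflectors (a recursive server answering the whole world rather than only the networks it serves, and EDNS responses inflating the bytes returned per query) can both be checked from the resolver's own traffic. The script below is an added example written for this archive page, not code from the post, its author, or the paper it mentions. It assumes a constructed key=value log format with one line per DNS packet (direction, source, destination, UDP payload bytes, EDNS0 present or not), a hypothetical resolver address of 198.51.100.53, and that the resolver is meant to serve recursion only to 192.0.2.0/24; all sample lines and addresses are made up. It reports, per peer, how many bytes went out versus how many came in, how much of the outbound volume was EDNS-sized, and whether the peer lies outside the served prefixes, which is the combination an operator would want a rate limit or an access list to catch.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not from the post) in a hypothetical key=value format:
# one line per DNS packet seen at the resolver's edge, with the UDP payload size
# and whether the message carried an EDNS0 OPT record.
SAMPLE_LOG = """\
2006-03-15T10:01:02 dir=query src=192.0.2.10 dst=198.51.100.53 bytes=64 edns=0
2006-03-15T10:01:02 dir=response src=198.51.100.53 dst=192.0.2.10 bytes=120 edns=0
2006-03-15T10:01:03 dir=query src=203.0.113.7 dst=198.51.100.53 bytes=64 edns=1
2006-03-15T10:01:03 dir=response src=198.51.100.53 dst=203.0.113.7 bytes=3900 edns=1
2006-03-15T10:01:03 dir=query src=203.0.113.7 dst=198.51.100.53 bytes=64 edns=1
2006-03-15T10:01:03 dir=response src=198.51.100.53 dst=203.0.113.7 bytes=3900 edns=1
2006-03-15T10:01:04 dir=query src=203.0.113.7 dst=198.51.100.53 bytes=60 edns=0
2006-03-15T10:01:04 dir=response src=198.51.100.53 dst=203.0.113.7 bytes=480 edns=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dir=(?P<dir>query|response) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"bytes=(?P<bytes>\d+) edns=(?P<edns>[01])$"
)


def parse_line(line):
    """Parse one constructed log line into a dict; raise on anything unexpected."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["edns"] = rec["edns"] == "1"
    return rec


def amplification_report(log_text, resolver_ip, served_prefixes):
    """Per peer: bytes sent to the resolver, bytes received from it, the ratio,
    the EDNS share of the received bytes, and whether the peer is a network the
    resolver is meant to serve recursion to (hypothetical allow list)."""
    resolver = ipaddress.ip_address(resolver_ip)
    nets = [ipaddress.ip_network(p) for p in served_prefixes]
    totals = defaultdict(lambda: {"query_bytes": 0, "response_bytes": 0,
                                  "edns_response_bytes": 0, "queries": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dir"] == "query":
            if ipaddress.ip_address(rec["dst"]) != resolver:
                continue  # not aimed at our resolver
            peer = rec["src"]
            totals[peer]["query_bytes"] += rec["bytes"]
            totals[peer]["queries"] += 1
        else:
            if ipaddress.ip_address(rec["src"]) != resolver:
                continue  # not sent by our resolver
            peer = rec["dst"]
            totals[peer]["response_bytes"] += rec["bytes"]
            if rec["edns"]:
                totals[peer]["edns_response_bytes"] += rec["bytes"]
    report = {}
    for peer, t in totals.items():
        addr = ipaddress.ip_address(peer)
        # A peer that only ever receives responses (no queries seen) gets an
        # infinite factor; that is itself worth a look.
        factor = t["response_bytes"] / t["query_bytes"] if t["query_bytes"] else float("inf")
        report[peer] = {**t, "factor": factor,
                        "inside_served": any(addr in n for n in nets)}
    return report


def suspicious_peers(report, min_factor=10.0):
    """Peers outside the served prefixes that received at least min_factor bytes
    back per byte sent: the open-reflector pattern the post describes."""
    return sorted(p for p, r in report.items()
                  if not r["inside_served"] and r["factor"] >= min_factor)


if __name__ == "__main__":
    rep = amplification_report(SAMPLE_LOG, "198.51.100.53", ["192.0.2.0/24"])
    for peer, r in sorted(rep.items()):
        print(f"{peer:15} factor={r['factor']:6.1f} inside_served={r['inside_served']} "
              f"edns_bytes_out={r['edns_response_bytes']}")
    print("suspicious:", suspicious_peers(rep))
```

On the constructed sample, the in-prefix client gets under two bytes back per byte sent, while the outside address gets roughly 44 bytes back per byte sent, nearly all of it in EDNS-sized responses; the same run with EDNS disabled on the server would cap each answer at 512 bytes and drop that ratio to single digits, which is the "30 or 200" difference the post is pointing at. In production the served-prefix list would come from the same source as the resolver's allow-recursion configuration, so that the check and the policy cannot drift apart.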