North American Network Operators Group


Re: DNS Amplification Attacks

  • From: Gadi Evron
  • Date: Mon Mar 20 16:02:16 2006

Sean Donelan wrote:
> This goes beyond an individual protocol such as DNS.  You can generate
> blowback with many different protocols.  Technology can take you only
> so far, you also have to address the human element too.
>
> 1. Bad guys
> 2. Compromised computers (a few are really "owned" by the bad guys too)
> 3. Spoofable source addresses (the bad guys "own" their own ISPs too)
> 4. Open reflectors without rate limits

Each of these is a sound suggestion, some are in debate. The main point is though that although spoofing is to blame for this latest attack *vector* and indeed is a hazard on the Internet with many other possible vectors, it is *not* to blame for this attack. _Not_alone_.

Recursion the way it is set now with most DNS implementations, is the problem being exploited by spoofing. It is true spoofing is bad for our health, but that does not mean we should ignore what actually gets exploited, which is recursive name servers open to the world.

Fixing the one does not mean we shouldn't fix the other. Going after recursive servers is whack-a-mole all over again; going after how it all works and is set may take a roll-back effect of a few years, but is worth it as a scalable solution.
One possible such solution is turning the default recursion "on" to "off".

As these things take time, starting is a good first step. :)

Attacks such as this one have been happening for a long time now; none of us should be surprised. Two new things in the *recent* attacks are:

1. Wide exploitation in the wild, which draws attention.

After all, until recently most active NANOGers saw no reason to
even work on fixing spoofing.

2. Abusing EDNS for a larger amplification factor.

Yes, smaller amplification factors work too and their rates can
be increased, but if you can send a whole lot more for less,
it's obviously more dangerous.

How many pings would you rather get back from a broadcast
address in a Smurf attack: 30 or 200?

The reason we released the text at this time (before we were ready, we were planning on making it academic-worthy) is that because of the lack of actual data out there and increasing FUD, we were encouraged to do so for the community.

That is why in the paper we cover events that happened to ISPs rather than just theoretical case studies.

Gadi.
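As an added illustration of the "default recursion on to off" point above (an example written for this page, not a configuration posted by Gadi Evron, Sean Donelan or anyone else in the thread): BIND 9 named.conf fragments showing the open setting beside two restricted alternatives. The prefix 192.0.2.0/24 is an assumed placeholder for the operator's own client networks.

```conf
// Added example, not from the original thread. BIND 9 named.conf fragments.
// A named.conf allows only ONE options block: the three below are
// alternatives, not meant to be combined in a single file.
// 192.0.2.0/24 is an assumed placeholder for the operator's own client nets.

// WEAK: recursion on for any source address. UDP sources can be spoofed,
// so any host on the Internet can have this server answer (and amplify)
// toward a victim of the attacker's choosing.
options {
    recursion yes;              // the default the thread argues against
    allow-recursion { any; };
};

// CORRECTED, authoritative-only server: recursion off entirely. The server
// still answers for the zones it hosts, but never acts as an open resolver.
options {
    recursion no;
};

// CORRECTED, resolver for your own users: recursion stays on, but only for
// addresses you actually serve. Everyone else gets REFUSED for recursive
// queries and cannot read the cache either.
acl "our-clients" { 127.0.0.1; 192.0.2.0/24; };
options {
    recursion yes;
    allow-recursion { our-clients; };
    allow-query-cache { our-clients; };
};
```

Run `named-checkconf` on the edited file before reloading, and verify from an address outside the ACL that a recursive query now returns REFUSED.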