North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

DNS DDoS [was: down sev0?]

  • From: Patrick W. Gilmore
  • Date: Thu Oct 26 11:23:29 2006

On Oct 26, 2006, at 1:31 AM, [email protected] wrote:

It is essentially impossible to distinguish end-user requests from
(im)properly created DoS packets (especially until BCP38 is widely
adopted - i.e. probably never). Since there is no single place - no 13
places - which can withstand a well crafted DoS, you are guaranteed that
some users will not be able to reach any of your listed authorities.
Yeah - I know it hard-to-impossible to do that, and it is a tug-of-war
between worm writers (to generate queries indistinguishable from real
client-resolver-generated queries) and trying-to-detect-malformed- queries
(such as duplicated qid, or from IP space that shouldn't be hitting this
specific node). You probably dealt with more ddos than rest of us
combined, so I bow to your superior knowledge.
First, thanx for the nod, but there are some here who have dealt with more than I have. But I think I've seen enough to know something about it.

You can try things like "filter IP addresses which should not be going to node X", but what happens if the DDoS changes the network topology enough that you can't be certain users are going where you did not? If the DDoS is large, this is pretty much guaranteed.

Worse, suppose the topology changes for reasons unrelated to a DDoS. You could end up DoS'ing end users without an attack! (You could theoretically only put the filters in place when an attack is happening, but that has other problems - which may or may not be worse.)

Filtering on things like duplicated query IDs is not possible on router hardware doing 10s of Gbps or millions of PPS. And doing it on the server is not useful if there are more bits / pps than the router can process. Remember, servers can't answer packets that are dropped before they get to the servers.

Etc., etc., etc.

Overall, we are losing the war. What good providers, like the roots, Ultra, etc., do is to minimize the effect of any attack. If a "miscreant" fires the "DDoS of biblical proportions" and only 5% of users are affected, I consider that a success. Unfortunately, those 5% don't think so, but one can only do what one can do. Besides, if it truly is an attack of biblical proportion, those 5% are probably having much larger problems than name resolution.

Couple other comments:

From all indications I've seen (and most are not authoritative, but it's all the info I have), this was not a DDoS of "biblical proportions". There were no whole networks to go offline, there were no massive swaths of address space flapping, there were no entire peering points being congested, etc. A few Gbps does not count as "biblical" any more.

Whether this attack used spoof-source or not, BCP38 is _VITAL_, IMHO, to helping curb these things. It guarantees, at the very least, that you know where the attack is sourced. Filtering become much easier. Reaching the right operators to help with the problem becomes orders of magnitude easier. And if the miscreants just start using BotNets with real IP address, GOOD. It's not the End All Be All answer, but it is a _huge_ step in the right direction.

Unfortunately, as Jared has pointed out, the equipment vendors have to help the operators support this. So let's all call your favorite router vendor and ask them when they will have the "ip bcp38" config option. :)