Re: Great Suggestion for the DNS problem...?

• From: Joe Greco
• Date: Mon Jul 28 15:31:31 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

> [ unthreaded to encourage discussion ]
> 
> On Sat, Jul 26, 2008 at 04:55:23PM -0500, James Hess wrote:
> > Nameservers could incorporate poison detection...
> >
> > Listen on 200 random fake ports (in addition to the true query ports);
> > if a response ever arrives at a fake port, then it must be an attack,
> > read the "identified" attack packet, log the attack event, mark the
> > RRs mentioned in the packet as "poison being attempted" for 6 hours;
> > for such domains always request and collect _two_ good responses
> > (instead of one), with a 60 second timeout, before caching a lookup.
> >
> > The attacker must now guess nearly 64-bits in a short amount of time,
> > to be successful. Once a good lookup is received, discard the normal
> > TTL and hold the good answer cached and immutable, for 6 hours (_then_
> > start decreasing the TTL normally).
> 
> Is there any reason which I'm too far down the food chain to see why
> that's not a fantastic idea?  Or at least, something inspired by it?

There's a ton of stuff that you can do, I talked a bit about this kind of
solution several days ago, see <[email protected]>. 
The problem is mainly that this is reactive, and primarily applicable to 
this attack because it's a brute-force.  The next attack might be more
elegant.  Designing in this sort of "protection" is good AND bad, because
on one hand, you do mostly solve the problem, and that's good, but you
also encourage people to think of the problem as "fixed" or "my server
is not vulnerable," when the only real way to protect against the *next*
attack is to make sure that the data is valid, so that's DNSSEC.

There are actually more specifically useful things that you can do to
mitigate particular aspects of this attack, except that talking about
them will also point to some risks that I don't believe have been made
public, and I'm going to do my part to keep it that way, at least for a
bit longer.

The short form, though, is that if you sit there and try to manufacture
artificial protection against each new attack as it develops, you will
end up with this Rube Goldberg contraption to protect your nameserver
from various attacks, and who knows what will break it.  View these as
very short-term fixes, rather than a correction of the underlying issue.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

• References:
  • Great Suggestion for the DNS problem...? Jay R. Ashworth

• Prev by Date: Re: Great Suggestion for the DNS problem...?
• Next by Date: Re: Software router state of the art
• Date Index
• Thread Index
• Author Index
• Historical