[111068] in North American Network Operators' Group


Re: Tightened DNS security question re: DNS amplification attacks.

daemon@ATHENA.MIT.EDU (David Andersen)
Tue Jan 27 22:47:05 2009

From: David Andersen <dga@cs.cmu.edu>
To: Paul Vixie <vixie@isc.org>
In-Reply-To: <g31vuot8t1.fsf@nsa.vix.com>
Date: Tue, 27 Jan 2009 22:46:35 -0500
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org



On Jan 27, 2009, at 10:21 PM, Paul Vixie wrote:

> (looking for ". IN NS" as the q-tuple pattern is not a solution, since the
> bad guys can pretty trivially change the question they ask into one you're
> willing to answer.)

Actually, ". IN NS" is a particularly useful thing for them to do,
because it's an almost globally guaranteed response that will get a
large response and be in cache.  One can get similar effects with
"<tld>. IN NS", of course, but the set of things that work well for
such an attack are relatively limited.

One thing that's fairly straightforward with the current attack is to block

00600 deny udp from 66.230.160.1 to me 53 iplen 45
(foreach victim host)

(If you tcpdump the traffic, because of the . IN NS, the packets are
all the same length - 45 IP bytes.)  Very easy to filter at the
current time with almost no collateral damage.

I realize this is just a cat-and-mouse game, but forcing the attacker
to use larger query packets that have smaller cached replies isn't a
bad thing.

". NS" -> 45 byte query, 245 byte response
"COM. NS" -> 48 byte query, 245 byte response
"NET. NS" -> 242 byte response,
"ORG. NS" -> 159 byte response,

This masking is mostly effective for people whose nameservers are set
to deny recursive but are still serving from cache.  YMMV.

   -Dave
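The "iplen 45" filter above works because a plain DNS query for the root name has a fixed size on the wire: 20 bytes of IPv4 header, 8 of UDP, the 12-byte DNS header, a 1-byte root name, and 2 bytes each of qtype and qclass. The following is an added example, not code from the post or from anyone on the thread; it builds the wire format for an arbitrary name so an operator can compute the length for a given q-tuple instead of copying a figure (the same arithmetic gives 49 bytes for "COM. NS", one more than quoted above, since the "com" label costs a length byte plus three characters), parses the question section back out of a captured payload, and applies the 45-byte ". IN NS" match the post describes. The ipfw rule text it emits mirrors the rule in the post; the rule number and victim address in the usage call are constructed placeholders. It assumes no IP options and no EDNS OPT record, which is what makes the length constant.

```python
import struct

IP_HEADER_LEN = 20      # IPv4 header without options
UDP_HEADER_LEN = 8
DNS_HEADER_LEN = 12
QTYPE_NS = 2
QCLASS_IN = 1


def encode_qname(name):
    """Encode a domain name as DNS wire-format labels ending in the root byte."""
    name = name.rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_NS, qclass=QCLASS_IN, txid=0x1234):
    """Minimal DNS query: header with RD set and one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, qclass)


def ip_length_of_query(name, qtype=QTYPE_NS):
    """Total IPv4 length of a UDP query for `name` (no IP options, no EDNS)."""
    return IP_HEADER_LEN + UDP_HEADER_LEN + len(build_query(name, qtype))


def parse_question(dns_msg):
    """Return (qname, qtype, qclass) of the first question, or None if malformed."""
    if len(dns_msg) < DNS_HEADER_LEN:
        return None
    qdcount = struct.unpack("!H", dns_msg[4:6])[0]
    if qdcount < 1:
        return None
    pos = DNS_HEADER_LEN
    labels = []
    while True:
        if pos >= len(dns_msg):
            return None
        ln = dns_msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:          # compression pointers are not valid in a query name
            return None
        labels.append(dns_msg[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(dns_msg):
        return None
    qtype, qclass = struct.unpack("!HH", dns_msg[pos:pos + 4])
    return (".".join(labels) + ".", qtype, qclass)


def is_root_ns_probe(ip_total_len, udp_dst_port, dns_payload):
    """The pattern the post filters on: a 45-byte IP packet to port 53 asking '. IN NS'."""
    if udp_dst_port != 53 or ip_total_len != ip_length_of_query("."):
        return False
    return parse_question(dns_payload) == (".", QTYPE_NS, QCLASS_IN)


def ipfw_rule(rule_no, victim_ip, name="."):
    """Render a per-victim deny rule in the form used in the post, with the computed length."""
    return "%05d deny udp from %s to me 53 iplen %d" % (
        rule_no, victim_ip, ip_length_of_query(name))


if __name__ == "__main__":
    # Constructed sample: a root NS query as it would arrive from a spoofed victim address.
    sample = build_query(".")
    print("root NS query:", len(sample), "DNS bytes,", ip_length_of_query("."), "IP bytes")
    print("matches filter:", is_root_ns_probe(45, 53, sample))
    print(ipfw_rule(600, "192.0.2.10"))          # placeholder victim address
    print("COM. NS IP length:", ip_length_of_query("com."))
```

Because every query field is fixed except the name, the length check is cheap and exact for the root case, but a larger name (or an EDNS OPT record) changes the length, which is why the post treats this as a cat-and-mouse measure rather than a lasting fix.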



