[88942] in North American Network Operators' Group
Re: DNS deluge for x.p.ctrc.cc
daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Sat Feb 25 03:41:38 2006
Date: Sat, 25 Feb 2006 08:41:01 +0000
From: bmanning@vacation.karoshi.com
To: Rob Thomas <robt@cymru.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.62.0602241629470.21514@qentba.nf23028.arg>
Errors-To: owner-nanog@merit.edu
> ] other cctld servers have seen what are effectively ddos. rob thomas
> ] seems to have the most clue on this, so i hope this troll will entice
> ] him to speak.
>
> Did someone say "troll?" :)
>
> Yes, this is a real problem. These attacks have exceeded several
> gigabits per second in size, and during one attack 122K DNS name
> servers were abused as amplifiers. Ouch!
>
> This abuse can be mitigated. Here are a few tips.
<there has -GOT- to be a better name for this>
> Limit recursion to trusted netblocks and customers. Do not permit
> your name servers to provide recursion for the world. If you do,
> you will contribute to one of these attacks.
<recursion is a fundamental DNS design feature,
restricting it to "walled gardens" cripples its usefulness>
> Watch for queries to your name servers that ask for "ANY" related
> to a DNS RR outside of the zones for which you are authoritative.
> This DNS RR will be LARGE.
<a valid concern, w/ the following caveat: LARGE, relative
to current traffic>
> Limit UDP queries to 512 bytes. This greatly decreases the
> amplification effect, though it doesn't stop it.
<limiting UDP to 512 has other, unwanted effects,
edns0 for one... crippling ENUM, DNSSEC, IPv6, etc...
is this really what is wanted?>
> Scan your IP space for name servers that permit recursive queries.
> It's amazing just how many of these name servers exist.
<yup... again, a feature that has made the DNS as useful as
it has become>
>
> Refer to the following guides for some excellent insight and
> suggestions.
>
> <http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf>
> <http://cc.uoregon.edu/cnews/winter2006/recursive.htm>
> <http://dns.measurement-factory.com/surveys/sum1.html>
>
> Note we have our own Secure BIND Template which will help on the
> BIND side of life.
>
> <http://www.cymru.com/Documents/secure-bind-template.html>
>
> If you need assistance with any of this, have endured one of these
> attacks, or have any other questions, please don't hesitate to ping
> on us at team-cymru@cymru.com. We're here to assist!
>
> Thanks!
> Rob.
> --
> Rob Thomas
> Team Cymru
> http://www.cymru.com/
> ASSERT(coffee != empty);
ok, so i'm being a bit of a curmudgeon here but just how,
if we throttle DNS to the minimum suite for today's services,
can we be expected to add new features/services? grump grump grump...
-- (grumpy) bill
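As a defender-side illustration of Rob's second tip (flag "ANY" queries for names outside the zones you serve, coming from clients you do not recurse for), here is an added example that is not part of this thread or of any Team Cymru material; the log lines are constructed in an approximation of BIND's query-log format, and the authoritative zone and trusted netblock are hypothetical. Per Bill's caveat, the counts it returns are only meaningful relative to your normal traffic baseline.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a BIND-9-style "queries" log format
# (format assumed; adjust LINE_RE for your resolver's actual layout).
SAMPLE_LOG = """\
25-Feb-2006 08:40:01.123 client 192.0.2.10#4321: query: example.net IN ANY +E
25-Feb-2006 08:40:01.456 client 192.0.2.10#4321: query: example.net IN ANY +E
25-Feb-2006 08:40:02.001 client 198.51.100.7#53000: query: www.example.org IN A +
25-Feb-2006 08:40:02.500 client 192.0.2.10#4321: query: example.net IN ANY +E
25-Feb-2006 08:40:03.010 client 10.1.2.3#1053: query: mail.example.org IN MX +
25-Feb-2006 08:40:03.700 client 10.1.2.3#1053: query: isc.org IN ANY +E
"""

# Hypothetical: zones this server is authoritative for, and the
# customer netblocks it is willing to recurse for.
AUTHORITATIVE_ZONES = ("example.org",)
TRUSTED_NETBLOCKS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def in_authoritative_zone(qname: str) -> bool:
    """True if qname is at or below one of our own zones."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def is_trusted(ip: str) -> bool:
    """True if the client is inside a netblock we recurse for."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETBLOCKS)


def suspicious_any_queries(log_text: str) -> dict:
    """Count ANY queries for names outside our zones, per untrusted client.

    Each hit would require recursion on behalf of a stranger and would
    produce a large answer: the amplifier pattern described in the thread.
    Compare the counts against your usual traffic before acting on them.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["qtype"].upper() != "ANY":
            continue
        if in_authoritative_zone(m["qname"]) or is_trusted(m["ip"]):
            continue  # serving our own data, or a customer we recurse for
        hits[m["ip"]] += 1
    return dict(hits)
```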