[88961] in North American Network Operators' Group
Re: DNS deluge for x.p.ctrc.cc
daemon@ATHENA.MIT.EDU (Joe Abley)
Sun Feb 26 12:03:06 2006
In-Reply-To: <20060225084101.GD12328@vacation.karoshi.com.>
Cc: Rob Thomas <robt@cymru.com>, NANOG <nanog@merit.edu>
From: Joe Abley <jabley@isc.org>
Date: Sun, 26 Feb 2006 12:02:38 -0500
To: bmanning@vacation.karoshi.com
Errors-To: owner-nanog@merit.edu
On 25-Feb-2006, at 03:41, bmanning@vacation.karoshi.com wrote:
>> Limit UDP queries to 512 bytes. This greatly decreases the
>> amplification affect, though it doesn't stop it.
>
> <limiting UDP to 512 has other, unwanted effects,
> edns0 for one... crippling ENUM, DNSSEC, IPv6, etc...
> is this really what is wanted?>
Expanding on this slightly, since I think this merits more discussion
-- if there was widespread filtering of 53/udp packets to 512 bytes,
I can see two consequences:
1. A temporary decrease in attack traffic: the malware authors will
adapt, and the floods will continue except with smaller packets. For
attacks launched from drones, the amplification arguably isn't as
important to the attacker as it might be for attacks which have
single sources.
2. In future, increased use of things like DNSSEC, dynamic updates
and IPv6 (with attendant AAAA records) are going to make legitimate,
EDNS0, large 53/udp packets more common, and crippling the transport
for EDNS0 is going to cause migraines for helpdesks across the world.
As a temporary mitigation tool today, when the volume of legitimate,
large-packet EDNS0 traffic is near-zero, blocking big 53/udp packets
might *sound* reasonable. However, we all know how permanent
temporary filters can be. Crippling EDNS0 transport in the future
seems like a very high price to pay for what might be a very
temporary, short-term reduction in attack traffic.
Joe
