On Mar 8, 2007, at 10:30 AM, Dean Anderson wrote:
> 3.1) draft-ietf-dnsop-reflectors-are-evil-03.txt
> [Joao/Fred][10 min][17:50]
> post WGLC discussion -- ready for the IESG?
>
> This draft falsely claims that the amplification potential is
> greatly reduced when authoritative servers are used:
>
> DNS authoritative servers which do not provide recursion to clients
> can also be used as amplifiers; however, the amplification potential
> is greatly reduced when authoritative servers are used.
>
> The amplification potential to authoritative servers is exactly the
> same as for recursive servers, and the attack volume depends only
> on the bandwidth available to the nameserver and the number of
> queries sent. No evidence was given to show that there is any
> difference between authoritative servers and recursive servers.
> Scanning the internet for recursive nameservers is as difficult or
> more difficult than scanning for authoritative nameservers for
> large records. Further, no scanning is necessary at all if one
> uses the root servers to conduct this attack, since the root
> servers IP addresses are known, and there is no mitigation.
The higher gain attacks leverage a large RR not normally found in
most authoritative DNS. An exception might be wildcard RRs that do
not accommodate maximal label sizes. While indeed this may be the
case for many SPF RRs, the scripts contained in SPF actually
represent a far greater attack threat. These attack levels start at
the highest gain achieved by an open recursive DNS. SPF scripts
could be used to reference 10 additional SPF RRs, or hundreds of A
records when used in conjunction with spamming. The SPF related
attack does not expend additional resources of the attacker
beyond the initial queries and can target any other victim as well.
This script may then repeat for every domain being validated, which
will soon include DKIM domains. Perhaps another draft should be
titled, SPF-scripts-are-evil. : o
Recursive servers can be easily located without any scanning and then
asked to obtain an answer referencing problematic RRs (which may be
poorly considered SPF RRs). Your point about scanning is misleading,
as there are many ways to determine their location. Preventing
access to recursive servers significantly reduces the possible
sources relied upon by a distributed mode of attack. Most mobile
users are granted both their IP address and DNS, where limiting
access will not represent any hardship. Those working on wireless
connections in a public setting might even consider tunneling their
DNS requests and endure added latencies over improved security.
-Doug
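The lookup chains Doug describes (one SPF record pulling in further records through include: and redirect=) are something a zone operator can audit before publishing. The following is an added example, not code from this thread or from the draft: it counts the lookup-causing terms of an SPF record against the limit of 10 DNS lookups per evaluation set in RFC 4408, following include:/redirect= chains over a constructed in-memory zone (the example.test names are made up) so that it runs offline.

```python
import re

MAX_LOOKUPS = 10                     # RFC 4408 section 10.1: at most 10 lookup-causing terms
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample TXT records standing in for a live zone (no real domains).
ZONE = {
    "example.test": "v=spf1 include:_spf.example.test mx -all",
    "_spf.example.test": "v=spf1 a include:third.example.test include:fourth.example.test ~all",
    "third.example.test": "v=spf1 a:mail.third.example.test mx ptr -all",
    "fourth.example.test": "v=spf1 redirect=fifth.example.test",
    "fifth.example.test": "v=spf1 exists:%{i}.rbl.example.test a mx ip4:192.0.2.0/24 -all",
    "loop.test": "v=spf1 include:loop.test -all",
}

def spf_terms(record):
    """Yield (name, argument) for each mechanism or modifier in an SPF record,
    skipping the v=spf1 tag, any qualifier (+ - ~ ?) and any /cidr suffix."""
    for term in record.split()[1:]:
        m = re.match(r"([A-Za-z0-9]+)(?:[:=]([^/]*))?", term.lstrip("+-~?"))
        if m:
            yield m.group(1).lower(), m.group(2)

def count_lookups(domain, zone=ZONE, path=frozenset()):
    """Return (lookups, problems): how many DNS queries evaluating domain's record
    can trigger, and any include/redirect loops or missing records found on the way."""
    if domain in path:
        return 0, [("loop", domain)]
    record = zone.get(domain)
    if record is None:
        return 0, [("missing", domain)]
    lookups, problems = 0, []
    for name, arg in spf_terms(record):
        if name not in LOOKUP_TERMS:
            continue                     # ip4/ip6/all and unknown terms cost no query
        lookups += 1                     # the term's own query
        if name in ("include", "redirect") and arg:
            sub, sub_problems = count_lookups(arg, zone, path | {domain})
            lookups += sub               # queries made while evaluating the referenced record
            problems += sub_problems
    return lookups, problems

def check_record(domain, zone=ZONE):
    """Summarise a record: total lookups, whether it exceeds the limit, and problems."""
    lookups, problems = count_lookups(domain, zone)
    return {"domain": domain, "lookups": lookups,
            "over_limit": lookups > MAX_LOOKUPS, "problems": problems}

if __name__ == "__main__":
    for name in ("example.test", "third.example.test", "loop.test"):
        print(check_record(name))
```

A record that exceeds the limit is rejected by RFC 4408 evaluators with a permanent error, so the check flags both the resource cost and a deliverability problem.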