On Tue, 2 Sep 2008, Danny McPherson wrote:

> 
> On Sep 2, 2008, at 12:44 PM, Dean Anderson wrote:
> >
> > I find this hard to believe from three standpoints:
> >
> > 1) the expected number of open DNS recursors and their collective
> > bandwidth doesn't seem to be large enough to support a 40Gbps attack.
> 
> Really?  With trivial amplification vectors 20 low-speed broadband
> connected bots can generate nearly 1.5 Gbps of attack traffic.  

It isn't the case that many open recursors are on low-speed broadband 
connections; that is a residential service, while recursors are usually 
run by businesses or ISPs, which changes a number of things.

I also suppose you expect that 20 * 384kbps * 100x = 1.5Gbps.
 (384 kbps upload speed)
 (100x amplification factor)

The error in your estimate is that you assume if there are bots to send
demand, that there are recursors to handle the load. This just isn't the
case.

The estimate is an ideal maximum, assuming a lot of things are true that
aren't true. For example, one never has ideal bandwidth available to any
host.  And one must still have enough recursors that can handle the
offered load.  But there aren't enough recursors to provide the load.  
There are only about 20k or so recursors, and most don't sit on high
bandwidth connections.  Many don't support EDNS0, so can't get more than
about 10x amplification, anyway.

Most businesses and ISPs would probably soon notice their participation
in a DDoS attack due to their own bandwidth consumption and block the
(spoofed) source address without damage as a result of the block, or an
upstream carrier would block the spoofed source, also without collateral
damage.  

Furthermore, it's relatively easy to change the IP address of a
recursor. Abusers need to keep scanning.

> So, that'd put you around 500 or so bots, and any number of open
> resolvers, to generate such an attack, which is low-hanging fruit
> these days.  

Really? Recursors are "low-hanging fruit"? By what measure?

> Of course, the reported amplification vector was higher
> than this, the number of bots lowers.

Higher than what?  You can't get more than about 100x from DNS under 
ideal conditions. 

> > 2) Why would anyone capable of programming bother searching for open
> > recursors (with often small connection speeds) when they can use 100+
> > root servers with large amplification factors and high bandwidth
> > connections at key exchange points?
> 
> We'll leave that an exercise for the reader...

Let's not, since it's important to consider the alternatives available to
the attacker and the costs of this proposal.  Significantly, the abuser
has an option that doesn't expose them to discovery by their scanning
efforts, and the other attack isn't very easy to mitigate. It doesn't
require the effort of scanning, or of distributing a payload of
recursors to the bots. Quite a lot easier to do.  This seems to make the
other attack much more attractive. Something about low-hanging fruit???

> > 3) Why aren't these attacks being prosecuted? Someone searching for
> > open recursors is bound to be noticed.  The only people I know of
> > searching for open recursors is UltraDNS and a scientific group at
> > Cornell.
> 
> Searching for open recursors and launching an attack are
> two entirely different things.  

Yes. One must precede the other. Scanning comes first.  And abusers need
to keep scanning, which puts them at a disadvantage for this attack.

> And launching spoofed-based attacks makes finding the attacking
> sources more difficult.  And given that they're most always botted,
> you then have to find a C&C, and then an attacker stepping stone,
> etc.., etc., No need for rehashes of this here, methinks.

Finding the C&C for a botnet that must keep scanning to conduct abuse
should be easier than for a botnet that doesn't need to scan. You find
the person scanning and you found the person involved in the C&C.

Also, one doesn't need to find the attacking source with recursor abuse.  
It's a very mitigatable attack. Just like open proxy abuse, one can
usually block the recursor without collateral damage.  

Significantly, one can't easily mitigate the other attack (a la DNSSEC
responses) of roots, TLDs, major domains' authority servers. Blocking
authority servers generally does significant damage; roots, TLDs, major
domains in particular can't be blocked.

> > I'll wait to see the report.  It will also be interesting to find out
> > who was surveyed. If it turns out to be primarily NANOG (the source
> > of the original reports), I'll be more dubious.
> 
> No, there's quite a wide distribution of responses, but mostly
> *OG types in various regions.

Ahh. Figured as much.


> >  Mr. McPherson is
> > associated with NANOG, attending 18 meetings as of NANOG 42; Only 46
> > people have attended more NANOG meetings than Mr. McPherson.
>
> Interesting tidbit, I had no idea.  Useless, but interesting :-)

Useless to you perhaps. Not so useless to everyone.  But it's interesting
that you aren't concerned by the association with the other improper
activities. I guess you know about those, so it comes as no surprise.

                --Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   



_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
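The two estimates argued over above (bots x upload x amplification versus what a finite pool of recursors can actually emit) can be put side by side in a small model. The following Python is an added illustration for this thread, not code from either participant: it computes the idealised figure the way the thread states it, and a capacity-bounded figure in which the spoofed queries are spread evenly over a pool of recursors, only a fraction of which honour EDNS0 (100x) while the rest give about 10x, and each recursor's output is capped by its own egress bandwidth. The 384 kbps, 100x, 10x and 20k figures come from the thread; the per-recursor egress of 1 Mbps, the 50% EDNS0 share and the even spread of queries are assumptions of the example, chosen only to show how the cap changes the bot count.

```python
"""Idealised vs. capacity-bounded DNS reflection bandwidth estimates.

Added example for the DNSOP thread; not part of the original messages.
"""
import math
from dataclasses import dataclass

IDEAL_AMP = 100.0      # amplification with EDNS0 (figure from the thread)
NO_EDNS0_AMP = 10.0    # amplification without EDNS0 (figure from the thread)


@dataclass(frozen=True)
class RecursorPool:
    """Open recursors reachable by the attacker (all fields are assumptions)."""
    count: int              # number of open recursors (thread says ~20k)
    edns0_fraction: float   # share that return large EDNS0 responses
    egress_bps: float       # assumed average egress per recursor, bits/s


def ideal_estimate(bots: int, upload_bps: float, amp: float) -> float:
    """The 'ideal' figure: every spoofed byte is amplified, nothing is capped."""
    return bots * upload_bps * amp


def ideal_bots_needed(target_bps: float, upload_bps: float, amp: float) -> int:
    """Bots required for target_bps if the ideal model held."""
    return math.ceil(target_bps / (upload_bps * amp))


def capacity_bounded_estimate(bots: int, upload_bps: float,
                              pool: RecursorPool) -> float:
    """Attack bandwidth once recursor count, EDNS0 support and egress bound it.

    Assumption: the bots' spoofed queries are spread evenly over the pool,
    so each recursor sees demand/count query bits per second.
    """
    demand = bots * upload_bps                 # spoofed query bits/s offered
    per_recursor_demand = demand / pool.count  # even spread (assumption)
    edns = round(pool.count * pool.edns0_fraction)
    non_edns = pool.count - edns
    # A recursor can never emit more than its own egress, whatever the demand.
    out_edns = min(per_recursor_demand * IDEAL_AMP, pool.egress_bps)
    out_non = min(per_recursor_demand * NO_EDNS0_AMP, pool.egress_bps)
    return edns * out_edns + non_edns * out_non


def bots_needed(target_bps: float, upload_bps: float,
                pool: RecursorPool):
    """Smallest bot count reaching target_bps under the capacity-bounded
    model, or None when the pool cannot emit that much at all."""
    max_out = pool.count * pool.egress_bps
    if max_out < target_bps:
        return None
    # Once even the 10x recursors hit their egress cap, adding bots adds nothing.
    saturate = math.ceil(pool.egress_bps * pool.count
                         / (NO_EDNS0_AMP * upload_bps))
    lo, hi = 1, max(1, saturate)
    while lo < hi:                 # output is monotone in bots: binary search
        mid = (lo + hi) // 2
        if capacity_bounded_estimate(mid, upload_bps, pool) >= target_bps:
            hi = mid
        else:
            lo = mid + 1
    return lo


def main() -> None:
    upload = 384e3                              # 384 kbps upstream per bot
    pool = RecursorPool(count=20_000, edns0_fraction=0.5, egress_bps=1e6)
    print("20 bots, ideal:  %.0f Mbps" % (ideal_estimate(20, upload, IDEAL_AMP) / 1e6))
    print("20 bots, capped: %.0f Mbps" % (capacity_bounded_estimate(20, upload, pool) / 1e6))
    for target in (10e9, 40e9):
        print("%2.0f Gbps: ideal needs %d bots, capped needs %s" % (
            target / 1e9, ideal_bots_needed(target, upload, IDEAL_AMP),
            bots_needed(target, upload, pool)))


if __name__ == "__main__":
    main()
```

Under the assumed pool the 40 Gbps figure is not reachable at any bot count, because 20k recursors at 1 Mbps egress each top out at 20 Gbps; the interesting number is how quickly the two models diverge as the target grows, and how sensitive the capped one is to the EDNS0 share and egress assumptions, both of which the thread leaves unquantified.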
