There is nothing in Joe's assertions that wasn't refuted in May. So, at
the risk of repeating the discussion from May, here is a version-02
specific version:

On Mon, 2 Oct 2006, Joe Abley wrote:
> On 2-Oct-2006, at 17:38, Dean Anderson wrote:
> 
> > I've read the draft.  It still asserts that __somehow__ the
> > amplification potential of authoritative servers is greatly reduced in
> > comparison with recursive servers.
> 
> The opportunity to do evil is greatly reduced if attackers are forced  
> to exploit either authority servers or private recursive servers.
> 
> If authority servers are used, finding a large number of authority  
> servers which contain records that provide the required amplification  
> is harder than finding a large number of open recursive servers.  

I think not. Finding authority servers for large in-addr responses is
just a walk of the in-addr.arpa.  One can get forward zones from a
variety of places to find large SPF, DNSSEC or TXT records.  
Furthermore, the search for such records is completely innocent, while
the search for open recursors is suspicious. [one can put up traps for
the latter search]

Private internal recursors are found by a call to the ISP support line.  
Which ISP to call depends only on the target, and is easily found
through routeviews and whois and web pages.  This question will be
happily answered by first level support. It may even be available on the
ISP web site.

By contrast, to find open recursors, you usually need to walk all of IP,
though you could still walk in-addr and the forward zones as before, but
searching for open recursors will leave log entries that tend to
identify the searcher. By contrast, querying in-addr records or SPF
records from authority servers is entirely innocent.

Open recursors that aren't also authority servers are very difficult to
find. One needs to walk all of IP to see if port 53 responds.  That kind
of search will be noticed by somebody.  Ask the open relay scanners.

> Using such servers will also involve sending a different query to each
> server in order to exploit the particular (QNAME, QTYPE) tuple which
> provides the required amplification, which means a single botnet with
> a single set of marching orders can't be used to originate the query
> traffic, thus increasing the logistical difficulty in launching the
> attack.

As previously described in May, a botnet can easily handle the marching
orders necessary. The amplification is dependent only on the number of
queries sent.  A list of 25, 100, 200, 25000,+++ tuples is easily within
the payload of a modern botnet.  One might not even need very many
tuples. A single, high bandwidth server might be sufficient.  Try
blocking all of say, MSN's nameservers or the nameservers of some other
top bandwidth domain. [BTW, DNS Anycast makes this attack worse, too,
but I already previously pointed that out in May. I see this, too, was
ignored, in draft 02.]

> If private recursive servers are used then in order to gain
> amplification comparable with the attacks which exploit open servers
> the target must be within the corresponding private domain of the
> recursive server. Since it's rare for more than a small handful of
> private recursive servers to serve a single private subset of the
> Internet, this reduces the potential number of sources of attack
> traffic to a number which can probably be dealt with (and which are
> probably also operated by the same set of technicians).

Every ISP has 'private' recursors.  Those recursors are more "deadly" to
that ISP's customers for two reasons: The customer can't easily block the
traffic, and that server has more bandwidth to the customer than, say,
some open recursor half way around the world.

> The opportunity to launch a reflection attack of the type described in
> the draft is greatly reduced if no open recursive nameservers are
> available.

This is mantra. Repeating it does not make it true. I suppose, as was
the case with the open relay experience, the mantra will grow more
insistent, but no more true.  As Gauss said, 'fear the howls of the
boeotians.'

The opportunity to launch a reflection attack is the same for all types.  
Every server that has a large record offers an opportunity for
reflection attack.  The mitigation is close to zero for authority
servers and private recursors. The game-theory choice for the bad guy is
easy: pick the target ISP private recursor or search the authority
servers for large records.  Choosing ordinary open recursors is a
distant third because of the added risk of discovery and the mitigation
options at the target.

And finally, a public or private recursor needs a large record to start
the attack. That record is best obtained from a legitimate authority
record.  But that authority server, once found, can be directly used for
the attack if it has sufficient bandwidth. That authority server won't
be able to stop the attack except by removing the legitimately large
record, or by blocking incoming DNS queries. Neither option is going to
be palatable for, say, MSN or Some Large Domain (SLD). Probably, they
won't do it if the record is important to them.

Strangely, the existing attacks that I know of from the Nanog thread
started by using a cracked server to create an 8Kb TXT record for the
attack. This crack is the hardest part of the attack, and it leaves a
huge forensic trail, and is completely unnecessary to conduct the
attack. The attackers in that case were very stupid, and hadn't really
thought through the attack. Almost exactly the same analytical behavior
as that of another group of miscreants. One wonders if it could be the same
group.

                --Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html