Hi Libor, Your subject line hints at a proposal, but I can't parse one in your email.
Regardless, yes, protocol anti-DoS mechanisms rely on the server having as much capacity as the client. If this is not the case, the attacker can always overwhelm the server by simply completing legitimate transactions at scale. The Retry token is the proof-of-work you're hinting at. If you don't want the latency associated with that, I encourage you to implement a more selective rule on when you send Retry (e.g. only when the server is under high load, or from specific IP addresses).

Martin

On Fri, Sep 2, 2022 at 12:00 AM libor.peltan <libor.peltan= [email protected]> wrote:
> Hi all,
>
> I'm developing a DNS-over-QUIC implementation in authoritative Knot DNS.
> I'm highly concerned about DoS resistance. According to our findings so
> far, the situation around authoritative DNS-over-QUIC (ADoQ) is the following:
>
> - The server can try to defend by requiring a Retry packet, which
> prevents source address spoofing and too simple Initial packet floods,
> but also cripples legitimate connections by an additional RTT for the
> whole duration of the attack (possibly all the time).
>
> - A determined attacker can simply proceed with complete connections,
> including Retry packets. We have even developed the tools to perform
> such attacks.
>
> - As opposed to plain DNS, the bottleneck is no longer any connection
> bandwidth. When both sides encrypt and decrypt all the packets, what
> matters is the CPU power.
>
> - The QUIC protocol seems to be balanced in the way that it gives no
> advantage to the client or server side. If (and only if) the attacker has
> more CPU power available, it's able to exhaust the server's computing
> resources, leading to DoS.
>
> I must admit I'm a "DNS guy" and I might have imperfect insight into QUIC
> nuances. Is there any tactic that would help defend the server against
> DoS? I always think that HTTP-over-QUIC servers must face the same
> issues. But it's also possible that they just rely on CDNs and stuff,
> which is not really applicable to common authoritative DNS.
>
> I also looked at Retry packet offload, but this does not make much sense
> for ADoQ.
>
> Thank you for any replies, suggestions and ideas!
>
> Libor
>
>

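The selective Retry rule Martin suggests, together with the address-validation token that Retry carries, sketched as an added example that is not part of this thread and not Knot DNS code. It assumes a hypothetical `RetryPolicy` class: the server issues a Retry (and so spends an extra RTT) only when its measured load is above a threshold or when the source address falls in a watched prefix; otherwise it accepts the Initial directly. The token is an HMAC over the client address, an issue time and the original destination connection ID, so a token cannot be replayed from another address or after its TTL. The secret, threshold, prefixes and addresses are constructed values.

```python
import hmac
import hashlib
import ipaddress
import struct
import time

TAG_LEN = 32  # HMAC-SHA256 output length


class RetryPolicy:
    """Hypothetical selective-Retry policy plus Retry token issue/validation.

    Token layout (constructed for this example, not the QUIC wire format):
        8 bytes issue time | 1 byte ODCID length | ODCID | 32-byte HMAC tag
    """

    def __init__(self, secret, load_threshold=0.8, watch_prefixes=(), token_ttl=10):
        self.secret = secret                       # server-side key for the token MAC
        self.load_threshold = load_threshold       # 0.0-1.0, e.g. CPU utilisation
        self.watch_prefixes = [ipaddress.ip_network(p) for p in watch_prefixes]
        self.token_ttl = token_ttl                 # seconds a Retry token stays valid

    def should_send_retry(self, src_ip, load):
        """Selective rule: Retry only under high load or from watched prefixes."""
        if load >= self.load_threshold:
            return True
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.watch_prefixes)

    def _tag(self, src_ip, issued, odcid):
        # Bind the token to the source address, time and original DCID.
        msg = ipaddress.ip_address(src_ip).packed + struct.pack(">Q", issued) + odcid
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def make_token(self, src_ip, odcid, now):
        issued = int(now)
        body = struct.pack(">QB", issued, len(odcid)) + odcid
        return body + self._tag(src_ip, issued, odcid)

    def validate_token(self, token, src_ip, now):
        """Return the original DCID if the token is genuine, unexpired and
        was issued to this source address; otherwise None."""
        if len(token) < 9 + TAG_LEN:
            return None
        issued, dlen = struct.unpack(">QB", token[:9])
        odcid = token[9:9 + dlen]
        tag = token[9 + dlen:]
        if len(tag) != TAG_LEN:
            return None
        # Constant-time compare so a forged tag leaks nothing via timing.
        if not hmac.compare_digest(tag, self._tag(src_ip, issued, odcid)):
            return None
        if not (issued <= now < issued + self.token_ttl):
            return None
        return odcid

    def handle_initial(self, src_ip, odcid, token, load, now):
        """Decide what to do with an incoming Initial packet.

        Returns ("accept", None) to proceed with the handshake, or
        ("retry", token_bytes) to answer with a Retry carrying that token.
        """
        if token:
            if self.validate_token(token, src_ip, now) is not None:
                return ("accept", None)
            # Bad, expired or replayed token: make the peer prove its address again.
            return ("retry", self.make_token(src_ip, odcid, now))
        if self.should_send_retry(src_ip, load):
            return ("retry", self.make_token(src_ip, odcid, now))
        return ("accept", None)


if __name__ == "__main__":
    policy = RetryPolicy(b"constructed-secret", watch_prefixes=("198.51.100.0/24",))
    odcid = bytes(range(8))  # constructed original destination connection ID
    now = time.time()
    print(policy.handle_initial("192.0.2.10", odcid, None, 0.2, now)[0])   # accept
    action, tok = policy.handle_initial("192.0.2.10", odcid, None, 0.95, now)
    print(action)                                                          # retry
    print(policy.handle_initial("192.0.2.10", odcid, tok, 0.95, now)[0])   # accept
```

Under normal load the first Initial is accepted without the extra round trip, which is the latency saving Martin describes; the Retry cost is paid only while the server is stressed or for traffic from addresses the operator has chosen to validate first. As the thread notes, this does not stop a well-resourced attacker that completes full handshakes, it only removes the cheap spoofed-Initial and amplification cases.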