Re: DNS Amplification Attacks... and a trivial proposal

[Phil Mayers]

On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote:


1)  If everyone on the planet were to somehow magically and immediately be
converted over to DNSSEC tomorrow, then would DNS amplification attacks
become a thing of the past, starting tomorrow?  Does DNSSEC solve the
DNS amplification attack problem?  Or does it have no direct bearing on


No, quite the opposite in fact. By increasing the size of responses, 
DNSSEC arguably makes the amplification problem (slightly) worse.


DNSSEC is a good thing and necessary for other reasons, but it does not 
help amplification attacks.



2)  Has anyone ever proposed adding to the DNS protocol something vaguely
reminicent of the old ICMP Source Quench?  If so, what became of that
proposal?


snip


Basically, the whole idea is just simply to allow a victim to switch to
safe TCP only mode with all of the intermediaries that are participating


The problem with that idea is that it needs software updates on both the 
reflecting DNS server and the victim. It also seems to require keeping a 
lot of soft state in the endpoints.


Altogether, it seems easier for everyone to just apply RRL patches, do 
BCP38 and de-peer with people who don't do BCP38.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[David Miller]

On 06/13/2013 05:33 AM, Phil Mayers wrote:
 On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote:

 1)  If everyone on the planet were to somehow magically and
 immediately be
 converted over to DNSSEC tomorrow, then would DNS amplification attacks
 become a thing of the past, starting tomorrow?  Does DNSSEC solve the
 DNS amplification attack problem?  Or does it have no direct bearing on

 No, quite the opposite in fact. By increasing the size of responses,
 DNSSEC arguably makes the amplification problem (slightly) worse.

slightly is generous.  I would say dramatically.

$ dig mx isc.org @ord.sns-pb.isc.org +noall +stats +nodnssec

;  DiG 9.9.2-P1  mx isc.org @ord.sns-pb.isc.org +noall +stats
+nodnssec
;; global options: +cmd
;; Query time: 223 msec
;; SERVER: 199.6.0.30#53(199.6.0.30)
;; WHEN: Thu Jun 13 11:28:49 2013
;; MSG SIZE  rcvd: 403


$ dig mx isc.org @ord.sns-pb.isc.org +noall +stats +dnssec

;  DiG 9.9.2-P1  mx isc.org @ord.sns-pb.isc.org +noall +stats
+dnssec
;; global options: +cmd
;; Query time: 242 msec
;; SERVER: 199.6.0.30#53(199.6.0.30)
;; WHEN: Thu Jun 13 11:28:54 2013
;; MSG SIZE  rcvd: 2427


DNS reflection attacks are all about amplification (a small request
resulting in a response larger than the request).  A 6 times greater
response size is a large jump in amplification.


 DNSSEC is a good thing and necessary for other reasons, but it does
 not help amplification attacks.

+1


 2)  Has anyone ever proposed adding to the DNS protocol something
 vaguely
 reminicent of the old ICMP Source Quench?  If so, what became of that
 proposal?

 snip

 Basically, the whole idea is just simply to allow a victim to switch to
 safe TCP only mode with all of the intermediaries that are
 participating

 The problem with that idea is that it needs software updates on both
 the reflecting DNS server and the victim. It also seems to require
 keeping a lot of soft state in the endpoints.

This would require both software updates and an update to the DNS protocol.

This idea does require state at the endpoints.  We seem to have already
lost that battle - example RRL.  Would this require more state at the
endpoints than RRL?  I think that this probably would require more state.

One concern I have is that it turns the problem on its head and now the
network that is the target of the attack is required to get packets out
through their loaded equipment to stop the attack.

This could lead to wrong headed statements like, Yes, we sent X GB of
traffic at your network.  You didn't implement DNS source quench?  You
should have.

The chain of responsibility for these attacks is:
1. The person(s) originating the spoofed traffic.
2. The network(s) allowing the origination of spoofed traffic.
3. The network(s) transmitting the spoofed traffic.
4. The operators of nodes amplifying the traffic towards the victim.
5. The victim.

A system that requires the victim to take action to stop attacks might
be misconstrued by some to be abdicating the responsibility of the upper
four levels.


 Altogether, it seems easier for everyone to just apply RRL patches, do
 BCP38 and de-peer with people who don't do BCP38.

Agreed.  Close all open resolvers as well.

Using this strategy, however, you will have to do an awful lot of
de-peering.

-DMM

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Vernon Schryver]

 From: David Miller dmil...@tiggee.com

  Basically, the whole idea is just simply to allow a victim to switch to
  safe TCP only mode with all of the intermediaries that are
  participating
 
  The problem with that idea is that it needs software updates on both
  the reflecting DNS server and the victim. It also seems to require
  keeping a lot of soft state in the endpoints.

 This would require both software updates and an update to the DNS protocol.

 This idea does require state at the endpoints.  We seem to have already
 lost that battle - example RRL.  Would this require more state at the
 endpoints than RRL?  I think that this probably would require more state.

I think that the use of RRL on some roots shows that keeping state
is not a problem if the state keeping is not utterly stupid.

DNS cookies could do something similar but better than that safe
TCP only mode idea.  Unfamiliar (no cookie) DNS clients that show
some (or no) sign of badness could be sent to TCP, could be given
lower rate limits, ignored entirely (dropped), or whatever makes
sense at the server.  The state could be kept only on DNS clients
and could be fewer and smaller than the state needed for RRL.  See
https://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03

DNS cookies suffer less from the update-the-world problem, because
they are optional.


  Altogether, it seems easier for everyone to just apply RRL patches, do
  BCP38 and de-peer with people who don't do BCP38.

 Agreed.  Close all open resolvers as well.

me too.

Sufficiently distributed or disbursed DNS reflection attacks (e.g. qps1
at reflectors) are hard even to detect except at the victim.

I hope eventually to release BIND patches that add RPZ client IP
address triggers and drop and TCP-only policies.  See
https://www.google.com/search?q=dns+rpz
An RPZ zone of client IP address triggers of victim IP addresses and
TCP-only policies, maintained by victim requests and certain other
mechanisms could let participating DNS servers mitigate even extremely
distributed reflection attacks.

If there were an RPZ zone of client IP address triggers of open resolvers
used in attacks and if that zone were used at many authoritative DNS
servers, then users of those open resolvers would be inconvenienced
and might pressure open resolver operators to act.

The problem with those RPZ ideas is recruiting DNS server participants.
That is similar to the problem of recruitng SMTP servers to use anti-spam
DNSBLs, but worse because these ideas help victims instead of participants.
It might be helped by including anti-reflection rules in other RPZ
products.

The RPZ TCP-only policy might be used in private kludges.  Consider
these rules in the external view on an open resolver:
 *. CNAME tpc-only-rpz.
 *.mydomain CNAME passthru.rpz.
Like RRL, such ideas not as good as closing the resolver, but less
bad than leaving it unprotected.


Vernon Schryverv...@rhyolite.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: What happens when one out of three NSs are down?

[Lawrence K. Chen, P.Eng.]

- Original Message -
 
  Any comments and best practice solution info very welcome.
 
 Folks with significant requirements with regard to high availability
 are likely to put a hardware loadbalancer running a VIP which
 receives DNS requests and balances it onto a pool of reals (aka the
 boxes running nameservers), including liveness checks so the LB will
 transparently migrate around a nameserver which is down.
 
 

Speaking of using a load balancerI have wondered about putting our BigIP in 
front of our authoritative only nameservers, hadn't thought about doing it for 
HA.  But whether it would help against DDos?  I know there's a 
DNSFloodProtection iRule, and wonder if the BigIP does any protection of its 
own (or is it just the SYN flood DDoS that it does).  Though I recall that they 
had published that GTM v11 has DNS DDoS protections, but our current platform 
is limited to 10.2.4 and we only have LTM.

Though if I did put the BigIP in front, would the DDoS traffic towards the 
nameserver VIPs, impact other services on the BigIP?

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) --  SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Ronald F. Guilmette]

In message 51b991f7.9070...@imperial.ac.uk, 
Phil Mayers p.may...@imperial.ac.uk wrote:

On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote:
 2)  Has anyone ever proposed adding to the DNS protocol something vaguely
 reminicent of the old ICMP Source Quench?  If so, what became of that
 proposal?
...
 Basically, the whole idea is just simply to allow a victim to switch to
 safe TCP only mode with all of the intermediaries that are participating

The problem with that idea is that it needs software updates on both the 
reflecting DNS server and the victim.

Yes.

Is there _any_ even remotely viable proposal for ridding the world of these
damn DDoS amplification attacks that _doesn't_ require either software
updates or worse, hardware updates?

The entire problem is fundamentally a result of the introduction of EDNS0.
Wwouldn't you agree?  The introduction of that change also needed software
updates on both the sending and receiving side.  (That was accomplished
it seems.)  Should anyone be in the lest bit surprised to learn that a
widespread software update might be necessary in order to counteract the
clear (and for some people/sites/companies, catastrophic) effect of an
earilier software update?

It also seems to require keeping a lot of soft state in the endpoints.

Please define a lot.

You and I apparently have differing definitions of that term.


Regards,
rfg

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Doug Barton]

On 06/13/2013 02:01 PM, Ronald F. Guilmette wrote:

The entire problem is fundamentally a result of the introduction of EDNS0.
Wwouldn't you agree?


No. You can still get pretty good amplification with 512 byte responses.

There are 2 causes of this problem, lack of BCP 38, and improperly 
secured (read, open) resolvers. The first requires operator education, 
and in a non-trivial number of cases requires operators to act against 
their own interests. Thus, the problem remains unsolved 13 years later. 
The latter problem also requires operator education, but is more likely 
to be solvable.


There is no quick fix.

Doug

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Ronald F. Guilmette]

In message 51b9fb6a.1090...@tiggee.com,
David Miller dmil...@tiggee.com wrote:

This could lead to wrong headed statements like, Yes, we sent X GB of
traffic at your network.

Yes.

Last night I reconsidered at some length the scheme I put forward yesterday.
(Please note that I am very deliberately calling it merely a scheme
rather than a proposal, because I do not think that it rises to the
level of that honorable title yet.)

Basically, please ignore everything I put forward yesterday and substitute
instead the following in place of all that...

1)  A new DNS/UDP packet/message type is defined.  This new message
when sent from from machine A to machine B informs B that A would
really really appreciate it if B would cease and desist from sending
anything other than HIGHLY ABBREVIATED (12 byte) UDP DNS response
packets to the IP address of A for a period of 30 seconds.  (Said
highly abbreviated DNS/UDP response packets would all have the TC
bit set.)

In a hypothetical revised future DNS RFC it would be said that all
DNS servers attached to the public internet MUST be capable of
properly receiving, decoding and obeying any and all such client
requests.

2)  A new DNS/TCP packet/message/interaction is defined.  A given machine
at IP address `A' (which may or may not even be a DNS server or
client) may connect to a DNS server at IP address `B' and may
execute a transaction with `B' which requests that the DNS server
running on `B' should refrain from sending any DNS/UDP response
packets to `A' for a period of time encoded within the interaction.

Again, hypothetically, in future this would be a MUST.

In its response to A's request, B would include the number of seconds
since the last time that B received a DNS query *via UDP* that was
ostensibly from A.

The first provision above is the fast-reaction emergency stop-gap.  It can
be sent out even when the DDoS target is already undergoing/experiencing a
massive packet inflow.  (It _is_ only one small _outgoing_ packet after all,
so the DDoS victim should, be able to squeeze that out, I think.  After all
is is only the inbound side of the connection that is getting DDoS'd.)

The second provision above is what you do after you have sent the emergency
stop-gap panic button UDP Stop killing me! packet/request.  By this
time, things will have hopefully settled down a bit, at least enough for
the victim to be able to complete a three-step TCP handshake _and_ get a
single small additional payload packet out via the TCP connection.

As mentioned in my previous scheme, the information that comes back from
B (i.e. one of the unwitting DNS servers that are participating as
amplifying intermediaries in the attack) regarding the amount of time
that has elapsed since _it_ last received an attack packet (i.e. any
spoofed DNS query appearing to have come from A) will help A decide
when the time is ripe for it,the victim, machine, to come out of the
bunker and crawl back into the sunlight.

Note that _by definition_ exactly and only any *UDP* DNS query packet that
B has received since A told it... via secure TCP connection... that it
would stop sending any DNS queries to B via UDP for awhile... and that
thus, B should stop sending any DNS/UDP _responses_ to A for that same
awhile... are, by definition, forged/spoofed DNS queries.  So each time
any participating intermediary DNS server `B' receives a DNS/UDP query,
it should merely look to see if the apparent source IP `A' is currently
present in the  (hopefully VERY small) list of IPs that B is currently
in safe interaction mode with, and if B finds A's IP in that VERY
small list, then it merely grabs the current system second-since-epoch
clock value an then uses that to update the most_recent_spoof_time field
of the trivially simple two-word (64 bit) record corresponding to that
specific current safe mode client, `A'.  Only two 32-bit words should
be needed for each (IPv4) safe mode client that has properly requested
a switch to safe mode from B, i.e. (1) A's 32-bit IPv4 address and (2)
the 32-bit most_recent_spoof_time field.

Trivial, no?

Yea, yea.  OK... so yes, those records have to be bigger than 64-bits in
cases where the specific safe-mode client is speaking IPv6.  No biggie.
Let's not get bogged down in quibbling about minor and inconsequential
trivialities.

Regards,
rfg


P.S.  I envision the new packet types for (1) above could be defined as
simply as possible, so that even things other than (and simpler than)
full-blown DNS servers could send them... maybe even... um... routers.

Twelve bytes of all zeros ought to do it.  (Can't get much simpler than
that!)  Unless I am mistaken, that ought to be entire orthogonal to any
and all actual/ordinary DNS packets, at least at present.

P.P.S.  Yes, yes, I _am_ aware... as someone will surely point out...
that 

Re: DNS Amplification Attacks... and a trivial proposal

[John Levine]

The entire problem is fundamentally a result of the introduction of EDNS0.
Wwouldn't you agree?

No, that just makes it a little easier.  You pound the patoot out of
someone with 512 byte packets just as much as you can with 4K packets,
just by making your attacking botnet bigger.

The real solution is BCP 38, to keep spoofed packets out of the
network in the first place.  With widely implemented BCP 38, open
resolvers wouldn't matter since you could only DoS yourself, or at
worst someone else on your own network segment.

R's,
John
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Sten Carlsen]

Just a thought, below:
On 14/06/13 2:41, Ronald F. Guilmette wrote:
 In message 51b9fb6a.1090...@tiggee.com,
 David Miller dmil...@tiggee.com wrote:

 This could lead to wrong headed statements like, Yes, we sent X GB of
 traffic at your network.
 Yes.

 Last night I reconsidered at some length the scheme I put forward yesterday.
 (Please note that I am very deliberately calling it merely a scheme
 rather than a proposal, because I do not think that it rises to the
 level of that honorable title yet.)

 Basically, please ignore everything I put forward yesterday and substitute
 instead the following in place of all that...

 1)  A new DNS/UDP packet/message type is defined.  This new message
   when sent from from machine A to machine B informs B that A would
   really really appreciate it if B would cease and desist from sending
   anything other than HIGHLY ABBREVIATED (12 byte) UDP DNS response
   packets to the IP address of A for a period of 30 seconds.  (Said
   highly abbreviated DNS/UDP response packets would all have the TC
   bit set.)

   In a hypothetical revised future DNS RFC it would be said that all
   DNS servers attached to the public internet MUST be capable of
   properly receiving, decoding and obeying any and all such client
   requests.

I wonder what DNS-servers running older versions of the SW will respond
to that? If they silently discard the packet, no problem. If however
they respond with refused or anything else, you create your own storm.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   MALE BOVINE MANURE!!!

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Ronald F. Guilmette]

In message 201306131753.r5dhrwon093...@calcite.rhyolite.com, 
Vernon Schryver v...@rhyolite.com wrote:

I think that the use of RRL on some roots shows that keeping state
is not a problem if the state keeping is not utterly stupid.

(I'm not sure what, if anything, I should be reading into that last bit
of a phraseology.  Oh well.  No matter.)

DNS cookies could do something similar but better than that safe
TCP only mode idea.

I will definitely need to bone up on that.

Unfamiliar (no cookie) DNS clients that show
some (or no) sign of badness could be sent to TCP, could be given
lower rate limits, ignored entirely (dropped), or whatever makes
sense at the server.

At which server?  The numerous DDoS-participating individual intermediaries?
Or the (singular) DDoS victim?

Assuming you are referring to the former, allow me just to offer the
observation that if history teaches us anything it is that anything that
needs to be... or that is even allowed to be... individually configured
by innumerable individual server administrators will inevitably never
work, in practice, to solve any actual real-world problem, because as
surely as night follows day, at least 33% of all of the world's sever
administrators, if given a knob or a dial to twist, will fuck it up
in some way that makes it ineffective for its original or intended
purpose.

If the world's population of server administrators can be counted on
to Do The Right Thing (when given some simple and straightforward
configuration choice), then why are there still in excess of 27 million
open resolvers on the Internet?

(In short there is only one question you need to ask yourself... Do I
feel lucky? :-)

The advantage of the scheme I put forward is that there is -zero- con-
figuration either required or allowed.  Over time, people installing the
latest version of BIND or their favorite DNS server... just as a matter
of standard procedure, and just to stay current on security fixes...
would get built-in support for the new anti-DDoS quench protocol
and would _not_ be offered any ludicrous (and to most, confusing) con-
figuration choices like:  Do you want to enable to the new anti-DDoS
protocol?  Or would you prefer to continue to be an anti-social asshole?
(I think most here would be surprised to learn how many server admini-
strators, worldwide, would choose option B, if offered that exact choice,
even if phrased in that exact way.  Or as P.T. Barnum is alleged to have
once said Nobody ever lost a dime underestimating the intelligence of
the public at large.)

Sufficiently distributed or disbursed DNS reflection attacks (e.g. qps1
at reflectors) are hard even to detect except at the victim.

Bingo.

The problem with those RPZ ideas is recruiting DNS server participants.
That is similar to the problem of recruitng SMTP servers to use anti-spam
DNSBLs, but worse because these ideas help victims instead of participants.

Yes.

See above regarding configuration choices.


Regards,
rfg
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Vernon Schryver]

 From: John Levine jo...@iecc.com

 The real solution is BCP 38, to keep spoofed packets out of the
 network in the first place. 

Indeed.   As many have mentioned, DNS reflection attacks are merely
the current fad, driven partly by 10X or higher amplification
(50 byte queries, 500 byte responses) and partly by the lemming
syndrome of any fad.

There are have been, are, and will be many other protocols used 
in reflection attacks until BCP 38 is the de facto standard.
Smurf was an old example
https://www.google.com/search?q=smurf+reflection+attack
See also ntp  https://www.google.com/search?q=ntp+reflection+attack
Chargen is another one from the ancient suite of of the small services
https://www.google.com/search?q=small+udp+service+reflection+attack
that is reportedly popular again.
https://www.google.com/search?q=chargen+attacktbs=qdr:m
See also NTP, timed, and others.

The standard reaction to a list like that from experts who invent
Final Ultimate Solutions to the Spam Problem is incoherent nonsense
about TCP and/or authentication.  They neither know nor care TCP has
long been and still is a very popular in reflection DoS attacks.
https://www.google.com/search?q=tcp+syn+attack


Vernon Schryverv...@rhyolite.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Ronald F. Guilmette]

In message 51ba355b.10...@dougbarton.us, 
Doug Barton do...@dougbarton.us wrote:

No. You can still get pretty good amplification with 512 byte responses.

That is an interesting contention.  Is there any evidence of, or even any
reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
using strictly 512 byte packets?

If that's actually a real problem, then I am forced to assume that there
must have been numerous reliable reports of successful and devastating
DNS reflection DDoS attacks which pre-dated the widespread adoption of
EDNS0.  I am not sure where or how I would be able to unearth archived
but contemporaneous news accounts of such incidents, so if you could
send me some links to archived copies of a few such pre-EDNS0 DDoS
reports, I sure would appreciate it.

There is no quick fix.

I will settle for a slow one.

All I am asking of the Internet community is that we at least *begin* the
process of implmenting something that will really solve the problem once
and for all... including even the part of the problems that can arise from
non-open DNS servers.

I am not persuaded that we have even really begun in ernest a process that
is likely to lead to that result.  Almost everybody, even 13 years later,
is still hoping for, and praying for, some utterly cost-free and pain-free
solution to drop down out of the sky like mana from heaven.

My question is really a simple one:  Where are the adults?  This problem
has gone on long enough.


Regards,
rfg
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Mark Andrews]

Well the process has started.  BCP 38.  If you want hurry it along
complain to your local politician that they need to consider drafting
legislation that requires ISP's to implement BCP 38 in their networks.

Require BCP 38 implementation by all parties as part of trade
negotiation.

Doing anything else just shifts the problem around.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Ronald F. Guilmette]

In message 20130614004155.72013.qm...@joyce.lan, 
John Levine jo...@iecc.com wrote:

The real solution is BCP 38...

I agree completely John.  I cannot do otherwise.  But I have to ask the
obvious elephant-in-the-room question... How is that comming along so far?

Maybe we could find worse ways to spend our time than developing a Plan B
and/or acquiring another basket to put a few of our eggs into.


Regards,
rfg


P.S.  The idea I had was that a reasonably simple anti-DDoS protocol ex-
tension could be codified and rolled out along with regular software
updates, and could thus eventually be in place even without the conscious
cooperation of those system and network administrators who have, by their
actions, already proven themselves to be largely if not entirely un-
cooperative, even with common sense steps to foster and protect the public
good.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[John Levine]

The real solution is BCP 38...

I agree completely John.  I cannot do otherwise.  But I have to ask the
obvious elephant-in-the-room question... How is that comming along so far?

Based on discussions I've had with people who work at large networks
and in policy positions in various governments (not all in the US), a
lot faster than it it was even a few months ago.

If we're going to ask people to update their networks, I'd rather
concentrate on an update that will really work, rather than some plan
B that sorta kinda helps, and gives people the excuse that since they
did that they don't have to do BCP 38.

Also, a fair amount is just education.  I ran a spoofer test on my
server and found the network wide open.  I talked to the guy who runs
the hosting center today and he said oops, he thought it was set to do
ingress filtering.  So it will in a few days when he gets his router
configs updated.

R's,
John


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Mark Andrews]

In message 14768.1371175...@server1.tristatelogic.com, Ronald F. Guilmette 
writes:
 
 In message 20130614004155.72013.qm...@joyce.lan, 
 John Levine jo...@iecc.com wrote:
 
 The real solution is BCP 38...
 
 I agree completely John.  I cannot do otherwise.  But I have to ask the
 obvious elephant-in-the-room question... How is that comming along so far?

* Router manufactures have code to support BCP 38 though it defaults to off.
* Large numbers of ISPs claim they implement BCP 38.
* NAT boxes tend to reduce the number of viable sources.  As more
  networks rather than hosts connect the IPv4 problem space will
  reduce.  CGN's will have a similar impact.

Future:
* SIDR will make it easier for multi-homed nets to automatically configure
  border acls.
* Adding defaults to home CPE devices to default to only allow out source
  addresses learnt through PD or configured RAs will help.
 
 Maybe we could find worse ways to spend our time than developing a Plan B
 and/or acquiring another basket to put a few of our eggs into.
 
 
 Regards,
 rfg
 
 
 P.S.  The idea I had was that a reasonably simple anti-DDoS protocol ex-
 tension could be codified and rolled out along with regular software
 updates, and could thus eventually be in place even without the conscious
 cooperation of those system and network administrators who have, by their
 actions, already proven themselves to be largely if not entirely un-
 cooperative, even with common sense steps to foster and protect the public
 good.
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
 from this list
 
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Ronald F. Guilmette]

In message 20130614020930.c1c1c35e2...@drugs.dv.isc.org, 
Mark Andrews ma...@isc.org wrote:

Well the process has started.  BCP 38.  If you want hurry it along
complain to your local politician that they need to consider drafting
legislation that requires ISP's to implement BCP 38 in their networks.

See!  Now _that's_ all I was asking for!  A perfectly sensible, useful,
and sure-fire solution to the problem!

Thanks so much.  I just don't know why this simple idea/solution to the
whole worldwide problem did not occur to me before now.

The world is forever in your debt.


Regards,
rfg
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Ronald F. Guilmette]

In message 20130614022305.72272.qm...@joyce.lan, 
John Levine jo...@iecc.com wrote:

The real solution is BCP 38...

I agree completely John.  I cannot do otherwise.  But I have to ask the
obvious elephant-in-the-room question... How is that comming along so far?

Based on discussions I've had with people who work at large networks
and in policy positions in various governments (not all in the US), a
lot faster than it it was even a few months ago.

Great!  That is very encouraging news John.

So, may I infer that rather than being put off until the end of the
century, which seemed to be the previous implementation timeline,
pervasive implementation of BCP 38 may now be expected at around the
time that 32-bit UNIX clocks are anticipated to wrap-around to negative?

Gee.  I can't wait!  (And I mean that literally. I personally do not
anticipate that I will still have a functioning curculatory system to
call my own as of that time.)


Regards,
rfg

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Ronald F. Guilmette]

In message 20130614023140.7735d35e2...@drugs.dv.isc.org, 
Mark Andrews ma...@isc.org wrote:

* Router manufactures have code to support BCP 38 though it defaults to off.

Well then, THAT is going to be a great help in solving the problem, isn't it?

* Large numbers of ISPs claim they implement BCP 38.

I claimed that I was Charlie Chaplin once.  Unfortunately, Robert Downey Jr.
beat me to it.

(My claim also did not help any of the organizations who were DDoS'd last
week in any material way.)

* NAT boxes tend to reduce the number of viable sources.  As more
  networks rather than hosts connect the IPv4 problem space will
  reduce.

At the risk of stating the obvious, putting a bunch of machines behind
a NAT box does not make the routed IPv4 addresses that those boxes were
formerly connected to disappear.  Do you believe that everybody who
puts a box behind a NAT then immediately takes pains to insure that
_nothing_ will ever represent itself to the public Internet as occupying
that box's previous routed address ever again?  Or is it just as likely,
if not moreso, that some new box will be put in the old box's place...
a new box which is even less likely than the old one to be a mere end-
luser client machine, incapable of reflecting anything, and vastly more
likly to be a brand new *server* of some sort... probably of a kind that
will suddenly make that IP address useful as a packet reflector, where
the prior box would not have been useful at all in that respect?


Regards,
rfg
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Vernon Schryver]

 From: Ronald F. Guilmette r...@tristatelogic.com

} That is an interesting contention.  Is there any evidence of, or even any
} reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
} using strictly 512 byte packets?
}
} If that's actually a real problem, then I am forced to assume that there
} must have been numerous reliable reports of successful and devastating
} DNS reflection DDoS attacks which pre-dated the widespread adoption of
} EDNS0.  I am not sure where or how I would be able to unearth archived
} but contemporaneous news accounts of such incidents, so if you could
} send me some links to archived copies of a few such pre-EDNS0 DDoS
} reports, I sure would appreciate it.

Expecting to get detailed (e.g. packet dumps, packet sizes, IP
addresses, ASNs) reports of DDoS attacks is like expecting samples
of spam from anti-spam operators.  Even the general outlines of
reports tend to be private.

 

  At which server? The numerous DDoS-participating individual intermediaries?
 Or the (singular) DDoS victim?

It wouldn't hurt to learn about the DNS protocol in general and DNS
reflection attacks in particular before parachuting in with the Final
Ultimate DNS Reflection DoS Attack Solution.  Besides the facts that
DNSSEC makes the problem worse and that EDNS0 was not the genesis of
DNS reflection attacks, intermediary is a poor fit for a recursive
DNS resolver (but might fit a stubb resolver).  A recursive server
answers from its cache.  After it has recursed and until TTLs expire,
a recursive server acts like an authority.  That is why the query
handling code in a DNS server implementation tends to treat its cache
like a zone file.

Intermediary simply does not fit the problem of open resolvers in
DNS reflection attacks, because a DNS referral can give plenty of
amplification.  For example, I get more than 500 bytes of UDP payload
from `dig +norecurs example.com` and almost 900 bytes from
`dig +dnssec +norecurs example.com`.  (If a recursive answering with
a referral is an intermediary, then so is every non-leaf authority.)

Singular DDoS victim is off the mark compared to DDoS victim.  For
obvious reasons, multi-Gbit/sec attacks often affect entire networks.
(Multi-Gbit/sec attacks are more common than one might understand from
some press releases.)  In addition, there can be multiple IP addresses
in an attack, and none of the target IP address need be in use by any
hosts.  Any host that is at a targeted address is not expecting the
DoS packets and is be sending send as many ICMP Port-Unreachable error
messages as its ICMP rate limits and firewalls allow (often none)--not
to mention what the incoming flood might have done to BGP sessions
and so forth and so on.

Consider the implications of those facts, as well as the general meaning
of denial of service attack on any Final Ultimate Solution that
requires DDoS victims to send packets to DNS servers.


Vernon Schryverv...@rhyolite.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[John Levine]

So, may I infer that rather than being put off until the end of the
century, which seemed to be the previous implementation timeline,
pervasive implementation of BCP 38 may now be expected at around the
time that 32-bit UNIX clocks are anticipated to wrap-around to negative?

Perhaps, but I think that's still a lot sooner than a yet-to-be-designed
hack to DNS servers will be widely used.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Ronald F. Guilmette]

In message 20130614032434.72450.qm...@joyce.lan, 
John Levine jo...@iecc.com wrote:

So, may I infer that rather than being put off until the end of the
century, which seemed to be the previous implementation timeline,
pervasive implementation of BCP 38 may now be expected at around the
time that 32-bit UNIX clocks are anticipated to wrap-around to negative?

Perhaps, but I think that's still a lot sooner than a yet-to-be-designed
hack to DNS servers will be widely used.

This is a point upon which reasonable men may reasonably disagree.

(I am looking at BCP 38.  It is dated May, 2000.  This does not fill
me with sanguine hopefulness regarding imminent implementation, sufficient
to make any real difference in the magnitude of the problem.)


Regards,
rfg
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Mark Andrews]

In message 15120.1371179...@server1.tristatelogic.com, Ronald F. Guilmette 
writes:
 
 In message 20130614023140.7735d35e2...@drugs.dv.isc.org, 
 Mark Andrews ma...@isc.org wrote:
 
 * Router manufactures have code to support BCP 38 though it defaults to off.
 
 Well then, THAT is going to be a great help in solving the problem, isn't it?

Actually it is because it provides ISPs with a tools they can use
in appropriate places.

 * Large numbers of ISPs claim they implement BCP 38.
 
 I claimed that I was Charlie Chaplin once.  Unfortunately, Robert Downey Jr.
 beat me to it.
 
 (My claim also did not help any of the organizations who were DDoS'd last
 week in any material way.)

But it does if the claims are valid reduce the number of machines that
can be used to launch attacks from and it also applies peer presure on
other ISPs.  It also invalidates claims from ISP's that say they can't
implement BCP 38 when push comes to shove.

 * NAT boxes tend to reduce the number of viable sources.  As more
   networks rather than hosts connect the IPv4 problem space will
   reduce.
 
 At the risk of stating the obvious, putting a bunch of machines behind
 a NAT box does not make the routed IPv4 addresses that those boxes were
 formerly connected to disappear.

But it does stop machines behind the NAT boxes from being able
reflect packets off machines elsewhere on the net.  Everything
coming from the NAT has the NAT's address as its source.  This turns
the attack from a amplified, reflected, DDoS attack into a staight
out DDoS attack (no amplification, no reflection).  Attempts to
lauch attacks from behind the NAT impact the user of the NAT and
the would be reflector not third parties.

  Do you believe that everybody who
 puts a box behind a NAT then immediately takes pains to insure that
 _nothing_ will ever represent itself to the public Internet as occupying
 that box's previous routed address ever again?  Or is it just as likely,
 if not moreso, that some new box will be put in the old box's place...
 a new box which is even less likely than the old one to be a mere end-
 luser client machine, incapable of reflecting anything, and vastly more
 likly to be a brand new *server* of some sort... probably of a kind that
 will suddenly make that IP address useful as a packet reflector, where
 the prior box would not have been useful at all in that respect?

I'd rather have another reflector than a spoofed traffic source.
There will always be reflectors.  There doesn't have to be any
sources of spoofed traffic.

CPE vendors have been informed of the broken defaults in their boxes
and new equipment will ship which is not broken.  ISP's can filter
inbound traffic directed at port 53 by default but allow a end user
to remove the filter.  They do this sort of thing for SMTP.

Sensible defaults are making their way though the IETF so that CPE
vendors have some guidance on how to configure their boxes for IPv6
so that are not reflector or other sources of badness.  As more
ISP's deploy IPv6 the number of bad IPv4 only CPE boxes will decrease.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Amplification Attacks... and a trivial proposal

[Doug Barton]

Ronald,

It's obvious you're frustrated (understandable), and enthusiastic 
(commendable), but you  might want to consider dialing down your 
rhetoric a bit. You've had responses from people here who have been 
working on this problem for years, and have a deep understanding of it.* 
Trying to understand what they're telling you, and its implications, 
would really help your situation.


More below.

* Note, I'm not including myself in that category. I know a bit more 
than the average person, but I'm not an expert.



On 06/13/2013 06:57 PM, Ronald F. Guilmette wrote:


In message 51ba355b.10...@dougbarton.us,
Doug Barton do...@dougbarton.us wrote:


No. You can still get pretty good amplification with 512 byte responses.


That is an interesting contention.  Is there any evidence of, or even any
reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
using strictly 512 byte packets?


You're asking the wrong question. Attackers don't go out of their way to 
find open resolvers that they are sure will return 4k packets. They 
blast out to all the ones that they know, and take the amplification 
that they can get. 50 - 500 is still a pretty good amplification rate.


The important point being (as others have made to you) that this is not 
an EDNS0 issue. It's also worth noting that I realize this wasn't the 
main point you were trying to make, but it will probably be helpful for 
you to get your facts straight.



If that's actually a real problem, then I am forced to assume that there
must have been numerous reliable reports of successful and devastating
DNS reflection DDoS attacks which pre-dated the widespread adoption of
EDNS0.


Again, you're making the wrong argument. As others have pointed out to 
you, DNS amplification is just the attack du jour. There is evidence at 
the moment that the kiddies are already moving to chargen since we seem 
to be making some progress on open resolvers, and they want to keep 
their options open.



There is no quick fix.


I will settle for a slow one.


Then you really want to learn more about response rate limiting, which 
already exists, and is in the process of being adopted into the major 
flavors of authoritative DNS software. That will help a lot with DNS 
amplification, but the real answer is still going to be BCP 38, with all 
of its attendant thorns.



I am not persuaded that we have even really begun in ernest a process that
is likely to lead to that result.  Almost everybody, even 13 years later,
is still hoping for, and praying for, some utterly cost-free and pain-free
solution to drop down out of the sky like mana from heaven.


Again, you need to become more familiar with the efforts that have been 
ongoing for years.


Mark also made an excellent point about legislation for BCP 38 being an 
unfortunate necessity at this point. For a variety of reasons there are 
costs associated with implementing BCP 38, costs which a non-zero number 
of operators have chosen not to pay. Adding legislative 
penalties/incentives that will make implementing it less costly than not 
is pretty much the only untried tool we have left.


Doug

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: [users@httpd] webservers not responding properly after hardware change

[Norman Fournier]

Hello,

I posted this to httpd.apache.org but have not had any response, so I think it 
may be more related to BIND than DNS. Apologies for the cross-post.

I have setup two webservers on my network, one connected directly to the ISP 
with an ethernet card installed to bring it to the router where, it was give an 
internal ip address and ports opened for ftp, smtp and pop. It is ns1. ns2 is 
behind the router and handles http, dns and ssh. Mail is currently being 
properly delivered although my smtp server going out is no longer working for 
obvious reasons.

I can't ping ns1 from ns2. apachectl say my configuration is correct. The only 
change I made that I can see is the ethernet card in ns1 died. How would this 
impact my DNS?

None of the domains on ns2 are available on the web although the websites on 
ns1 are.

The attached diagram shows before and after. Any help would be greatly 
appreciated.

http://www.normanfournier.com/nf-network-diagram-v9.jpg

The ns2 webserver is serving plone instances via a Zope webserver behind Apache.

It appears that the apache webserver is already loaded and that might be the 
problem, although it is not serving any pages. The following is my terminal 
output.

ns2:~ norman$ apachectl -t
Syntax OK
ns2:~ norman$ apachectl restart
launchctl: 
CFURLWriteDataAndPropertiesToResource(/System/Library/LaunchDaemons/org.apache.httpd.plist)
 failed: -10
ns2:~ norman$ apachectl start
launchctl: 
CFURLWriteDataAndPropertiesToResource(/System/Library/LaunchDaemons/org.apache.httpd.plist)
 failed: -10
org.apache.httpd: Already loaded
ns2:~ norman$ 

Norman___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users