Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-15 Thread Lanlan Pan
Stephane Bortzmeyer wrote on Tue, 15 Sep 2020 at 15:32:

> On Mon, Sep 14, 2020 at 02:54:42PM -0300,
>  Fernando Gont  wrote
>  a message of 19 lines which said:
>
> > Any more details about the attack? e.g., what vectors they used, etc.?
>
> No, they didn't publish any technical details. Like many people, I saw
> the effects (DNS resolution down) but not the causes.
>

Seems like a botnet (local customers' terminals) attack on the ISP?

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] [Ext] DNS Flag Day 2020 will become effective on 2020-10-01

2020-09-15 Thread Paul Ebersman
bsomers> My argument goes something like this.  When a DNS request is
bsomers> sent, the client (whether a stub or a resolver) is the most
bsomers> qualified to know specifics about the "connection" and is also
bsomers> the target of fragmentation attacks.

I'd go the other end of the spectrum. I'd argue that neither client nor
server has any clue of what horrible network crap lies in the
path. There are so many badly implemented boxes built on the assumption
that they have some right to muck with packets passing through them but
with no skin in the game that end to end has to work.

If you buy that assumption, smaller default is less operational risk.


Re: [dns-operations] [Ext] DNS Flag Day 2020 will become effective on 2020-10-01

2020-09-15 Thread Brian Somers
On Sep 11, 2020, at 1:24 PM, Brian Dickson wrote:
> 
> In short: I would be perfectly okay if the recommendation were ONLY for the 
> authority (and server side of resolvers) to lower their default configured 
> UDP bufsizes, at which point having a range of recommended values (rather 
> than a single value) would be more appropriate.
> Server-side defaults can have their values changed (overridden) by config 
> changes, but that ONLY has effect if the clients are NOT ALSO implementing 
> the SAME values.
> 
> That's the problem: EDNS0 UDP Bufsize negotiation allows different values to 
> be configured/offered, and uses the MINIMUM value. If both ends have their 
> defaults lowered, and that causes a problem, it CANNOT be fixed unilaterally.

FWIW I agree with this argument - the fact that there are two configured
bufsize values is very important, perhaps more so in the OpenDNS case
than elsewhere due to our DNSCrypt traffic.  However, I would argue that
the reduced number (whether it's 1232, 1400 or 1452) should be chosen
by the requestor.

My argument goes something like this.  When a DNS request is sent,
the client (whether a stub or a resolver) is the most qualified to
know specifics about the "connection" and is also the target of
fragmentation attacks.  If the client has a "secure path" to the
server (DNSCrypt, DNSCurve, DTLS, a VPN, localhost), a value of 4096 is
a great choice.  If a client is a stub inside a complicated enterprise
network where VLANs and tunnels and [other stuff] are in effect, 1232
might be appropriate.  If a client has an unfettered Internet connection,
a value of 1452 might be better.  Playing into this, a client might
also decide to drop fragments (because they're just too dangerous)
and might want to use 1232 "just in case".

All of these decisions are client decisions.  Should the server ever
decide?  I don’t know of any use case where it should, other than to
limit abuse (amplification attacks).

IMHO a default request bufsize of 1500 or less (1400 seems popular)
would serve the DNS community best, leaving the default response bufsize
at 4096 (is that the usual value?).

—
Brian
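
The negotiation Brian Dickson and Brian Somers are discussing, as an added example (not code from either of them or from the OpenDNS/DNSCrypt projects): it builds a DNS query carrying an EDNS0 OPT RR (RFC 6891), reads the advertised UDP payload size back out of the wire bytes, and applies the rule that the usable UDP response size is the smaller of the client's advertised value and the server's configured maximum, so a client at 1232 stays at 1232 even if the server side is raised to 4096. The 4096 server-side default, the function names and the 512-byte fallback for queries without an OPT RR (RFC 1035) are assumptions made for the illustration.

```python
import struct

EDNS0_OPT_TYPE = 41          # RR type of the OPT pseudo-record (RFC 6891)
PRE_EDNS_UDP_LIMIT = 512     # UDP limit for clients that send no OPT RR (RFC 1035)


def _encode_name(qname: str) -> bytes:
    """Encode a dotted name in uncompressed wire format."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, udp_bufsize=4096, txid: int = 0x1234) -> bytes:
    """Return a wire-format DNS query. With udp_bufsize=None no OPT RR is added
    (a pre-EDNS client); otherwise one OPT RR advertises that payload size."""
    arcount = 0 if udp_bufsize is None else 1
    # ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if udp_bufsize is None:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS carries the requestor's UDP payload
    # size, TTL carries extended RCODE/version/flags (all zero here), RDLEN=0.
    opt = b"\x00" + struct.pack("!HHIH", EDNS0_OPT_TYPE, udp_bufsize, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_bufsize(msg: bytes):
    """Return the UDP payload size advertised in a message's OPT RR, or None."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == EDNS0_OPT_TYPE:
            return rclass                        # CLASS field holds the size
        off += 10 + rdlen
    return None


def effective_udp_limit(client_advertised, server_max: int = 4096) -> int:
    """Largest UDP response the server may send: the smaller of what the client
    advertised and the server's own configured maximum (4096 assumed here).
    Whichever side lowers its value wins, so neither side can raise the
    result on its own."""
    if client_advertised is None:
        return PRE_EDNS_UDP_LIMIT
    return min(client_advertised, server_max)


def udp_response_plan(response_len: int, client_advertised, server_max: int = 4096) -> str:
    """'udp' if the response fits the negotiated limit; otherwise the server
    sets TC=1 and the client retries over TCP."""
    limit = effective_udp_limit(client_advertised, server_max)
    return "udp" if response_len <= limit else "tc-then-tcp"


if __name__ == "__main__":
    q = build_query("example.com", udp_bufsize=1232)
    print("client advertised:", advertised_bufsize(q))
    # Client at 1232, server raised to 4096: still 1232 on the wire.
    print("effective limit:", effective_udp_limit(advertised_bufsize(q), 4096))
    print("1300-byte answer:", udp_response_plan(1300, 1232))
```

The parser walks the question and every RR in the additional section rather than assuming the OPT RR sits at a fixed offset, so it also works on responses that carry other additional records ahead of the OPT RR.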


Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-15 Thread Yasuhiro Orange Morishita / 森下泰宏
Hi Stephane-san,

I've read the article.  I suspect the attack vector is random
subdomain attacks via bad CPEs, which act as open resolvers and
forward queries to the ISP's resolvers.

Possibly the real target domain name existed and the attackers
tried to bring down the auth servers of that domain.

-- Orange

From: Stephane Bortzmeyer 
Subject: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet 
access providers
Date: Mon, 14 Sep 2020 15:14:59 +0200

> On 1 and 2 September 2020, several French IAPs (Internet Access
> Providers), including SFR and Bouygues, were "down". Their DNS
> resolvers were offline, and it does indeed seem that this was the
> result of an attack carried out against these resolvers.
> 
> https://www.afnic.fr/en/resources/blog/about-the-attack-on-french-isps-dns-resolvers.html
> 
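
The pattern Orange suspects, as an added detection example that is not from anyone on the thread: a heuristic run over resolver query logs that flags a (client, zone) pair when one client sends many distinct subdomain labels under one zone and nearly all of them come back NXDOMAIN. Seen from the ISP resolver, the "client" in such a flag is the CPE acting as an open forwarder, not the originator behind it. The log lines are constructed for the example in an assumed `<client_ip> <qname> <qtype> <rcode>` format, the thresholds are illustrative, and the zone is taken to be the last two labels (production code would consult the Public Suffix List).

```python
import math
from collections import defaultdict

# Constructed sample, not real resolver data. Format assumed for the example:
# "<client_ip> <qname> <qtype> <rcode>" per line.
SAMPLE_LOG = """\
198.51.100.7 k9x2q1.example.net A NXDOMAIN
198.51.100.7 a0c8v7.example.net A NXDOMAIN
198.51.100.7 zz41pm.example.net A NXDOMAIN
198.51.100.7 qo7h3d.example.net A NXDOMAIN
198.51.100.7 7fj2ke.example.net A NXDOMAIN
198.51.100.7 b4nt8w.example.net A NXDOMAIN
198.51.100.7 x1y9zr.example.net A NXDOMAIN
198.51.100.7 m3c6lp.example.net A NXDOMAIN
198.51.100.7 hv8sq2.example.net A NXDOMAIN
198.51.100.7 t5dn0a.example.net A NXDOMAIN
203.0.113.5 www.example.net A NOERROR
203.0.113.5 mail.example.net MX NOERROR
203.0.113.5 www.example.net AAAA NOERROR
198.51.100.9 wwww.example.net A NXDOMAIN
198.51.100.9 ww.example.net A NXDOMAIN
"""


def split_zone(qname: str):
    """Return (zone, subdomain_part). Assumption: the zone is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one label; random labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield (client, qname, qtype, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def analyze(text: str, min_unique: int = 8, min_nx_ratio: float = 0.8):
    """Flag (client, zone) pairs whose traffic looks like a random-subdomain attack:
    at least min_unique distinct subdomain parts, with NXDOMAIN on at least
    min_nx_ratio of the queries. Thresholds are illustrative."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "subs": set(), "entropy": 0.0})
    for client, qname, _qtype, rcode in parse_log(text):
        zone, sub = split_zone(qname)
        s = stats[(client, zone)]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        s["subs"].add(sub)
        s["entropy"] += label_entropy(sub.split(".")[0])

    flagged = {}
    for key, s in stats.items():
        unique = len(s["subs"])
        nx_ratio = s["nxdomain"] / s["queries"]
        if unique >= min_unique and nx_ratio >= min_nx_ratio:
            flagged[key] = {
                "queries": s["queries"],
                "unique_subdomains": unique,
                "nxdomain_ratio": round(nx_ratio, 2),
                "mean_label_entropy": round(s["entropy"] / s["queries"], 2),
            }
    return flagged


if __name__ == "__main__":
    for (client, zone), info in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {info}")
```

The two NXDOMAIN typos from 198.51.100.9 fall under the unique-label threshold and are not flagged, which is the point of counting distinct labels rather than raw NXDOMAIN volume. The entropy figure is reported, not thresholded, so an operator can separate random labels from a legitimately large but human-named namespace before acting on a flag (rate-limiting the forwarder, or asking the CPE owner to close the open resolver).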


Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-15 Thread Stephane Bortzmeyer
On Mon, Sep 14, 2020 at 02:54:42PM -0300,
 Fernando Gont  wrote 
 a message of 19 lines which said:

> Any more details about the attack? e.g., what vectors they used, etc.?

No, they didn't publish any technical details. Like many people, I saw
the effects (DNS resolution down) but not the causes.


Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-15 Thread Stephane Bortzmeyer
On Mon, Sep 14, 2020 at 01:23:16PM -0700,
 Damian Menscher  wrote 
 a message of 87 lines which said:

> > There are a great many public resolvers, the best known ones among
> > which are operated by the major US corporations that have cornered
> > a large proportion of Internet services and are often referred to
> > as “GAFA” (from the initials of Google, Amazon, Facebook and
> > Apple), or the “Big Four”.
> 
> 
> Could you please share the IPs for the DNS resolvers operated by Amazon,
> Facebook, and Apple?  I'm trying to determine whether I'm simply unaware of
> those three open recursives (and unable to find them via a search engine),
> or if you're simply spreading FUD for political reasons.

Please have a tea and read again the sentences you quote.
