DNS hardening, was Re: Dan Kaminsky
Douglas Otis
dotis at mail-abuse.org
Wed Aug 5 18:12:32 UTC 2009
On 8/5/09 9:48 AM, John Levine wrote:
> Other than DNSSEC, I'm aware of these relatively simple hacks to add
> entropy to DNS queries.
>
> 1) Random query ID
>
> 2) Random source port
>
> 3) Random case in queries, e.g. GooGLe.CoM
>
> 4) Ask twice (with different values for the first three hacks) and
> compare the answers
DNSSEC introduces vulnerabilities, such as reflected attacks and
fragmentation related exploits that might poison glue, where perhaps
asking twice might still be needed.
Modern implementations use random 16 bit transaction IDs. Interposed
NATs may impair effectiveness of random source ports. Use of random
query cases may not offer an entropy increase in some instances. Asking
twice, although doubling resource consumption and latency, offers an
increase in entropy that works best when queried serially.
Establishing SCTP as a preferred DNS transport offers a safe harbor for
major ISPs. SCTP protects against both spoofed and reflected attack.
Use of persistent SCTP associations can provide lower latency than that
found using TCP fallback, TCP only, or repeated queries. SCTP also
better deals with attack related congestion.
Once UDP is impaired by EDNS0 response sizes that exceed reassembly
resources, or are preemptively dropped as a result, TCP must then
dramatically scale up to offer the resilience achieved by UDP anycast.
In this scenario, SCTP offers several benefits. SCTP retains
initialization state within cryptographically secured cookies, which
provides significant protection against spoofed source resource
exhaustion. By first exchanging cookies, the network extends server
state storage. SCTP also better ensures against cache poisoning whether
DNSSEC is used or not.
Having major providers support the SCTP option will mitigate disruptions
caused by DNS DDoS attacks using less resources. SCTP will also
encourage use of IPv6, and improve proper SOHO router support. When
SCTP becomes used by HTTP, this further enhances DDoS resistance for
even critical web related services as well.
-Doug
More information about the NANOG
mailing list