DNS DOS increasing?

E.B. Dreger eddy+public+spam at noc.everquick.net
Mon Jan 21 17:08:21 UTC 2002

> Date: Mon, 21 Jan 2002 10:07:32 -0500
> From: James Smith <jsmith at PRESIDIO.com>

> Get ready for more DOS-like behavior as systems get deployed
> that have 10 second TTLs in the DNS. These systems are used to
> provide multi-isp redundancy by pinging each upstreams router,
> and when a ping fails, start giving out a dns response using
> the other ISP IP range. Same FQDN, new IP.

Ughh.  Constant pinging == RFC violation (I forget number).
Short TTL = bad idea, stretching DNS beyond what it's meant to
do.  [Not intended as flamebait, but I know that not everyone
will agree with this statement.]

> This of course is driven by the desire for redundancy in small
> businesses who make the Internet an integral part of their
> business plan. Either they can't get PI space and don't have

PI space isn't that big of a deal for most small businesses.  For
service providers, yes.  For other organizations that have at
most half a dozen Internet-facing servers that might be
renumbered every year or two, it is less of an issue.

> (or don't want to spend) the $$$ to do BGP, or are unable to


BGP isn't that expensive.

> convince their upstream to cut a hole in their CIDR block and

Find a clueful or cooperative upstream...

> allow a 2nd party to announce that chunk (which for some is as
> small as /28).

This _is_ a problem.

Returning to the issue of carpet-bombing DNS clients:

IIRC, some extensions to the POP3 spec allow the POP3 server to
tell clients to back off if they query too often.  Perhaps
something similar for DNS is in order?  i.e., force clients to
observe "reasonable" request intervals.  (Alas, I fear that too
many people would ask why DNS is broken, ignoring the issue of
the renegade client.)

I suppose that providers could also run transparent DNS proxies,
thus saving origin servers.  Then again, what is the motivation
for an upstream to run a big proxy to mitigate the effects of a
rogue downstream, when it doesn't directly affect them (upstream)
much at all?

I hate to suggest any sort of per-stream packet/bandwidth 
limiting anywhere, as this means keeping state.


Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence

Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist at brics.com>
To: blacklist at brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.  Do NOT
send mail to <blacklist at brics.com>, or you are likely to be blocked.

More information about the NANOG mailing list