DNS Amplification Attacks
ge at linuxbox.org
Mon Mar 20 20:58:27 UTC 2006
Sean Donelan wrote:
> This goes beyond an individual protocol such as DNS. You can generate
> blowback with many different protocols. Technology can take you only
> so far, you also have to address the human element too.
> 1. Bad guys
> 2. Compromised computers (a few are really "owned" by the bad guys too)
> 3. Spoofable source addresses (the bad guys "own" their own ISPs too)
> 4. Open reflectors without rate limits
Each of these is a sound suggestion, some are in debate. The main point
is though that although spoofing is to blame for this latest attack
*vector* and indeed is a hazard on the Internet with many other
possible vectors, it is *not* to blame for this attack. _Not_alone_.
Recursion, the way it is set now with most DNS implementations, is the
problem being exploited by spoofing. It is true spoofing is bad for our
health, but that does not mean we should ignore what actually gets
exploited, which is recursive name servers open to the world.
Fixing the one does not mean we shouldn't fix the other. Going after
recursive servers is whack-a-mole all over again; going after how it all
works and is set may take a roll-back effect of a few years, but is worth
it as a scalable solution.
One possible such solution is turning the default recursion "on" to "off".
As these things take time, starting is a good first step. :)
Attacks such as this one have been happening for a long time now; none of
us should be surprised. Two new things in the *recent* attacks are:
1. Wide exploitation in the wild, which draws attention.
After all, until recently most active NANOGers saw no reason to
even work on fixing spoofing.
2. Abusing EDNS for a larger amplification factor.
Yes, smaller amplification factors work too and their rates can
be increased, but if you can send a whole lot more for less,
it's obviously more dangerous.
How many pings would you rather get back from a broadcast
address in a Smurf attack. 30 or 200?
The reason we released the text at this time (before we were ready; we
were planning on making it academic-worthy) is that, because of the lack
of actual data out there and increasing FUD, we were encouraged to do so
for the community.
That is why in the paper we cover events that happened to ISPs rather
than just theoretical case studies.
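An added example, not part of the original post or the paper it mentions, showing what a resolver operator could look for in their own query logs to tell whether their server is the open, EDNS-amplifying recursive resolver described above: answered clients outside the networks it should serve, and per-client response-to-query byte ratios. The log format, addresses, allowed network and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
# Constructed, simplified resolver query log (not from the original post). Each line is
# one answered query: client_ip qname qtype edns_bufsize query_bytes response_bytes
SAMPLE_LOG = """\
198.51.100.7 example.org ANY 4096 64 3100
198.51.100.7 example.org ANY 4096 64 3100
198.51.100.7 example.org ANY 4096 64 3100
192.0.2.10 www.example.net A 0 45 61
192.0.2.11 mail.example.net MX 512 48 230
203.0.113.5 example.org ANY 4096 64 3100
"""
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: who this resolver serves
AMP_THRESHOLD = 10.0  # response bytes per query byte before a source is suspicious
MIN_QUERIES = 2       # one large answer is normal; a stream of them is not

def parse_log(text):
    """Turn each log line into a dict; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6:
            records.append({"ip": f[0], "qtype": f[2], "edns": int(f[3]),
                            "qlen": int(f[4]), "rlen": int(f[5])})
    return records

def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)

def external_clients(records):
    """Answered clients outside LOCAL_NETS: any entry means recursion is open to the world."""
    return sorted({r["ip"] for r in records if not is_local(r["ip"])})

def reflected_victims(records):
    """Bytes sent back vs received per external client (a spoofed 'client' is the victim)."""
    stats = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "edns": 0})
    for r in records:
        if is_local(r["ip"]):
            continue
        s = stats[r["ip"]]
        s["queries"] += 1
        s["qbytes"] += r["qlen"]
        s["rbytes"] += r["rlen"]
        s["edns"] += r["edns"] > 512  # EDNS buffer beyond the classic 512-byte UDP limit
    findings = []
    for ip, s in stats.items():
        ratio = s["rbytes"] / s["qbytes"]
        if s["queries"] >= MIN_QUERIES and ratio >= AMP_THRESHOLD:
            findings.append((ip, round(ratio, 1), s["queries"], s["edns"]))
    return sorted(findings)
```

A non-empty `external_clients` result is the signal to restrict recursion to the networks the server is meant to serve; the `reflected_victims` ratios show how much the EDNS buffer size inflates what leaves the server compared with what arrived.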