DNS Amplification Attacks

Gadi Evron ge at linuxbox.org
Mon Mar 20 20:58:27 UTC 2006

Sean Donelan wrote:
> This goes beyond an individual protocol such as DNS.  You can generate
> blowback with many different protocols.  Technology can take you only
> so far, you also have to address the human element too.
> 1. Bad guys
> 2. Compromised computers (a few are really "owned" by the bad guys too)
> 3. Spoofable source addresses (the bad guys "own" their own ISPs too)
> 4. Open reflectors without rate limits

Each of these is a sound suggestion, some are in debate. The main point 
is though that although spoofing is to blame for this latest attack 
*vector* and indeed is an hazard on the Internet with many other 
possible vectors, it is *not* to blame for this attack. _Not_alone_.

Recursion the way it is set now with most DNS implementations, is the 
problem being exploited by spoofing. It is true spoofing is bad for our 
health, but that does not mean we should ignore what actually gets 
exploited, which is recursive name servers open to the world.

Fixing the one does not mean we shouldn't fix the other. Going after 
recursive servers is whack-a-mole all over again, going after how it all 
works and set may take a roll-back effect of a few years, but is worth 
it as a scalable solution.
One possible such solution is turning the default recursion "on" to "off".

As these things take time, starting is a good first step. :)

Attacks such as this one have been happening for a long time now, non of 
us should be surprised. Two new things in the *recent* attacks are:

1. Wide exploitation in the wild, which draws attention.

	After all, until recently most active NANOGers saw no reason to
	even work on fixing spoofing.

2. Abusing EDNS for a larger amplification factor.

	Yes, smaller amplification factors work too and their rates can
	be increased, but if you can send a whole lot more for less,
	it's obviously more dangerous.

	How many pings would you rather get back from a broadcast
	address in a Smurf attack. 30 or 200?

The reason we released the text at this time (before we were ready, we 
were planning on making it academic-worthy) is that because of the lack 
of actual data out there and increasing FUD, we were encouraged to do so 
for the community.

That is why in the paper we cover events that happened to ISP's rather 
than just theoretical case studies.


More information about the NANOG mailing list