DNS DDoS [was: register.com down sev0?]
Patrick W. Gilmore
patrick at ianai.net
Thu Oct 26 15:21:40 UTC 2006
On Oct 26, 2006, at 1:31 AM, alex at pilosoft.com wrote:
>> It is essentially impossible to distinguish end-user requests from
>> (im)properly created DoS packets (especially until BCP38 is widely
>> adopted - i.e. probably never). Since there is no single place -
>> no 13 places - which can withstand a well crafted DoS, you are
>> guaranteed that some users will not be able to reach any of your
>> listed authorities.
> Yeah - I know it is hard-to-impossible to do that, and it is a tug-of-war
> between worm writers (to generate queries indistinguishable from real
> client-resolver-generated queries) and trying-to-detect-malformed-
> (such as duplicated qid, or from IP space that shouldn't be hitting
> specific node). You probably dealt with more ddos than rest of us
> combined, so I bow to your superior knowledge.
First, thanx for the nod, but there are some here who have dealt with
more than I have. But I think I've seen enough to know something
You can try things like "filter IP addresses which should not be
going to node X", but what happens if the DDoS changes the network
topology enough that you can't be certain users are going where you
did not? If the DDoS is large, this is pretty much guaranteed.
Worse, suppose the topology changes for reasons unrelated to a DDoS.
You could end up DoS'ing end users without an attack! (You could
theoretically only put the filters in place when an attack is
happening, but that has other problems - which may or may not be worse.)
Filtering on things like duplicated query IDs is not possible on
router hardware doing 10s of Gbps or millions of PPS. And doing it
on the server is not useful if there are more bits / pps than the
router can process. Remember, servers can't answer packets that are
dropped before they get to the servers.
Etc., etc., etc.
Overall, we are losing the war. What good providers, like the roots,
Ultra, etc., do is to minimize the effect of any attack. If a
"miscreant" fires the "DDoS of biblical proportions" and only 5% of
users are affected, I consider that a success. Unfortunately, those
5% don't think so, but one can only do what one can do. Besides, if
it truly is an attack of biblical proportion, those 5% are probably
having much larger problems than name resolution.
Couple other comments:
From all indications I've seen (and most are not authoritative, but
it's all the info I have), this was not a DDoS of "biblical
proportions". There were no whole networks to go offline, there were
no massive swaths of address space flapping, there were no entire
peering points being congested, etc. A few Gbps does not count as
"biblical" any more.
Whether this attack used spoof-source or not, BCP38 is _VITAL_, IMHO,
to helping curb these things. It guarantees, at the very least, that
you know where the attack is sourced. Filtering becomes much easier.
Reaching the right operators to help with the problem becomes orders
of magnitude easier. And if the miscreants just start using BotNets
with real IP addresses, GOOD. It's not the End All Be All answer, but
it is a _huge_ step in the right direction.
Unfortunately, as Jared has pointed out, the equipment vendors have
to help the operators support this. So let's all call your favorite
router vendor and ask them when they will have the "ip bcp38" config
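The two mechanisms argued over in this message, per-interface source-address validation at the customer edge (BCP38) and the authority-side "duplicated query ID" heuristic, as a small added model in Python. This is example code written for this page, not anything from the original message or from any vendor; the interface names, prefixes and sample packets are constructed, and the duplicate-QID check is deliberately placed after the edge filter because, as the message says, it can only see packets that survive the router.

```python
"""Toy model of BCP38 ingress filtering followed by duplicate-query-ID
detection. Added example; not code from the original NANOG message."""
import ipaddress
from collections import Counter, defaultdict

# Hypothetical edge router: each customer-facing interface and the
# prefixes that customer legitimately originates. Assumed values.
INGRESS_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25")],
}


def bcp38_permit(interface, src):
    """Return True if src is a legitimate source for packets arriving on
    interface. This is the per-interface ingress filter BCP38 asks for:
    a source the customer does not own is dropped at the edge, so the
    spoofed packet never reaches the Internet and whatever does arrive
    at the victim carries an attributable source address."""
    allowed = INGRESS_PREFIXES.get(interface)
    if allowed is None:
        return False  # unknown interface: fail closed
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def filter_ingress(packets):
    """Split packets into (permitted, dropped) by the BCP38 rule."""
    permitted, dropped = [], []
    for pkt in packets:
        (permitted if bcp38_permit(pkt["iface"], pkt["src"]) else dropped).append(pkt)
    return permitted, dropped


def duplicate_qid_sources(packets, threshold=3):
    """Authority-side heuristic from the thread: a real stub or recursive
    resolver picks a fresh 16-bit query ID per query, so one source that
    reuses the same QID many times is suspicious. Returns
    {src: (qid, count)} for sources whose most-repeated QID reaches
    threshold. Note this needs per-source state, which is why the message
    says it is done on the server, not on a router at line rate."""
    seen = defaultdict(Counter)
    for pkt in packets:
        seen[pkt["src"]][pkt["qid"]] += 1
    flagged = {}
    for src, counter in seen.items():
        qid, count = counter.most_common(1)[0]
        if count >= threshold:
            flagged[src] = (qid, count)
    return flagged


# Constructed sample traffic (not captured data): two honest clients,
# one spoofed source, one source outside its customer's /25, and one
# client that repeats a QID.
SAMPLE = [
    {"iface": "ge-0/0/1", "src": "192.0.2.10", "qid": 0x1A2B},
    {"iface": "ge-0/0/1", "src": "192.0.2.10", "qid": 0x3C4D},
    {"iface": "ge-0/0/1", "src": "203.0.113.5", "qid": 0x0001},   # spoofed
    {"iface": "ge-0/0/1", "src": "203.0.113.5", "qid": 0x0001},   # spoofed
    {"iface": "ge-0/0/2", "src": "198.51.100.200", "qid": 0x0002},  # outside /25
    {"iface": "ge-0/0/2", "src": "198.51.100.7", "qid": 0x7777},
    {"iface": "ge-0/0/2", "src": "198.51.100.7", "qid": 0x7777},
    {"iface": "ge-0/0/2", "src": "198.51.100.7", "qid": 0x7777},
]


def run(packets=SAMPLE):
    """Apply the edge filter, then the server-side heuristic to what is left."""
    permitted, dropped = filter_ingress(packets)
    return {
        "dropped_sources": sorted({p["src"] for p in dropped}),
        "suspicious": duplicate_qid_sources(permitted),
    }


if __name__ == "__main__":
    print(run())
```

The point of the ordering is the one the message makes: the QID heuristic catches 198.51.100.7 only because that packet actually reached the server, while the spoofed 203.0.113.5 packets were stopped at the customer edge where the spoofing is cheap to detect. Without BCP38 the server would see 203.0.113.5 as well, with no way to tell who actually sent it.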