DNS DDoS [was: register.com down sev0?]

Patrick W. Gilmore patrick at ianai.net
Thu Oct 26 15:21:40 UTC 2006


On Oct 26, 2006, at 1:31 AM, alex at pilosoft.com wrote:

>> It is essentially impossible to distinguish end-user requests from
>> (im)properly created DoS packets (especially until BCP38 is widely
>> adopted - i.e. probably never).  Since there is no single place - no 13
>> places - which can withstand a well crafted DoS, you are guaranteed that
>> some users will not be able to reach any of your listed authorities.
> Yeah - I know it's hard-to-impossible to do that, and it is a tug-of-war
> between worm writers (to generate queries indistinguishable from real
> client-resolver-generated queries) and trying-to-detect-malformed-queries
> (such as duplicated qid, or from IP space that shouldn't be hitting this
> specific node). You probably dealt with more ddos than the rest of us
> combined, so I bow to your superior knowledge.

First, thanx for the nod, but there are some here who have dealt with  
more than I have.  But I think I've seen enough to know something  
about it.

You can try things like "filter IP addresses which should not be  
going to node X", but what happens if the DDoS changes the network  
topology enough that you can't be certain users are going where you  
did not?  If the DDoS is large, this is pretty much guaranteed.

Worse, suppose the topology changes for reasons unrelated to a DDoS.   
You could end up DoS'ing end users without an attack!  (You could  
theoretically only put the filters in place when an attack is  
happening, but that has other problems - which may or may not be worse.)

Filtering on things like duplicated query IDs is not possible on  
router hardware doing 10s of Gbps or millions of PPS.  And doing it  
on the server is not useful if there are more bits / pps than the  
router can process.  Remember, servers can't answer packets that are  
dropped before they get to the servers.

Etc., etc., etc.


Overall, we are losing the war.  What good providers, like the roots,  
Ultra, etc., do is to minimize the effect of any attack.  If a  
"miscreant" fires the "DDoS of biblical proportions" and only 5% of  
users are affected, I consider that a success.  Unfortunately, those  
5% don't think so, but one can only do what one can do.  Besides, if  
it truly is an attack of biblical proportion, those 5% are probably  
having much larger problems than name resolution.


Couple other comments:

From all indications I've seen (and most are not authoritative, but
it's all the info I have), this was not a DDoS of "biblical  
proportions".  There were no whole networks to go offline, there were  
no massive swaths of address space flapping, there were no entire  
peering points being congested, etc.  A few Gbps does not count as  
"biblical" any more.

Whether this attack used spoof-source or not, BCP38 is _VITAL_, IMHO,
to helping curb these things.  It guarantees, at the very least, that
you know where the attack is sourced.  Filtering becomes much easier.
Reaching the right operators to help with the problem becomes orders
of magnitude easier.  And if the miscreants just start using BotNets
with real IP addresses, GOOD.  It's not the End All Be All answer, but
it is a _huge_ step in the right direction.

Unfortunately, as Jared has pointed out, the equipment vendors have  
to help the operators support this.  So let's all call your favorite  
router vendor and ask them when they will have the "ip bcp38" config  
option. :)

-- 
TTFN,
patrick
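An added illustration of the BCP38 ingress filtering argued for above (example code written for this page, not anything posted in the thread): a simulated per-interface source-address check, where the interface names, prefixes and sample packets are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed topology: the customer prefixes legitimately provisioned
# behind each edge interface. A real edge derives this from provisioning
# or lets the router do it (strict uRPF / ingress ACL); it is the data a
# BCP38 filter needs.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:10::/48")],
}

def bcp38_permit(iface: str, src: str) -> bool:
    """True if a packet with source `src` arriving on `iface` comes from a
    prefix provisioned on that interface (BCP38 ingress filtering).
    Anything else is treated as spoofed and dropped at the edge."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(iface, []))

def filter_packets(packets):
    """Apply the ingress check to (iface, src, dst) tuples.

    Returns the permitted packets and a per-interface drop count. That
    count is the "you know where the attack is sourced" signal: drops
    cluster on the interface the spoofed traffic actually enters, which
    is what makes reaching the right operator tractable."""
    permitted, drops = [], Counter()
    for iface, src, dst in packets:
        if bcp38_permit(iface, src):
            permitted.append((iface, src, dst))
        else:
            drops[iface] += 1
    return permitted, drops

# Constructed sample: legitimate resolver queries toward a nameserver
# mixed with packets whose sources are not provisioned on the ingress port.
SAMPLE = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.53"),
    ("ge-0/0/1", "203.0.113.7", "203.0.113.53"),    # not behind ge-0/0/1
    ("ge-0/0/2", "198.51.100.200", "203.0.113.53"), # outside the /25
    ("ge-0/0/2", "198.51.100.9", "203.0.113.53"),
    ("ge-0/0/2", "2001:db8:10::5", "2001:db8:53::1"),
    ("ge-0/0/3", "192.0.2.10", "203.0.113.53"),     # unprovisioned port
]

if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE)
    print(f"permitted {len(ok)}, dropped per interface: {dict(dropped)}")
```

The prefix table has to track provisioning changes, which is the same topology-drift problem the message raises for node-level filters; the difference is that at the customer edge the legitimate source set is known, whereas at an anycast node it is not.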
