Re: [DNSOP] drop udp to stop DDOS?

joel jaeggli <joelja@bogus.com> Sun, 02 October 2016 05:26 UTC

Return-Path: <joelja@bogus.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D88112B15E for <dnsop@ietfa.amsl.com>; Sat, 1 Oct 2016 22:26:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.896
X-Spam-Level:
X-Spam-Status: No, score=-9.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-2.996] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XEox3N9Zv3L6 for <dnsop@ietfa.amsl.com>; Sat, 1 Oct 2016 22:26:12 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 003AF12B03B for <dnsop@ietf.org>; Sat, 1 Oct 2016 22:26:11 -0700 (PDT)
Received: from mbp-2.local ([IPv6:2601:647:4201:9e61:7013:49dd:db36:b0b8]) (authenticated bits=0) by nagasaki.bogus.com (8.15.2/8.15.2) with ESMTPSA id u925Pt9e002951 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Sun, 2 Oct 2016 05:25:55 GMT (envelope-from joelja@bogus.com)
X-Authentication-Warning: nagasaki.bogus.com: Host [IPv6:2601:647:4201:9e61:7013:49dd:db36:b0b8] claimed to be mbp-2.local
To: "A. Schulze" <sca@andreasschulze.de>, dnsop@ietf.org
References: <20161001173627.Horde.rpSak5IJzXjNsCel4mT3q4Q@andreasschulze.de>
From: joel jaeggli <joelja@bogus.com>
Message-ID: <fca59629-3997-2dc3-590a-ef8bf29f76ef@bogus.com>
Date: Sat, 1 Oct 2016 22:25:54 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Thunderbird/49.0
MIME-Version: 1.0
In-Reply-To: <20161001173627.Horde.rpSak5IJzXjNsCel4mT3q4Q@andreasschulze.de>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="qdnmI3QE5KgEsl3G61AeqcDt7uQrd7fqo"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Mz5Em793EsPnYoAFwGm2_UzV1rQ>
Subject: Re: [DNSOP] drop udp to stop DDOS?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Oct 2016 05:26:13 -0000

On 10/1/16 8:36 AM, A. Schulze wrote:
> Hello,
>
> a nsd user posted an interesting question:
> https://open.nlnetlabs.nl/pipermail/nsd-users/2016-September/002364.html
>
>> Could we eliminate the DDoS threat by just turning off UDP?
>>
>> Recursive servers I understand probably have to keep accepting them,
>> but authoritative servers are only intended for recursive servers to
>> query, so would it be safe to just drop port 53 UDP requests?
>
> are there any experiences/opinions on that?
> Andreas
Recursing resolvers expect to be able to contact an authoritative
nameserver on udp 53, so if you just drop that in a hole that is going
to be kinda of a problem because they're going to time out.

There is a bit of an art to protecting servers from packets that they
shouldn't be recieving. just because it has to listen on udp 53 does no
mean it has to be able to recieve udp traffic for all other dports.it's
own queries for example could be done with a different source ip.

Once you get beyond (dns / ntp) reflection though theres no particular
reasion why a volumetric dos attack needs to use the UDP header. For
that matter the traffic doesn't even need to splash on the target host
to be effective if the goal is bandwidth consumption.

>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>