Re: [DNSOP] Root server tar pitting? Is there a better way?

"Wessels, Duane" <dwessels@verisign.com> Mon, 16 May 2016 21:34 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Brian Somers <bsomers@opendns.com>
Date: Mon, 16 May 2016 21:34:17 +0000
Message-ID: <29A70833-47CA-4371-8150-9C7AB16A0877@verisign.com>
References: <44FFEAA9-7579-47E9-A5AF-5C0E1B720634@opendns.com>
In-Reply-To: <44FFEAA9-7579-47E9-A5AF-5C0E1B720634@opendns.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Rn-uXgaHGOfr9stAxYVnDV5U2Nk>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] Root server tar pitting? Is there a better way?

Hi Brian,

I think what you're suggesting has already been proposed.  See https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/ and https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/

DW


> On May 16, 2016, at 2:23 PM, Brian Somers <bsomers@opendns.com> wrote:
> 
> Hi folks,
> 
> I work at OpenDNS.  We saw a DoS attack in Miami on Friday night around 10-11:00pm PST, consisting of UDP DNS requests for AAA.BBB.CCC.DDD where each of AAA, BBB, CCC and DDD are three-digit numbers not greater than 500.
> 
> Each query was answered with an NXDOMAIN by the root servers.  Although our resolvers cached the NXDOMAIN for 1 hour (we cap negative responses at 1 hour despite the larger SOA MINIMUM), it was ineffective in reducing the load on the root servers as every varying query was another root server request.
> 
> We eventually blackholed all TLDs from 000 to 500 to stifle the problem (locally delegating them to 127.0.0.1 where we don’t listen).
> 
> However, during the attack, we also saw a huge number of TCP sockets in TIME_WAIT talking to root servers (probably all root servers).  I’m curious if
> 
> 1.  Are root servers doing some sort of tar pitting where they send a TC and then firewall port 53?
> 2.  Has anyone ever considered a better way than responding with NXDOMAIN?
> 
> The second is a loaded question, but it occurs to me that a new type of negative response to (say) 111.222.333.444/IN/A might be an NXDOMAIN with an SOA record (as we do now) but also with an indicator that 444 and below are NXDOMAINs.  I'm not sure what that might look like, maybe "444/IN/NS ." in the AUTHORITY section where "." is the NS value meaning that 444 is actually delegated to nobody.
> 
> Thoughts/comments?
> 
> —
> Brian
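The draft Duane points to (draft-fujiwara-dnsop-nsec-aggressiveuse, later published as RFC 8198) gives Brian's "444 and below are NXDOMAINs" indicator without a new record type: a validating resolver that has cached a root NSEC record may itself synthesize NXDOMAIN for any name that record proves absent. Since the root zone is signed with NSEC and digit-only labels sort before any letter in DNSSEC canonical order, every numeric TLD in the flood Brian describes falls in the span between the root apex and the first alphabetic TLD, so one cached NSEC answers the whole flood locally. The following is an added example, not code from the thread or from either poster: a small simulation of that mechanism. It assumes the cached NSECs have already been DNSSEC-validated, uses a constructed, abridged NSEC chain as a stand-in for the real root zone, and feeds a constructed set of AAA.BBB.CCC.DDD names as a stand-in for the attack traffic.

```python
# Added example, not code from the thread: a resolver that synthesizes NXDOMAIN from
# cached NSEC records as in draft-fujiwara-dnsop-nsec-aggressiveuse (later RFC 8198).
# Assumes the cached NSECs were DNSSEC-validated; ROOT_ZONE is a constructed model.
from dataclasses import dataclass

@dataclass(frozen=True)
class NSEC:
    owner: str        # owner name, e.g. "com."
    next_name: str    # next owner name in canonical order ("." for the last NSEC)
    types: frozenset  # type bitmap, e.g. {"NS", "DS", "RRSIG", "NSEC"}

def canon_key(name):
    """Ordering key (RFC 4034 s6.1): labels from the root down, case-insensitive."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode() for l in reversed(labels))

def covers(nsec, name):
    """True if this NSEC proves `name` absent (name sorts strictly between owner and
    next_name; the last NSEC wraps to the apex and covers everything after it)."""
    o, n, q = canon_key(nsec.owner), canon_key(nsec.next_name), canon_key(name)
    if "NS" in nsec.types and "SOA" not in nsec.types and len(q) > len(o) and q[:len(o)] == o:
        return False  # NSEC at a delegation proves nothing about the child zone
    return q > o if n <= o else o < q < n

def ancestors(name):
    labels = [l for l in name.rstrip(".").split(".") if l]  # [name, parent, ..., "."]
    return [".".join(labels[i:]) + "." if labels[i:] else "." for i in range(len(labels) + 1)]

def find_covering(cache, name):
    return next((r for r in cache if covers(r, name)), None)

def owner_exists(cache, name):
    return any(canon_key(r.owner) == canon_key(name) for r in cache)

def synthesize_nxdomain(cache, qname):
    """Proof (next-closer NSEC, wildcard NSEC) that qname is absent, per RFC 4035 s5.4;
    None means the cache cannot prove it and the resolver must ask upstream."""
    covering = None
    for i, a in enumerate(ancestors(qname)):
        if owner_exists(cache, a):          # `a` exists, so it is the closest encloser
            if i == 0:
                return None                 # qname itself exists
            closest = a
            break
        covering = find_covering(cache, a)  # `a` must be proven absent to go on
        if covering is None:
            return None
    else:
        return None                         # not even the apex is known
    wildcard = "*." if closest == "." else "*." + closest
    if owner_exists(cache, wildcard):
        return None                         # a wildcard would match instead
    wc = find_covering(cache, wildcard)
    return (covering, wc) if wc else None

ROOT_ZONE = [  # constructed, abridged NSEC chain of a signed root (not the real zone)
    NSEC(".", "aaa.", frozenset({"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"})),
    NSEC("aaa.", "com.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
    NSEC("com.", "comcast.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
    NSEC("comcast.", "net.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
    NSEC("net.", "zw.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
    NSEC("zw.", ".", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
]

def root_upstream(qname):
    """Stand-in for a root server: NXDOMAIN plus the proving NSECs, else NOERROR."""
    proof = synthesize_nxdomain(ROOT_ZONE, qname)
    return ("NXDOMAIN", list(proof)) if proof else ("NOERROR", [])

class Resolver:
    def __init__(self, upstream, aggressive):
        self.upstream, self.aggressive = upstream, aggressive
        self.nsec_cache = []         # validated NSECs learned from negative answers
        self.negative_cache = set()  # classic per-name NXDOMAIN cache (RFC 2308)
        self.upstream_queries = 0

    def resolve(self, qname):
        qname = qname.lower()
        if qname in self.negative_cache:
            return "NXDOMAIN"
        if self.aggressive and synthesize_nxdomain(self.nsec_cache, qname):
            return "NXDOMAIN"        # synthesized locally; no packet to the root
        self.upstream_queries += 1
        rcode, nsecs = self.upstream(qname)
        if rcode == "NXDOMAIN":
            self.negative_cache.add(qname)
            for r in nsecs:
                if r not in self.nsec_cache:
                    self.nsec_cache.append(r)
        return rcode

# Constructed stand-in for the flood: 50 distinct AAA.BBB.CCC.DDD names, each <= 500.
ATTACK_QUERIES = [f"{100+i}.{200+i}.{300+i}.{400+i}." for i in range(50)]

def upstream_load(queries, aggressive):
    """Number of root queries the resolver sends while answering `queries`."""
    r = Resolver(root_upstream, aggressive)
    for q in queries:
        r.resolve(q)
    return r.upstream_queries
```

With classic per-name negative caching, `upstream_load(ATTACK_QUERIES, False)` sends one root query per distinct name (50 here); with aggressive NSEC use, `upstream_load(ATTACK_QUERIES, True)` sends one, because the first NXDOMAIN carries the apex NSEC that covers every numeric TLD and the `*.` wildcard. Two checks matter in practice and are built into `covers` and `synthesize_nxdomain`: an NSEC whose owner is a delegation (NS without SOA) must never be used to deny names inside the child zone (so `www.com.` is still forwarded even with the `com.` NSEC cached), and a synthesized NXDOMAIN is only valid while the proving NSEC is itself valid, so the resolver's negative TTL cap still bounds how long these answers live. None of this helps a resolver that does not validate DNSSEC, since it has no validated NSEC to reason from.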