Re: [DNSOP] draft-ietf-dnsop-reflectors-are-evil-05.txt
Matt Larson <mlarson@verisign.com> Mon, 10 December 2007 15:32 UTC
Date: Mon, 10 Dec 2007 10:32:38 -0500
From: Matt Larson <mlarson@verisign.com>
To: dnsop@ietf.org
Subject: Re: [DNSOP] draft-ietf-dnsop-reflectors-are-evil-05.txt
Message-ID: <20071210153238.GA435@dul1mcmlarson-l1.verisignlabs.com>
References: <a0624080fc37ba787c4f6@[130.129.67.81]> <Pine.LNX.4.44.0712100857150.18281-100000@citation2.av8.net>
Much against my better judgement, I'm replying to an author who repeatedly shows himself incorrigible. But lest his continued repetition of a false claim--that authority servers can be used to mount as large an attack as open servers--begin to give it an air of truth, I'd like to point out:

On Mon, 10 Dec 2007, Dean Anderson wrote:
> The draft still asserts incorrectly that
>
>    DNS authoritative servers which do not provide recursion to clients
>    can also be used as amplifiers; however, the amplification potential
>    is greatly reduced when authoritative servers are used.
>
> The exact same traffic can be generated with authority servers.
> Authority abuse traffic is much more difficult to mitigate, and so is a
> much worse problem than recursor traffic. The draft should state the
> facts, otherwise it is misleading.

We've been over this ground before over a year ago. Please see this message from me on this list, in reply to a message of yours on this exact same topic:

http://www1.ietf.org/mail-archive/web/dnsop/current/msg04723.html

Let me quote the relevant part:

On Mon, 02 Oct 2006, Dean Anderson wrote:
> Finding authority servers for large in-addr responses is
> just a walk of the in-addr.arpa. One can get forward zones from a
> variety of places to find large SPF, DNSSEC or TXT records.
> Furthermore, the search for such records is completely innocent, while
> the search for open recursors is suspicious. [one can put up traps for
> the latter search]

That is all true. However, I am extremely dubious that today--right now--one could mount a reflector attack using only authoritative servers that would equal the magnitude of the attacks seen at the beginning of this year that used open recursive servers. To mount an attack equivalent to those already seen, one would need to find tens of thousands of authoritative servers able to produce a 4K response. Every byte in the response size is significant, given the large number of reflectors involved.

The bar has already been set at 4Kb, so one needs to find at least ~34,500 authoritative servers with responses at least that large to equal this year's earlier attacks. (The problem is actually worse, because the number of open recursive name servers has been estimated at around half a million by multiple sources, so that's the current theoretical worst case, an even harder number to reach using authoritative servers.)

Can you point us to even one 4Kb response from an authoritative server?

You did not answer my question then and it still stands: if, as you assert, authority servers pose just as large a risk as open resolvers for DDoS attacks, then point us to a large number of authority servers with large (~4Kb) responses.

Matt

P.S. For you or anyone else who'd like to recall the details of the open-resolver based DDoS attacks from early 2006, my colleagues prepared an excellent (and frightening) presentation on them:

http://www.nanog.org/mtg-0606/scalzo.html
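Added example, not code from the draft or from anyone in this thread: a defender-side check an authoritative operator could run over a query log to see how many bytes the server reflects per client address and at what amplification ratio, plus the scaling behind the message's yardstick (how many reflectors at a given response size equal ~34,500 servers answering with 4 KB). The log format, the 60-byte query size and the sample lines are constructed assumptions.

```python
import math
from collections import defaultdict

QUERY_BYTES = 60  # assumed on-the-wire size of one spoofed EDNS0 query

# Constructed sample log: "time client qname qtype edns_bufsize response_bytes"
SAMPLE_LOG = """\
10:32:01 198.51.100.7 example.net ANY 4096 3150
10:32:01 198.51.100.7 example.net ANY 4096 3150
10:32:01 198.51.100.7 example.net ANY 4096 3150
10:32:02 198.51.100.7 example.net ANY 4096 3150
10:32:02 203.0.113.9 www.example.net A 512 74
10:32:03 203.0.113.9 mail.example.net MX 1232 118
"""

def parse_log(text):
    """Yield (client, qtype, response_bytes) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # blank or malformed line
        yield parts[1], parts[3], int(parts[5])

def reflection_report(text, query_bytes=QUERY_BYTES):
    """Per client: (query count, bytes sent back, bytes-out / bytes-in ratio)."""
    stats = defaultdict(lambda: [0, 0])
    for client, _qtype, resp_bytes in parse_log(text):
        stats[client][0] += 1
        stats[client][1] += resp_bytes
    return {c: (n, out, out / (n * query_bytes)) for c, (n, out) in stats.items()}

def suspicious_clients(text, min_queries=3, min_ratio=20.0):
    """Clients that repeat queries and receive a high amplification ratio;
    with spoofed sources, the 'client' is the victim being flooded."""
    report = reflection_report(text)
    return sorted(c for c, (n, _out, ratio) in report.items()
                  if n >= min_queries and ratio >= min_ratio)

def reflectors_needed(response_bytes, baseline_servers=34500, baseline_bytes=4096):
    """Reflectors with `response_bytes` replies needed to match the baseline the
    message uses: ~34,500 open resolvers answering with 4 KB each."""
    return math.ceil(baseline_servers * baseline_bytes / response_bytes)

if __name__ == "__main__":
    for client, (n, out, ratio) in reflection_report(SAMPLE_LOG).items():
        print(f"{client}: {n} queries, {out} bytes back, x{ratio:.1f}")
    print("flagged:", suspicious_clients(SAMPLE_LOG))
    print("reflectors at 512 B to match baseline:", reflectors_needed(512))
```

On the sample, the 198.51.100.7 address is flagged (four ANY queries, 3150-byte answers, roughly 52x amplification), while a typical 512-byte authoritative answer would need eight times as many reflectors as the 4 KB baseline.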