Re: [DNSOP] draft-ietf-dnsop-reflectors-are-evil-05.txt

Matt Larson <mlarson@verisign.com> Mon, 10 December 2007 15:32 UTC

Date: Mon, 10 Dec 2007 10:32:38 -0500
From: Matt Larson <mlarson@verisign.com>
To: dnsop@ietf.org
Subject: Re: [DNSOP] draft-ietf-dnsop-reflectors-are-evil-05.txt
Message-ID: <20071210153238.GA435@dul1mcmlarson-l1.verisignlabs.com>
References: <a0624080fc37ba787c4f6@[130.129.67.81]> <Pine.LNX.4.44.0712100857150.18281-100000@citation2.av8.net>
In-Reply-To: <Pine.LNX.4.44.0712100857150.18281-100000@citation2.av8.net>

Much against my better judgement, I'm replying to an author who
repeatedly shows himself incorrigible.  But lest his continued
repetition of a false claim--that authority servers can be used to
mount as large an attack as open servers--begin to give it an air of
truth, I'd like to point out:

On Mon, 10 Dec 2007, Dean Anderson wrote:
> The draft still asserts incorrectly that 
> 
>    DNS authoritative servers which do not provide recursion to clients
>    can also be used as amplifiers; however, the amplification potential
>    is greatly reduced when authoritative servers are used. 
> 
> The exact same traffic can be generated with authority servers.
> Authority abuse traffic is much more difficult to mitigate, and so is a
> much worse problem than recursor traffic. The draft should state the
> facts, otherwise it is misleading.

We've been over this ground before over a year ago.  Please see this
message from me on this list, in reply to a message of yours on this
exact same topic:

  http://www1.ietf.org/mail-archive/web/dnsop/current/msg04723.html

Let me quote the relevant part:

  On Mon, 02 Oct 2006, Dean Anderson wrote:
  > Finding authority servers for large in-addr responses is
  > just a walk of the in-addr.arpa.  One can get forward zones from a
  > variety of places to find large SPF, DNSSEC or TXT records.
  > Furthermore, the search for such records is completely innocent, while
  > the search for open recursors is suspicious. [one can put up traps for
  > the latter search]

  That is all true.  However, I am extremely dubious that today--right
  now--one could mount a reflector attack using only authoritative
  servers that would equal the magnitude of the attacks seen at the
  beginning of this year that used open recursive servers.  To mount an
  attack equivalent to those already seen, one would need to find tens
  of thousands of authoritative servers able to produce a 4K response.
  Every byte in the response size is significant, given the large number
  of reflectors involved.  The bar has already been set at 4Kb, so one
  needs to find at least ~34,500 authoritative servers with responses at
  least that large to equal this year's earlier attacks.

  (The problem is actually worse, because the number of open recursive
  name servers has been estimated at around half a million by multiple
  sources, so that's the current theoretical worst case, an even harder
  number to reach using authoritative servers.)

  Can you point us to even one 4Kb response from an authoritative
  server?

You did not answer my question then and it still stands: if your
assertion that authority servers pose just as large a risk as open
resolvers for DDoS attacks is correct, then point us to a large number of
authority servers with large (~4Kb) responses.

Matt

P.S.  For you or anyone else who'd like to recall the details of the
open-resolver based DDoS attacks from early 2006, my colleagues
prepared an excellent (and frightening) presentation on them:

  http://www.nanog.org/mtg-0606/scalzo.html
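The argument above turns on response size: how many bytes an authoritative server returns per query byte, and whether an RRset reaches the ~4K bar the message cites. The following is an added example, not code from the thread or from the draft, that builds wire-format DNS query and TXT response messages for a constructed zone name and reports the size ratio, so an operator can audit how large their own zone's answers can get. It assumes a client advertising a 4096-byte EDNS buffer and treats 4096 bytes as the "4K response" threshold.

```python
import struct

# Constructed example: measure how large a zone's TXT answer would be on the wire.
QTYPE_TXT, QTYPE_OPT, CLASS_IN = 16, 41, 1
EDNS_BUFSIZE = 4096          # assumed client EDNS UDP buffer size
BIG_RESPONSE = 4096          # the "4K response" bar referred to in the thread


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def opt_rr(bufsize: int) -> bytes:
    """EDNS OPT pseudo-RR: root name, type 41, UDP size carried in the class field."""
    return b"\x00" + struct.pack("!HHIH", QTYPE_OPT, bufsize, 0, 0)


def txt_rdata(text: bytes) -> bytes:
    """TXT RDATA is a sequence of <length><chars> strings of at most 255 bytes each."""
    chunks = [text[i:i + 255] for i in range(0, len(text), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def build_query(name: str, qtype: int = QTYPE_TXT) -> bytes:
    """12-byte header (RD set, one additional RR), one question, one OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN) + opt_rr(EDNS_BUFSIZE)


def build_txt_response(name: str, records: list, ttl: int = 3600) -> bytes:
    """Authoritative answer (QR+AA) echoing the question, one TXT RR per record."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(records), 0, 1)
    msg = header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, CLASS_IN)
    for text in records:
        rdata = txt_rdata(text)
        # owner name is a compression pointer (0xC00C) back to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return msg + opt_rr(EDNS_BUFSIZE)


def audit_txt(name: str, records: list) -> dict:
    """Report query/response sizes and the bytes-out-per-byte-in ratio for one RRset."""
    q, r = build_query(name), build_txt_response(name, records)
    return {"query_bytes": len(q), "response_bytes": len(r),
            "amplification": round(len(r) / len(q), 1),
            "exceeds_4k": len(r) >= BIG_RESPONSE}


if __name__ == "__main__":
    # constructed records: a typical SPF record versus an oversized pair of TXT strings
    print(audit_txt("example.test", [b"v=spf1 -all"]))
    print(audit_txt("example.test", [b"A" * 2500, b"B" * 2500]))
```

The ordinary SPF record yields a 65-byte answer to a 41-byte query, while the two padded strings push the same zone name past the 4096-byte bar; the sizes are what the thread's "every byte in the response size is significant" refers to.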

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop