IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

Warren Kumari <warren@kumari.net> Mon, 21 August 2017 18:46 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13E7C132A9A for <dnsop@ietfa.amsl.com>; Mon, 21 Aug 2017 11:46:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.778
X-Spam-Level:
X-Spam-Status: No, score=-0.778 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URI_HEX=1.122] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y1fNeYo4IjLw for <dnsop@ietfa.amsl.com>; Mon, 21 Aug 2017 11:46:14 -0700 (PDT)
Received: from mail-wr0-x231.google.com (mail-wr0-x231.google.com [IPv6:2a00:1450:400c:c0c::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BD58132AB2 for <dnsop@ietf.org>; Mon, 21 Aug 2017 11:45:13 -0700 (PDT)
Received: by mail-wr0-x231.google.com with SMTP id z91so104834452wrc.4 for <dnsop@ietf.org>; Mon, 21 Aug 2017 11:45:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=cKvSe3TJd3jHpROUghrS7Z4FPrF7Z+fU+PefKWQuyZg=; b=G7k2wvh0n4mSTTEay3DFhQ8MMquRmSdWGFj2upAtp8WAau/0gWS4G7LLiA1iX/uTIf SE61V3jR3iy0Bt2zjXw35E5CVYLSvfYAblSqeYX6FcUXQNyAbK31O7fws+6aza02nEp/ lkOtfqEDkWIor1tP8LOITXt4CWYmw0WEHhqJITk0zG04dMrCnscFZI9+QERdB6Wm/EDM dwg92Rm4Cyn41XPrg4nkMaJ/6kWJ3GjLe1dcnpJTRKUqWneTnnzQt+shiTofz2dzi9HM PJC800bQFT/G8L42se9mop44YBYvY/Ec+JpN7V9lokG3VmGSFd7rfo8jJB3hB5HUkd1a hl6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=cKvSe3TJd3jHpROUghrS7Z4FPrF7Z+fU+PefKWQuyZg=; b=CiHPy4ssQr7fQVBqKesGCGQYLJY50GU9qSi8CqXqLVSiNvlrZsj/GfQhIVgQFyIuS5 iFapnK5mY3y/nibuByi3lwQOx1FwgtiiBWcv1Z1M9Mxo+jx4EOhUx+QILjiiXqANk/7G auJ6dNzTG0EBos5hKPbkva6Ly8FOt4hFwF/abMp9Rkl5hJCDrme06xQhBwtbKwtC+g77 3P43w55BGDfBc2ccn28FPpTYiWfNdnkUc9e9iYpq/GhCOLFhXkbo6xH9HY4Kt1fM3lFK urCEFxA77H/ZcjGDnC8vsSK7F/jdOCubAUTTGvDaOkzop1GC7+iYy1Nhd39s1RzAV4kI TCVg==
X-Gm-Message-State: AHYfb5jdb/oSOnuhznYZQtE50Qu8SGdEmiPOHrf3ZXXmtrH9rIYp5w9S 75c8pKdWSB6NxJzqpfHF9iABgZWuZQRG
X-Received: by 10.223.152.19 with SMTP id v19mr12028231wrb.60.1503341111372; Mon, 21 Aug 2017 11:45:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.164.135 with HTTP; Mon, 21 Aug 2017 11:44:30 -0700 (PDT)
In-Reply-To: <DF434FBC-2F11-4548-9071-1B5FE84A549E@fugue.com>
References: <CANLjSvWFh0ER47=SFJB-3rkTJKT_OxcjKwcD9-DUkDDxJTo=+g@mail.gmail.com> <201708151341.v7FDfNqR039481@calcite.rhyolite.com> <CAPt1N1=2eFRBCHYptn6W=3ruFisN0xRcMQSPPakgZXnmsaTS5w@mail.gmail.com> <CANLjSvWkDTgqTg+fy2jZzfcaY7e1VWB11yiWMzO3MfcrCGVLSQ@mail.gmail.com> <FFA80661-78A3-40B8-8DBC-FE79E873BCAF@fugue.com> <CANLjSvWcscFQSH9KdmZPgOb9vC5immDoJZjG3msQB5TqfiHkDQ@mail.gmail.com> <3337C704-0398-439E-8C9A-8A4BA9FB7413@fugue.com> <CANLjSvUZC=DCbuCKmq28C4+Qm_SZ7GTpTWZPisp-Gvf5hg21qw@mail.gmail.com> <DF434FBC-2F11-4548-9071-1B5FE84A549E@fugue.com>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 21 Aug 2017 14:44:30 -0400
Message-ID: <CAHw9_iJVk2Q2G_2DH1a6PvCPW7m+iq2v5AGS+81hdBC-EP0SeA@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Lanlan Pan <abbypan@gmail.com>, dnsop WG <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yNKsnGzZqmb71BBQzGNZv5LzX1g>
Subject: Re: [DNSOP] New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Aug 2017 18:46:17 -0000

I was really trying to stay out of this thread...


On Fri, Aug 18, 2017 at 1:05 PM, Ted Lemon <mellon@fugue.com> wrote:
> El 18 ag 2017, a les 11:33, Lanlan Pan <abbypan@gmail.com> va escriure:
>
> So, can you talk about how your proposal saves cost over using a heuristic?
> It can be used with cache aging heuristic.
> Heuristic read in aaa/bbb/ccc.foo.com, expire and move out;  then read in
> xxx/yyy/zzz.foo.com,  expire and move out;  loop...
> => Map aaa/bbb/ccc/xxx/yy/zzz.foo.com to *.foo.com when heuristic read, it
> will reduce the load of move in/out.
>
>
> By "move out" you mean "remove," right?   Move out implies that you are
> moving it somewhere.   You haven't actually answered my question.  You say
> that SWILD will remove the load, but you don't give any evidence of this.

Yup.

Earlier in the thread, one of justifications for this work was "DNS
Noise: Measuring the Pervasiveness ofDisposable Domains in Modern DNS
Traffic." (posted by Lanlan Pan).
In the abstract of the same is: "Disposable domains are likely
generated automatically, characterized by a “one-time use” pattern,
and appear to be used as a way of “signaling” via DNS queries."

The document contains some examples of these "disposable domains", including:
0.0.0.0.1.0.0.4e.135jg5e1pd7s4735ftrqweufm5.avqs.mcafee.com

McAfee's site says: "GTI File Reputation looks for suspicious
programs, Portable Document Format (PDF) files, and Android
Application Package (.APK) files that are active on endpoints running
McAfee products, including Endpoint Security (ENS), VirusScan
Enterprise (VSE), and SaaS Endpoint Protection (formerly known as
Total Protection Service). If any suspicious files are found that do
not trigger existing signature DAT files, GTI sends a DNS request to a
central database server hosted by McAfee Labs."

Basically, the way that this works is to generate a hash (or similar)
of an object and query that hash in the DNS -- information is returned
encoded in the address.
It is quite clear that McAfee could not (and would not) want to
publish a record saying that this is a wildcard -- if they did, they
would either mark all objects as safe, or as malicious.


Another example is:
load-0-p-01.up-1852280.mem-251379712-24440832-0-p-50.swap-236691456-297943040-0-p-44.3302068.1222092134.device.trans.manage.esoft.com
Fascinating, but device.trans.manage.esoft.com has no incentive to
publish a wildcard marker -- the whole purpose of this query appears
to get data back to manage.esoft.com -- having this get answered from
an intermediate cache would defeat this.

The third example is:
p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n.191742.s1.v4.ipv6-exp.l.google.com
Lorenzo Colitti, Steinar, Erik Kline, Tiziana Refice have a good
writeup of the purpose of these here: "Evaluating IPv6 Adoption in the
Internet" - https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/36240.pdf
Again, these queries are being made for a reason -- it isn't that the
senders figured "I know, let's make a DNS query for fun!!!" - they
wanted to query for some data, or send some data -- like the abstract
says: "“signaling” via DNS queries."

In all of the above, publishing a "this is a wildcard" completely
breaks the purpose of the queries, and so there is no incentive for
these entities to publish such a record...



>>
>> 2) cache miss
>> All of temporary subdomain wildcards will encounter cache miss.
>> Query xxx.foo.com,  then query yyy.foo.com, zzz.foo.com, ...
>> We can use SWILD to optimize it,  only query xxx.foo.com for the first
>> time and get SWILD, avoid to send yyy/zzz.foo.com queries to authoritative
>> server.
>>
>>
>> Can you characterize why sending these queries to the authoritative server
>> is a problem?
>

For the examples used in the paper justifying this, it's not a
problem, it's the purpose :-)

>
> Ok, Similar to RFC8198 section 6
> Benefit but not problem,  directly return from cache, avoid send queries to
> authoritative, and wait for response, reduce laterncy.
>
>
> Okay, but this isn't a reason to prefer this to existing, standardized
> technology.
>
>> 3) DDoS risk
>> The botnet ddos risk and defense is like NSEC aggressive wildcard, or NSEC
>> unsigned.
>> For example,  [0-9]+.qzone.qq.com is a popular SNS website in China, like
>> facebook. If botnets send "popular website wildcards" to recursive,  the
>> cache size of recursive will rise, recursive can not just simply remove them
>> like some other random label attack.
>> We prefer recursive directly return the IP of subdomain wildcards, and not
>> rise recursive cach, not send repeat query to authoritative.
>>
>>
>> Why do you prefer this?   Just saying "we prefer ..." is not a reason for
>> the IETF to standardize something.
>
>
> Sorry, my expression is fault.
>
> More details:
> 1) All of the attack botnets were customers of ISP, sent queries to ISP
> recursive with low rate, so all of the client's IP addresses were
> "legitimate", could not simply use ACL.
> 2) Normal users also visit [0-9]+.qzone.qq.com, all the the random queries
> domain seems to "legitimate".
> => The client ip addresses and the random subdomains are all in the
> whitelist, not in blacklist.
> 3) ISP didn't have any DNS firewall equipment ( very sad situation, but it
> was true ) to take over the response of "*.qzone.qq.com".
>
> In this weaker scenario,  it will be better if give recursive more
> information to directly answer queries from cache, and make recursive not to
> send/cache many subdomains query/response.
> Of course, we can defense the attack with professional operation, solve the
> problem very well. But there are also many more weaker recursive only run
> bind software, without any protection...
>
>
> Maybe they should upgrade.
>
> I will reconsider these problems of the proposal, make the improvement
> analysis on real-world caches before next step.
>
>
> Thanks!   However, I would really encourage you to step back from your
> proposal and see if there's a way to accomplish what you want without adding
> this resource record.   I think you can get the same results you want
> without SWILD, and the result will be a lot better for the DNS as a whole.
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email