Home page logo

bugtraq logo Bugtraq mailing list archives

Re: recursive DNS servers DDoS as a growing DDoS problem
From: Anton Ivanov <arivanov () sigsegv cx>
Date: Sun, 02 Apr 2006 08:40:51 +0100



I haven't heard anyone talk about requiring that users use their ISP's
DNS server.  Just that they should not be able to use any random DNS
server on the internet.

This is standard practice in Wireless and other ISPs which operate pay
as you go service (hotels, conferences, hotspots of all varieties and
aggregators that serve them). The reason is that people ran OpenVPN and
other VPN stacks on port udp/53 without logging in and paying.

Frankly - nothing but a knee jerk reaction.

DNS is one of the services that easiest to transparently proxy. The same
result could have been achieved if any traffic to udp/53 was redirected
to the local name server (at about the same performance cost as a filter
entry). At the same time people would have had the service working even
if they had a remote DNS server configured in for administrative reasons.

Similarly, as far as ISP servers are concerned it is possible to
mitigate the recursion amplification problem completely without denying
the service to a limited number of people outside the ISP who want to
query the ISP resolvers for debugging and other purposes.

All it takes is  to throttle traffic from the resovers to outside the
ISP network to a reasonably low value. Depending on the ISP this is
usually in the low Kbits. All it takes is a moderate amount of
competence in the ISP:

1. Resolvers and Authoritative nameservers must be separate and
authoritative nameservers must have recursion turned off. Otherwise
there is no way to throttle only recursive queries.

2. In a smaller ISP the nameservers themselves can get an aggregate of
the ISP routing table and have internal routes tagged accordingly so
that the DNS server can throttle them. No rocket science there, the
provisions are already available in every single OS in use as a DNS
server in ISPs/Telcos. All this requires is a moderate level of
competence in the person who has designed the service.

3. Similarly, a larger ISP which has more resources can isolate the
servers in something like a modified RFC2270 leaf network receiving
default + local instead of default only and do the same on the router in
front of them. Once again all this requires is the person who has done
the DNS design to possess some moderate level of network competence
instead of engaging in massive clusterf^Hing.

4. While implementing both 2 and 3 costs money both of them save
resources so on the balance of things they are worth it even without
getting into the aspects of mitigating DDOS attacks. They are not that
hard to implement either.



A. R. Ivanov
E-mail:  aivanov () sigsegv cx
WWW:     http://www.sigsegv.cx/
pub 1024D/DDE5E715 2002-03-03 Anton R. Ivanov <ai1-n () sigsegv cx>
    Fingerprint: C824 CBD7 EE4B D7F8 5331  89D5 FCDA 572E DDE5 E715


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]