Home page logo
/

nanog logo nanog mailing list archives

Re: DNS deluge for x.p.ctrc.cc
From: Joe Abley <jabley () isc org>
Date: Sun, 26 Feb 2006 12:02:38 -0500



On 25-Feb-2006, at 03:41, bmanning () vacation karoshi com wrote:

Limit UDP queries to 512 bytes.  This greatly decreases the
amplification affect, though it doesn't stop it.

        <limiting UDP to 512 has other, unwanted effects,
         edns0 for one... crippling ENUM, DNSSEC, IPv6, etc...
         is this really what is wanted?>

Expanding on this slightly, since I think this merits more discussion -- if there was widespread filtering of 53/udp packets to 512 bytes, I can see two consequences:

1. A temporary decrease in attack traffic: the malware authors will adapt, and the floods will continue except with smaller packets. For attacks launched from drones, the amplification arguably isn't as important to the attacker as it might be for attacks which have single sources.

2. In future, increased use of things like DNSSEC, dynamic updates and IPv6 (with attendant AAAA records) are going to make legitimate, EDNS0, large 53/udp packets more common, and crippling the transport for EDNS0 is going to cause migraines for helpdesks across the world.

As a temporary mitigation tool today, when the volume of legitimate, large-packet EDNS0 traffic is near-zero, blocking big 53/udp packets might *sound* reasonable. However, we all know how permanent temporary filters can be. Crippling EDNS0 transport in the future seems like a very high price to pay for what might be a very temporary, short-term reduction in attack traffic.


Joe


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]