Bugtraq mailing list archives

Re: recursive DNS servers DDoS as a growing DDoS problem


From: Tim <tim-security () sentinelchicken org>
Date: Tue, 4 Apr 2006 11:06:13 -0400

Hello Anton,


    This is feasible only for corporate networks where the allocations
are constant and change once in a few years.

    It is not feasible in any ISP/Telco above a certain size. In fact,
considering the consolidation over the recent years it is not feasible
for most ISPs or Telcos.

    In an ISP you will have to provision and reprovision the
nameserver ACLs on a daily basis to match your current customer
allocations and reload it like there is no tomorrow. One mistake in
provisioning and you will have a large chunk of customers shouting
down the support line why their internet does not work. It becomes
even more entertaining if you use RFC3258 or clustering to load
balance DNS traffic. In that case you often end up with a lottery
where one server replies, other servers deny or vice versa. Debugging
that is even more entertaining. Frankly, expecting any large ISP to
deploy anything like this is not realistic.

Are you sure this difficulty is due to the real problem at hand, or due
to poorly designed/implemented software to manage DNS?  Leaving
a single ISP's recursive resolution open to the world is a minor
disservice to the Internet community, but a *major* disservice to its
own customers.  Cache poisoning really isn't that hard when you can
dictate which records you want to poison and when you want to do it,
from the outside.  Especially with certain software's lack of source
port randomization.  An attacker can just wait until the next time a
remotely exploitable IE hole comes out and then poison the records of a
popular website, and *bam* your users are 0wned.


   Using QoS to limit queries coming from the outside world can be
done in a manner where it does not require any extra provisioning and
modification to the nameserver config. On top of that, for most well
designed large ISP/Telco DNS server deployments this is just a simple
config change. Once it has been rolled out it maintains itself. After
all, if your customers have no network access having or not having DNS
is largely irrelevant.

Um... I guess I'm missing something.  If it isn't difficult to limit
_recursive_ query rates from the outside world, how would it be
difficult to disallow them?  This seems like an artificial limitation of
the DNS software in use.

With that said, I've never run a very large DNS infrastructure, but I do
know there's a lot of terrible DNS software out there...

cheers,
tim
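The two positions above (ACLs are an unmaintainable provisioning burden vs. an open recursive resolver is a liability for the ISP's own customers) both turn on one measurement: how many recursion-desired queries actually arrive from outside the customer allocations. The script below is an added example, not code from this thread or from any ISP; it audits constructed query-log lines against a constructed prefix list and renders the equivalent BIND `allow-recursion` ACL from that same list, so the ACL is derived from the allocation data rather than hand-edited. The log layout is an assumption modelled on BIND 9's query log (a leading `+` in the flags field meaning the client asked for recursion); adjust `LOG_RE` for another resolver's format.

```python
"""Audit a resolver query log for recursion-desired queries from outside the
customer allocations, and render the matching BIND allow-recursion ACL.

Added example for this thread; assumptions: the prefix list and log lines are
constructed, and the log layout is modelled on BIND 9's query log."""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Constructed customer allocations. Assumption: in a real ISP these would be
# exported from the IPAM/provisioning system, which is what keeps the ACL current.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")
]

# Constructed query-log lines (RFC 5737 documentation addresses). Layout is an
# assumption modelled on "client IP#port: query: NAME CLASS TYPE FLAGS (server)";
# a leading '+' in FLAGS means recursion desired, '-' means it was not.
SAMPLE_LOG = """\
client 192.0.2.17#53211: query: www.example.com IN A + (192.0.2.53)
client 203.0.113.9#4099: query: example.net IN ANY +E (192.0.2.53)
client 198.51.100.5#61002: query: mail.example.net IN MX + (192.0.2.53)
client 203.0.113.9#4100: query: example.net IN ANY +E (192.0.2.53)
client 198.18.0.44#1234: query: example.org IN A - (192.0.2.53)
"""

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: (?P<name>\S+) "
    r"(?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def is_customer(ip: str) -> bool:
    """True if the source address falls inside any customer prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_PREFIXES)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rd"] = rec["flags"].startswith("+")  # recursion desired?
    return rec


def external_recursive_queries(log: str) -> list:
    """Return the records where an outside host asked this server to recurse."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec["rd"] and not is_customer(rec["ip"]):
            hits.append(rec)
    return hits


def summarize(hits: list) -> dict:
    """Count offending queries per outside source address."""
    return dict(Counter(h["ip"] for h in hits))


def render_allow_recursion(prefixes) -> str:
    """Render a BIND-style acl plus allow-recursion clause from the prefix list."""
    body = "".join(f"    {net};\n" for net in prefixes)
    return (
        'acl "customers" {\n' + body + "};\n"
        "options {\n    allow-recursion { customers; };\n};\n"
    )


if __name__ == "__main__":
    found = external_recursive_queries(SAMPLE_LOG)
    for ip, n in summarize(found).items():
        print(f"{ip}: {n} recursion-desired queries from outside the allocations")
    print(render_allow_recursion(CUSTOMER_PREFIXES))
```

The non-RD query from 198.18.0.44 is deliberately not flagged: an authoritative-only lookup from outside is normal, and the point of the audit is to separate that traffic from the recursion that an open resolver should not be performing for strangers.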
