In this newly released paper, Randal Vaughn and Gadi Evron discuss the threat of Distributed Denial of Service (DDoS) attacks that use recursive DNS name servers open to the world. The study is based on case studies of several attacked ISPs, with reported attack volumes of 2.8Gbps. One reported event indicated attacks reaching as high as 10Gbps and using as many as 140,000 exploited name servers.
According to the paper, the general threat has been known for several years; what makes these new attacks so dangerous is the massive scale seen recently and the abuse of extended DNS functionality.
The paper begins with an overall description of the attacks, which rely on UDP spoofing and IP packet fragmentation, and then continues with a very detailed technical description of how it all works.
In its conclusions the paper also discusses some possible solutions.
Based on the information we have received, the paper is a pre-release made in response to recent threats and the lack of information available to the operational community; it was originally planned as an academic paper.
To obtain a full PDF copy of this paper, click here.
We need to be careful in proposing a suggested solution.
Inclusive Namespace roots provide public resolvers for users whose ISPs are too stubborn or dumb to provide their users with choice. Customers of such ISPs can simply decide to use the public resolvers provided by the INS roots, like Public Root or ORSC.
Shutting off user choice by suggesting that ISPs block outbound 53/TCP, 53/UDP will take away that choice.
I’m sure that some ICANN sycophants will be happy about this and if I were the suspicious type, I’d say that this sudden “awareness” of a “severe security problem” that has been around for a long time may be planned by those who are becoming uncomfortable with the ever increasing number of people who are abandoning the ICANN root in favor of DNS Service Providers (DSPs) who provide a view of the entire internet and don’t impose non-related policies (UDRP) on domain registrants.
What better way to kill the INS than by putting up a security straw man and scaring people, especially ISPs, into taking away DNS choices from internet citizens. I am especially suspicious about this after seeing who was quoted in the recent MSNBC piece about the so-called “new” security risk that has “just been discovered”. His jihad against allowing internet citizens to have freedom to choose their DSP from among global choices is well known to all.
Watch out here - there may be more to this story than meets the eye…
I think the conspiracy theorising is a little over the top in the face of an actual multi-gigabit DDoS attack. TCP SYN flooding was a purely theoretical attack for a while there too before anyone actually exploited it maliciously. Such is the nature of the beast.
In any case, the suggested solution is not to block outbound DNS queries from rank-and-file hosts, but for DNS servers to offer recursive service only to those hosts considered “local”. Where this can’t be achieved by a configuration change to the DNS server, it could be achieved by firewalling the server.
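The mitigation described in the reply above (recursion only for “local” hosts) can be checked against a resolver’s own query log. The following is an added example, not code from the paper or from anyone in this thread; the log format is a simplified BIND 9 query-log style, and the local prefixes, sample lines and function names are all constructed assumptions.

```python
"""Added example: flag recursive queries a resolver answered for clients outside its
own networks. Log format (simplified BIND 9 query log) and prefixes are assumptions."""
import ipaddress
import re
from collections import Counter

# Assumed local prefixes: the only clients that should receive recursive service.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines. Flags after the query type: '+' recursion desired, '-' not;
# 'E' = EDNS present, which lets responses grow well past 512 bytes (the amplifier).
SAMPLE_LOG = """\
client 192.0.2.10#53211: query: www.example.com IN A +E
client 198.51.100.7#12345: query: example.org IN ANY +E
client 198.51.100.7#12345: query: example.org IN ANY +E
client 203.0.113.9#4096: query: big.example.net IN TXT +E
client 203.0.113.9#4097: query: big.example.net IN TXT +
client 203.0.113.9#4098: query: big.example.net IN TXT -E
client 10.1.2.3#40000: query: mail.example.com IN MX +
"""

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")

def parse_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rd"] = rec["flags"].startswith("+")  # RD bit set: client asked for recursion
    rec["edns"] = "E" in rec["flags"]
    return rec

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def external_recursive_clients(log_text):
    """Map each non-local client to (recursive queries answered, of which EDNS).
    A non-empty result means the server answers recursion for the world and can
    serve as an amplifier; the fix is limiting recursion to LOCAL_NETS."""
    rd, edns = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["rd"] or is_local(rec["ip"]):
            continue  # unparsable, not recursive, or a legitimately local client
        rd[rec["ip"]] += 1
        edns[rec["ip"]] += int(rec["edns"])
    return {ip: (rd[ip], edns[ip]) for ip in rd}
```

Running `external_recursive_clients(SAMPLE_LOG)` on the constructed log reports the two outside clients that were granted recursion; an empty result after the configuration or firewall change confirms the server is no longer an open recursive name server.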
That’s another aspect of the problem, and perhaps the one more dangerous to internet freedom: demonizing all ORNs.
There is a legitimate reason for ORNs to exist. The reason is to allow users whose ISPs don’t support the INS to use it if they want.
What’s the difference between an ISP intercepting all 53/UDP and 53/TCP requests and forwarding them to its own resolver whose hints file contains the list of corrupt and ancient ICANN root servers, and blacklisting the addresses of INS resolvers?
From the end-user’s point of view - nothing. They are still denied choice, one way or the other. Turning off all INS ORNs is closing off the only avenue some users have to access the inclusive namespace.