nanog mailing list archives

Re: DNS deluge for x.p.ctrc.cc

From: bmanning () vacation karoshi com
Date: Sat, 25 Feb 2006 08:41:01 +0000

] other cctld servers have seen what are effectively ddos.  rob thomas
] seems to have the most clue on this, so i hope this troll will entice
] him to speak.

Did someone say "troll?"  :)

Yes, this is a real problem.  These attacks have exceeded several
gigabits per second in size, and during one attack 122K DNS name
servers were abused as amplifiers.  Ouch!

This abuse can be mitigated.  Here are a few tips.


        <there has -GOT- to be a better name for this>

Limit recursion to trusted netblocks and customers.  Do not permit
your name servers to provide recursion for the world.  If you do,
you will contribute to one of these attacks.


        <recursion is a fundamental DNS design feature,
         restricting it to "walled gardens" cripples its usefullness>

Watch for queries to your name servers that ask for "ANY" related
to a DNS RR outside of the zones for which you are authoritative.
This DNS RR will be LARGE.


        <a valid concern, w/ the following caveat:  LARGE, relative
         to current traffic>

Limit UDP queries to 512 bytes.  This greatly decreases the
amplification affect, though it doesn't stop it.


        <limiting UDP to 512 has other, unwanted effects,
         edns0 for one... crippling ENUM, DNSSEC, IPv6, etc...
         is this really what is wanted?>

Scan your IP space for name servers that permit recursive queries.
It's amazing just how many of these name servers exist.


        <yup... again, a feature that has made the DNS as useful as
        it has become>


Refer to the following guides for some excellent insight and
suggestions.

   <http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf>
   <http://cc.uoregon.edu/cnews/winter2006/recursive.htm>
   <http://dns.measurement-factory.com/surveys/sum1.html>

Note we have our own Secure BIND Template which will help on the
BIND side of life.

   <http://www.cymru.com/Documents/secure-bind-template.html>

If you need assistance with any of this, have endured one of these
attacks, or have any other questions, please don't hesitate to ping
on us at team-cymru () cymru com.  We're here to assist!

Thanks!
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);


        ok, so i'm being a bit of a curmudgion here but just how,
        if we throttle DNS to the minimum suite for todays services,
        can we be expected to add new features/services?   grump grump grump...

-- (grumpy) bill

Current thread:

Re: DNS deluge for x.p.ctrc.cc, (continued)
- - Re: DNS deluge for x.p.ctrc.cc brett watson (Feb 24)
    - Re: DNS deluge for x.p.ctrc.cc Randy Bush (Feb 24)
    - Re: DNS deluge for x.p.ctrc.cc Gadi Evron (Feb 24)
    - Re: DNS deluge for x.p.ctrc.cc brett watson (Feb 24)
- RE: DNS deluge for x.p.ctrc.cc Estes, Paul (Feb 24)
  - Re: DNS deluge for x.p.ctrc.cc Gadi Evron (Feb 24)
- Re: DNS deluge for x.p.ctrc.cc Rob Thomas (Feb 24)
  - Re: DNS deluge for x.p.ctrc.cc Stephen Stuart (Feb 24)
  - Re: DNS deluge for x.p.ctrc.cc Chris Adams (Feb 24)
    - Re: DNS deluge for x.p.ctrc.cc Jon Lewis (Feb 25)
  - Re: DNS deluge for x.p.ctrc.cc bmanning (Feb 25)
    - Re: DNS deluge for x.p.ctrc.cc Nicholas Suan (Feb 25)
    - Re: DNS deluge for x.p.ctrc.cc Rob Thomas (Feb 25)
    - Re: DNS deluge for x.p.ctrc.cc Randy Bush (Feb 25)
    - Re: DNS deluge for x.p.ctrc.cc Paul Vixie (Feb 26)
    - Re: DNS deluge for x.p.ctrc.cc Paul Vixie (Feb 26)
    - Re: DNS deluge for x.p.ctrc.cc Jon Lewis (Feb 26)
    - Re: DNS deluge for x.p.ctrc.cc Joe Provo (Feb 25)
    - Re: DNS deluge for x.p.ctrc.cc Joe Abley (Feb 26)
    - Re: DNS deluge for x.p.ctrc.cc Christopher L. Morrow (Feb 26)
    - Re: DNS deluge for x.p.ctrc.cc Paul Vixie (Feb 26)

(Thread continues...)