As a matter of policy it is a bad idea to attempt to architect around
misconfigured systems.
This should probably be mentioned in threats but the only long term fix
here is for recursive DNS servers that accept unrestricted,
unauthenticated requests to have code in them to make sure they are not
doing this sort of thing.
From a tactical perspective amplified DNS attacks are vastly easier to
control than a random spoofed source attack, simply drop the traffic
from the offending sites which will in any case be seeing a heavy load.
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of
william(at)elan.net
Sent: Monday, February 27, 2006 10:46 AM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: [ietf-dkim] Threats Issue - Large DNS records make
servers targets for spoofed source amplification attacks abuse
There have been a lot of discussions going on in the last few
days at NANOG and other dns operations lists that are related
to issue of public recursive dns servers being used to
amplify an attacks:
http://www.gossamer-threads.com/lists/nanog/users/89657
http://lists.oarci.net/pipermail/dns-operations/2006-February/
thread.html
The general description of the problem is that bad guys are
sending spoofed udp packets to servers in a way so that the
servers would send data (to spoofed source) that is
considerably larger then the original request - thus the
amplification. For more information, you may want to read
http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
In current case with DNS abuse documented above, most (almost
all) dns servers only have records that a small and so the
servers are not good targets for any significant
amplification. So attackers are basically poisoning recursive
nameservers with their own large data as a way to get them to
become good targets and good amplifiers - this has been quite
successful and is currently major issue for dns operations
and security folks.
Getting back to this group work - you are expecting to
introduce large DNS records as a mainstream for many dns
servers. This would make such servers a great target for use
in amplification attacks even if those servers are not
configured to do recursion. This is bad and potential for
such an attack and abuse for anyone using DKIM must be
documented and it must be made clear that servers with DKIM
records may become targets for use in DNS amplification
attacks. In fact the larger the record you put in dns, the
better target for such an attack it becomes!
Note that there is currently no good solution to this issue
for UDP protocols (most either do TCP-like session
establishment before sending large data or they are
engineered so that responses can be limited with ACLs to only
specified group of systems, i.e. local LAN in case of DHCP).
My personal view is that if there is a way to avoid
introducing large records into UDP one query-response
situation, that it absolutely must be done. So I would see as
best solution a replacement of public keys in dns with an
approach that uses a lot smaller fingerprints in DNS.
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html