spf-discuss

Re: Re: DNS load research

2005-03-24 09:52:52
Michael Hammer wrote:
> On Wed, 23 Mar 2005 20:51:35 -0500, Radu Hociung <radu(_at_)ohmi(_dot_)org> wrote:
>
>> I was thinking some more about the scenario, and I think that the
>> following conclusion did not come across very well:
>>
>> The severity of the DDOS is a quadratic function of the query limit
>> implemented by the SPF checkers.
>>
>> Each of the two multiplication factors is a linear function of the query
>> limit. Since they get multiplied, the overall result is proportional to
>> the square of the query limit.
>>
>> Indeed, if the query limit that ohmi.org would do were 10 queries, the
>> numbers would become (L = limit):
>>
>> Traffic magnification: (2 * L * 100) / 60 = 33.33
>> Time magnification: (200ms * L) / 50ms = 40
>> Total amplification: 33.33 * 40 = 1,333
>> Aggregate DNS traffic: 1,333 * 1Mbit/s = 1.33Gbps



> Radu,
>
> I guess I have a couple of quibbles with your logic (I'm assuming your
> calculations are correct). How many DNS servers are sitting on a Gig
> pipe? If the trunk coming into the datacenter is gig or better, how
> many of the DNS servers have 10/100 ethernet connections rather than
> Gig?

I'm not 100% sure on the calculations either, and I was hoping that someone would go over them and do a sanity check. Hopefully not Scott-style, but more of an engineering check, where my assumptions are checked as well as my calculations and results. Perhaps David would do this? :) Hint, hint, thank you in advance :)

It would also be nice to invite a DNS engineer to the discussion, but unfortunately I don't know any.

I agree with you that very few DNS servers are sitting on Gigabit links.

> It's great to do calculations, but in the real world you would saturate
> the connection on most (many?) DNS servers before you would come close
> to your calculated number for bandwidth.

Saturating the link to the DNS server _is_ the problem. It means that many/most queries will be dropped (UDP is a send-and-forget protocol that, unlike TCP, does not check whether the packet was delivered). Since most everything on the internet works using names, if those names cannot be resolved to IP addresses, nothing works.

There are a lot of services using the DNS infrastructure, and I would hazard a guess that even if only half of DNS queries fail, a lot of these services would be disrupted. That is pretty much as bad as it can be. The next worst thing, after the internet becoming this useless, would be for it not to exist at all.

Without DNS, you can't browse to CNN, mail.yahoo.com, or your online stock broker. You can't resolve VoIP calls, you can't sync your network's time to the atomic NTP servers, and so on. With only a fraction of DNS services being available, the disruption would be just as great.

Sure, once you've already surfed to CNN, you're good until the info in your local DNS cache expires, so maybe you won't see much of a slowdown. It may take a few hours for that info to expire, and then you're in the same boat as everyone else.

Saturating the DNS servers is the worst thing that can happen to the Internet, I think. When the pipes are saturated with non-DNS traffic, it just takes longer to transfer files, but when DNS is saturated, you can't even start the connections, because you don't know where to connect.

Radu.
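The amplification arithmetic quoted in this message, written out as an added worked example that is not code from the spf-discuss thread or from either poster. It parameterises the calculation by the SPF checker's query limit L so the "quadratic in L" claim can be checked numerically, and adds the link-capacity cap that Michael Hammer raises. The numeric constants (2, 100, 60, 200 ms, 50 ms, 1 Mbit/s) are copied from the quoted calculation; what each one stands for is not explained on this page and is an assumption noted beside it. The 100 Mbit/s link used in the demo is likewise an assumed value for a 10/100 connected DNS server.

```python
# Added example, not code from the spf-discuss thread. Reproduces the
# quoted amplification arithmetic as functions of the query limit L.
# Constants are taken from the quoted message; their meaning is assumed.

QUERIES_PER_MECHANISM = 2   # assumed meaning of the factor 2 in (2 * L * 100) / 60
DNS_BYTES_PER_QUERY = 100   # assumed: the factor 100, bytes of DNS traffic per query
MAIL_BYTES_BASELINE = 60    # assumed: the divisor 60, bytes of mail traffic compared against
MS_PER_QUERY = 200          # from the quote: 200 ms of checker time per DNS query
MS_BASELINE = 50            # from the quote: 50 ms baseline per message
ATTACKER_MBPS = 1.0         # from the quote: 1 Mbit/s of attacker mail traffic


def traffic_magnification(limit):
    """DNS bytes generated per byte of attacker traffic; linear in L."""
    return QUERIES_PER_MECHANISM * limit * DNS_BYTES_PER_QUERY / MAIL_BYTES_BASELINE


def time_magnification(limit):
    """Checker time per message relative to the baseline; linear in L."""
    return MS_PER_QUERY * limit / MS_BASELINE


def total_amplification(limit):
    """Product of two factors that are each linear in L, hence quadratic in L."""
    return traffic_magnification(limit) * time_magnification(limit)


def aggregate_dns_mbps(limit, attacker_mbps=ATTACKER_MBPS):
    """Aggregate DNS load in Mbit/s generated from the attacker's bandwidth."""
    return total_amplification(limit) * attacker_mbps


def delivered_dns_mbps(limit, link_mbps, attacker_mbps=ATTACKER_MBPS):
    """Michael Hammer's objection: the target's link caps what actually arrives.

    Returns (offered, delivered) in Mbit/s. Everything above the cap is
    dropped, which is Radu's point about UDP queries being lost.
    """
    offered = aggregate_dns_mbps(limit, attacker_mbps)
    return offered, min(offered, link_mbps)


def scaling_ratio(limit):
    """Amplification at 2L divided by amplification at L; 4.0 means quadratic."""
    return total_amplification(2 * limit) / total_amplification(limit)


if __name__ == "__main__":
    # Assumed: a DNS server on a 100 Mbit/s (10/100 ethernet) link.
    for L in (1, 2, 5, 10, 20):
        offered, delivered = delivered_dns_mbps(L, link_mbps=100)
        print(f"L={L:2d}  traffic x{traffic_magnification(L):7.2f}  "
              f"time x{time_magnification(L):6.1f}  "
              f"total x{total_amplification(L):8.1f}  "
              f"offered {offered:8.1f} Mbit/s  delivered {delivered:6.1f} Mbit/s")
```

With the quoted constants, L = 10 gives the 33.33 / 40 / 1,333 figures from the message, and doubling L multiplies the total by four; the `delivered` column shows that the assumed 100 Mbit/s link is already saturated at L = 3, well below the computed 1.33 Gbit/s, which is the point both posters end up agreeing on.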



