[ratelimits] RRL vs other approaches

Vernon Schryver vjs at rhyolite.com
Sat Feb 23 14:51:14 UTC 2013 

> > the subsequent udp queries you would prospectively receive following
> > a successful tcp session in the above scenario need not be truly sourced.
>
> This is true, but we shouldn't make the perfect the enemy of the
> merely good, nor look for a 'silver bullet'.  FYI, I haven't yet seen
> an attacker a) authenticate via TCP and then b) zorch the servers in
> question by spoofing the authenticated source IP; and even if an
> attacker chose to do so, other means of classifying and mitigating the
> attack traffic (such as RRL and other tools/techniques) should be
> utilized.

That you manage to "authenticate" some DNS requests from 10.2.3.4
using TCP, TSIG, or any other scheme IMPLIES NOTHING about other
UDP requests that claim to be from 10.2.3.4.

It is not the attacker that would "a) authenticate via TCP", but
the victim.  After the victim authenticates itself, it would be
wrong to trust the UDP/IP source address in the packets from the
attacker.

During real attacks, reflectors using RRL and SLIP see the victim
continually "a) authenticate via TCP" even as the bad guy continues
to "b) zorch the servers in question by spoofing the authenticated
source IP".

There is no way in the current DNS protocol to connect the
"authenticating" done with a TCP handshake to UDP packets that
happen to have the same IP source address.  DNS Cookies seems to
be a good way to do that but there are no known implementations of
https://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03
for either DNS clients or DNS servers.



> Disallowing ANY queries during an attack as a means of partial service
> recovery is also a legitimate reaction, if other methods fail to
> mitigate the attack or are not available.  One must understand the
> consequence of doing so, of course; but it shouldn't be ruled out
> entirely, it just shouldn't be a default stance.

That relies on the false assumption that ANY is a required or
universal aspect of DNS reflection DoS attacks.  In the real world
of DNS reflection attacks, ANY is neither required nor always used.

****** MANY REAL RELFECTION ATTACKS DO NOT USE any  *****

Besides, RRL deals with attackers that use ANY by "disallowing ANY
queries during an attack" (provided each valid qname is repeated more
than the threshold, which can be as low as 5 qps).  The basic idea of
RRL is to disallow not just ANY but whatever qtype is used (again
provided the qname is above the threshold).

(I was going to belabor NXDOMAIN and referral counting in RRL, but
that would be premature.)


Vernon Schryver    vjs at rhyolite.com

More information about the ratelimits mailing list