[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Mar 6 09:37:24 UTC 2013

On 03/05/2013 04:29 PM, Vernon Schryver wrote:
>> From: Matthijs Mekking <matthijs at nlnetlabs.nl>
>>> The paper says that RRL does well against "varying query attacks"
>>> for non-existent names or NXDOMAIN responses.  The problem with
>>> "varying query attacks" for valid names is that as far as the DNS
>>> server can determine, a "varying query attack" for valid names is
>>> the same as the request stream from a perfectly legitimate recursive
>>> resolver used by many stub resolvers.  Blocking or dampening
>>> legitimate responses to the recrusive resolvers of large ISPs would
>>> be unacceptable except for hobby DNS servers.
>> Yes, the attack looks like legitimate traffic, which is the reason why
>> it is hard to detect. You probably can only differentiate between legit
>> traffic and an attack because of the increased traffic load.
> Increased traffic can come from many legitimate causes.  For example,
> if a large ISP restarts some of its recursive resolvers, those resolvers
> temorarily increase their load because their caches will be empty.
> There will be also be increased load when an Internet outage is fixed.
> Second, we are not mitigating attacks on authoritative servers.  Attacks
> on authoritative servers matter, but are irrelevant here.  The many
> past DNS DoS reflection attacks that have overloaded the reflecting
> servers have been errors by attackers.
> To say what I tried to say before but was unclear, the problem is not
> to detect and mitigate attacks.  It is always easy to solve such
> problems if you ignore false positives and collateral damage.  Instead,
> the problem is to mitigate attacks without harming legitimate traffic.
> We must try to follow the doctor's oath to "First do no harm."

Thanks for the more detailed explanation and I agree with that.

In this thread I am thinking out loud what characteristics are there to
distinguish those more sophisticated attacks from legit traffic.
Increased (outbound) traffic load is one of this, but you are right that
it is too dangerous to assume that this is from an attack. It could very
well be that the outcome is that there are no clear distinguishable
characteristics between those attacks and legit traffic (which is an
outcome I don't like).

>>> I don't have words for the notion of blocking or dampening DNSSEC
>>> responses in the name of security.
>> Nobody is saying that.
> On the contrary, many people have said that, although they did not
> understand that they were saying it.  There have been many suggestions
> block or dampen based on response size.  Blocking or dampening based
> on response size implies blocking or dampening of DNSSEC, because
> DNSSEC responses are 5 to 30 times larger.

But only after you see a certain amount of similar responses. Speaking
for myself, I said we could consider adding weights to classification.
You interpret that as if I was saying we should block DNSSEC responses.
No, that is not what I said.

ANY queries will still trigger the largest responses, while they should
not occur frequently. It is much clearer to determine that a flood of
ANY queries is an attack than a flood of "various queries that trigger
reasonable amplification". Therefore, I can relate to the idea of adding
weights to the rrl classifications.

>> I think both "varying query attacks" and distributed attacks are serious
>> problems. In both cases the goal of the attacker is to maintain
>> undetected by the name server.
> No, the main goal of the attacker is to attack the victim.  Remaining
> undetected at the reflecting DNS server is at most a secondary goal.
> Solving the wrong problem is a serious and common error.  Turning off
> ANY requests is a nearby example.

Yes, first goal is to attack the victim, of course. Now the attacks
don't work anymore, because they were detected. So now they make attacks
that will attack the victim, because the new attacks remain undetected.

Best regards,

> Vernon Schryver    vjs at rhyolite.com
> _______________________________________________
> ratelimits mailing list
> ratelimits at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/ratelimits

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 553 bytes
Desc: OpenPGP digital signature
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20130306/153b1d25/attachment.pgp>

More information about the ratelimits mailing list