On 3 Oct 2006, at 2:21 PM, Alexander Gall wrote:

On Tue, 3 Oct 2006 05:58:28 -0400, Matt Larson <[EMAIL PROTECTED]> said:

Can you point us to even one 4Kb response from an authoritative
server?

This one is close:

; <<>> DiG 9.4.0b1 <<>> @192.134.0.49 195.in-addr.arpa. any +dnssec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1806
;; flags: qr aa rd; QUERY: 1, ANSWER: 19, AUTHORITY: 0, ADDITIONAL: 17
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
195.in-addr.arpa.       172800  IN      NS      tinnie.arin.net.
195.in-addr.arpa.       172800  IN      NS      ns3.nic.fr.
195.in-addr.arpa.       172800  IN      NS      sec1.apnic.net.
195.in-addr.arpa.       172800  IN      NS      sec3.apnic.net.
195.in-addr.arpa.       172800  IN      NS      sunic.sunet.se.
195.in-addr.arpa.       172800  IN      NS      ns-ext.isc.org.
195.in-addr.arpa.       172800  IN      NS      ns-pri.ripe.net.

<smile>
Can you now point to the remaining 34,493 other authoritative servers needed to launch an attack of the magnitude that Matt was referring to? (There are reverse-address-space entries that have an insane number of PTR RRs for virtual servers; you may find a fair number of those servers too.)
</smile>


On the topic:
I support the document with the understanding that this is not a magic bullet. IMHO the document does not claim that.

I am not saying that Dean is incorrect. It is possible to use authoritative servers to launch attacks. Given sufficient amplification (which will be easier with DNSSEC deployed), given sufficient authoritative servers, given sufficient bots, those attacks can (shall?) be damaging. As Matt just 'doubted', the problem caused by open recursive servers is of another order of magnitude than all the other attacks (currently). For me, the trade-off between patching this problem and having open-recursive servers available for troubleshooting comes out in favor of closing the open-recursive servers.

Obviously proper source origination of UDP is the answer. But even in the case of universal BCP38 deployment, a big botnet with an appropriate control channel bursting away queries with valid source addresses to one specific host might still generate significant problems.

I don't like that we are at the point where this document is needed, but I do consent.

--Olaf



-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/
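The thread's two concerns, open recursion and ANY +dnssec queries as the amplification vector, can both be checked from a resolver's own query log. The following is an added example, not part of the original message: it parses constructed log lines written in the BIND 9 querylog style (format and flag letters `+` for RD and `D` for DO are assumed), reports clients outside the operator's permitted networks that requested recursion, and lists sources repeatedly sending ANY queries with the DO bit set.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in BIND 9 querylog style; not real traffic.
# Flag field: leading '+' = recursion desired, 'E' = EDNS, 'D' = DO bit.
SAMPLE_LOG = """\
client 192.0.2.10#4711 (195.in-addr.arpa): query: 195.in-addr.arpa IN ANY +ED (198.51.100.1)
client 192.0.2.10#4712 (195.in-addr.arpa): query: 195.in-addr.arpa IN ANY +ED (198.51.100.1)
client 192.0.2.10#4713 (isc.org): query: isc.org IN ANY +ED (198.51.100.1)
client 10.1.2.3#5353 (www.example.net): query: www.example.net IN A +E (198.51.100.1)
client 10.1.2.4#5354 (mail.example.net): query: mail.example.net IN MX + (198.51.100.1)
client 203.0.113.7#6000 (example.org): query: example.org IN A + (198.51.100.1)
client 203.0.113.9#6001 (example.org): query: example.org IN AAAA -E (198.51.100.1)
"""

LINE_RE = re.compile(r"client (\S+)#\d+ \(\S+\): query: (\S+) IN (\S+) (\S+)")


def parse(line):
    """Return client, qname, qtype and decoded flags, or None for non-query lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    client, qname, qtype, flags = m.groups()
    return {"client": client, "qname": qname, "qtype": qtype,
            "rd": flags.startswith("+"), "do": "D" in flags}


def audit(log, allowed_nets, any_threshold=2):
    """Flag recursion requests from outside allowed_nets and ANY+DO heavy hitters.

    allowed_nets: CIDR strings for clients this resolver is meant to serve.
    any_threshold: minimum ANY+DO queries before a source is reported.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    outside_rd = Counter()   # RD=1 from clients we should not recurse for
    any_dnssec = Counter()   # ANY queries with DO set, per client
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip = ipaddress.ip_address(rec["client"])
        inside = any(ip in n for n in nets)
        if rec["rd"] and not inside:
            outside_rd[rec["client"]] += 1
        if rec["qtype"] == "ANY" and rec["do"]:
            any_dnssec[rec["client"]] += 1
    flagged = sorted(c for c, n in any_dnssec.items() if n >= any_threshold)
    return {"outside_recursion": dict(outside_rd), "any_dnssec_sources": flagged}
```

A non-empty `outside_recursion` means the server is answering recursion requests for clients it was not configured to serve, which is the open-resolver condition the message argues for closing.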
