Options
paul vixie speaks on the recent dns ddos
if you run a dns server and have'nt been aware of this
you are probubly already an unwilling amplifier
externally run a
dig . NS @namserver
or use the sans tool to see if you're open for buisness
SANS Internet Storm Center; Cooperative Network Security Community - Internet SecurityDNS Test - isc
SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
From: Paul Vixie
Date: Wed Jan 28 14:30:23 2009
List-archive: <http://mailman.nanog.org/pipermail/nanog>
List-help: <mailto:nanog-request@nanog.org?subject=help>
List-id: North American Network Operators Group <nanog.nanog.org>
List-post: <mailto:nanog@nanog.org>
List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=subscribe>
List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=unsubscribe>
> Pretty soon we need an RBL for DNS-oriented DDoS attacks.
in the classic sense, you're wrong. in a neoclassic sense: "maybe". let me
explain. the original RBL was designed to reject TCP/25 (SMTP) transactions
based on source address reputation. we had a false start where we blackholed
these addresses as destinations, figuring that if they couldn't hear our ACK
then we would never get into TCP with them. then we decided to reject inside
the SMTP server and that's what the world has settled on. but throughout, we
have been able to bind a reputation to an IP address and act in some way based
on that reputation because TCP more or less requires that a real IP address
be used. we're seeing cracks at the edges of this model now, because so many
core routers have login: cisco; password: cisco, and it's now trivial for any
spammer to inject BGP that either lights up unallocated space or cuts out a
piece of somebody else's allocated block. this makes it possible to very
temporarily and untraceably speak TCP from addresses that have no reputation
(if they're unallocated) or that have a good reputation (if they're cutouts).
DNS-oriented attacks are of a completely different kind. today's attacks were
precisely described in <http://www.icann.org/en/committees/security/sac004.txt>
(which wasn't news in october 2002 but somebody had to write it down so i did).
the important statement out of that 4-page document is: "Source addresses that
appear at Border or Interior connections are nonrepudiable by nature..." and
that statement bears on the question of RBL for DNS-oriented DDoS attacks since
the address we'd have to assign a reputation to is the victim, so all we can
do is make an attack worse (by denying service to the victim's real traffic.)
i've pondered whether a network reputation service based on morality rather
than behaviour could possibly work. in other words an RBL-like entity that
did not prevent attacks, but rather, which denied service to collaborators.
if someone claims they can't deploy BCP38 and if their network or nameserver
is then used as a launch point for spoofed packets toward reflectors and
amplifiers, then would anyone be willing to deny service to them -- to paint
them as having a negative reputation even though their "sin" is laziness or
cluelessness rather than malevolent intent? and if someone claims they can't
turn off open recursion and they get used as an amplifier, would anyone here
be willing to deny that recursive server access to their authority server, not
on the basis that it might attack them, but strictly to pressure an upgrade?
note, i'm speaking as a concerned internet citizen here, not as an ARIN
trustee or as ISC's president. i really want to know if folks would be
willing to shun eachother not on the basis of evil but rather complacency.
you are probubly already an unwilling amplifier
externally run a
dig . NS @namserver
or use the sans tool to see if you're open for buisness
SANS Internet Storm Center; Cooperative Network Security Community - Internet SecurityDNS Test - isc
SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
From: Paul Vixie
Date: Wed Jan 28 14:30:23 2009
List-archive: <http://mailman.nanog.org/pipermail/nanog>
List-help: <mailto:nanog-request@nanog.org?subject=help>
List-id: North American Network Operators Group <nanog.nanog.org>
List-post: <mailto:nanog@nanog.org>
List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=subscribe>
List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=unsubscribe>
> Pretty soon we need an RBL for DNS-oriented DDoS attacks.
in the classic sense, you're wrong. in a neoclassic sense: "maybe". let me
explain. the original RBL was designed to reject TCP/25 (SMTP) transactions
based on source address reputation. we had a false start where we blackholed
these addresses as destinations, figuring that if they couldn't hear our ACK
then we would never get into TCP with them. then we decided to reject inside
the SMTP server and that's what the world has settled on. but throughout, we
have been able to bind a reputation to an IP address and act in some way based
on that reputation because TCP more or less requires that a real IP address
be used. we're seeing cracks at the edges of this model now, because so many
core routers have login: cisco; password: cisco, and it's now trivial for any
spammer to inject BGP that either lights up unallocated space or cuts out a
piece of somebody else's allocated block. this makes it possible to very
temporarily and untraceably speak TCP from addresses that have no reputation
(if they're unallocated) or that have a good reputation (if they're cutouts).
DNS-oriented attacks are of a completely different kind. today's attacks were
precisely described in <http://www.icann.org/en/committees/security/sac004.txt>
(which wasn't news in october 2002 but somebody had to write it down so i did).
the important statement out of that 4-page document is: "Source addresses that
appear at Border or Interior connections are nonrepudiable by nature..." and
that statement bears on the question of RBL for DNS-oriented DDoS attacks since
the address we'd have to assign a reputation to is the victim, so all we can
do is make an attack worse (by denying service to the victim's real traffic.)
i've pondered whether a network reputation service based on morality rather
than behaviour could possibly work. in other words an RBL-like entity that
did not prevent attacks, but rather, which denied service to collaborators.
if someone claims they can't deploy BCP38 and if their network or nameserver
is then used as a launch point for spoofed packets toward reflectors and
amplifiers, then would anyone be willing to deny service to them -- to paint
them as having a negative reputation even though their "sin" is laziness or
cluelessness rather than malevolent intent? and if someone claims they can't
turn off open recursion and they get used as an amplifier, would anyone here
be willing to deny that recursive server access to their authority server, not
on the basis that it might attack them, but strictly to pressure an upgrade?
note, i'm speaking as a concerned internet citizen here, not as an ARIN
trustee or as ISC's president. i really want to know if folks would be
willing to shun eachother not on the basis of evil but rather complacency.
rm -rf /
Comments
-
Options
msteinhilber
Member Posts: 1,480 ■■■■■■■■□□
Unrelated, but for some reason it annoys me that an individual such as Paul Vixie (president of ISC) would write to a list without using proper grammar (capitalization) - doesn't really bother me as much/if at all when it's your everyday joe on a message forum or list for some reason but when it's an organizations president I guess I hold my standards higher. -
Options
JDMurray
Admin Posts: 13,031 Admin
It appears that Vixie's grammar has gotten tab bit worse in the past six months. Compare the writing of the above post with this post from last June: EC2 and GAE means end of ip address reputation industry?
Maybe he was in a hurry and didn't take time to proof it.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray