DNS Amplification and Open Resolvers

Various folk have been proposing to solve the DNS Amplification DDoS problem by closing down open resolvers.

As the informative videos at Team Cymru note amplification attacks require two things:

a) The ability to spoof packets

Currently about 14% of the Internet can spoof packets, a few years back it was 25%. Generally BCP38 is the document referred to, although I can imagine sometimes it is more complicated.

b) A protocol for which the first response packet is larger than the initial request

Currently about 25 million open resolvers are known.

It would seem natural that dealing with “b” would be a sensible solution to the problem. However consider the DNS request:

dig +edns=0 @ns4.google.com google.com any

This produces considerable amplification (query is 39 bytes, response is 612 bytes – x15) without using any recursive resolver. The server ns4.google.com is authoritative. Some authoritative servers also produce large responses for requests they shouldn’t receive (referrals). The answer with DNSSEC is 28 v 460 or x16 amplification because Google aren’t using DNSSEC for authoritative servers. CDC.GOV are mandated to use DNSSEC giving x78 amplification for the equivalent query which is better than used in most of the DDoS attacks.

Some authoritative servers have stopped answering “ANY” requests, but in general there is a large deployed body of servers which can perform DNS amplification on request. Switching off open resolvers is generally a case of correcting errors in configuration, changing authoritative name servers takes longer. DNSSEC and EDNS0 are making the opportunity for amplification from authoritative name servers worse.

DNS is not the only protocol where a response may be larger than the request, and having a response larger than a request is inherently a useful thing. DNS uses UDP for performance reasons, and the reason for EDNS0 is the recognition it is inherently useful to get the whole answer as quickly as possible.

For these reasons and others, even if the campaign to close down open resolvers is successful (and I have no objections to people tightening their DNS configurations), DNS based amplification attacks will not go away, let alone amplification attacks using other protocols. Indeed we may encourage the abusers to target resources such as “.GOV”, and core infrastructure name servers for these attacks, and I’m not sure that is what we want to achieve.

If not (b) open resolvers – then (a) – what is the impact of reducing the ability to spoof packets? Well spoofing has no legitimate uses, and makes certain classes of attack (including DNS poisoning) easier to do – since they can be done from a remote location rather than by intruding into the genuine path from client to server. So reducing this impacts no legitimate services, and makes the Internet marginally safer against certain other types of attack.

Reducing spoofing is not a cure all. If some bits of the Internet went “rogue” deliberately we would be vulnerable to similar attacks again, but currently we are fighting kids in basements, not large ISPs, Telecoms companies and routing engineers. On the other hand we know it may be achievable because it has been reduced substantially already. I don’t believe 14% represents some base amount that can’t be solved. A relatively small number of players are required to co-operate to resolve the issue, and keep it resolved (fewer than 25,000,000), and sanctions might be imposed by big players if they were motivated to address the issue more quickly.

Leave a Reply

Your email address will not be published. Required fields are marked *