[Nottingham] NTP Amplification DDoS Attack... Continues...

Mike Cardwell nlug at lists.grepular.com
Fri Feb 21 09:54:43 UTC 2014


* on the Fri, Feb 21, 2014 at 09:16:34AM +0000, Andy Smith wrote:

>> Must all new protocols be devised so that there is no opportunity for a
>> response size that is greater than the request data packet size? That
>> would be one fix but unfortunately wasteful for bandwidth :-(
> 
> It won't be possible to design all UDP protocols so that answers to
> requests can never be bigger than the request, as sometimes the
> answer you need is the answer you need and you can't make it
> smaller. e.g. You can't make some answers to DNS queries smaller
> than the query.

You could require that DNS requests are padded out to the maximum size
of a response. This isn't as wasteful as it sounds, because once a
response exceeds a certain size, you have to connect via TCP and
re-request it, at which point the handshake stops any spoofing.
That used to only be 512 bytes. I believe it is larger now though
because of EDNS (4KB maybe?)

Hmm. I've just had a thought... What if DNS servers were written
such that the first time they see a request from a particular
IP address, they respond with a "TRUNCATE", forcing the request
to be re-submitted via TCP, and only when it sees a TCP based
request, it should whitelist that IP for future UDP based
requests. That seems like it might help prevent DNS amplification
attacks, without having to modify the protocol.

> Certainly, all UDP protocols should be designed with the risk of
> spoofed source address in mind, however, and only allow large 
> responses where absolutely necessary.

And people who write software utilising these protocols should
always implement rate limiting.

> Likewise the applications using the protocol should default to a
> secure configuration where access to the potentially large responses
> is disabled by default and must be enabled on a case by case basis.
> For example, recursive DNS servers need to default to not offering
> recursion or even any queries at all, until configured to allow it.
> 
> Perhaps the most important thing is for all ISPs to implement BCP38:
> 
>     http://www.bcp38.info/
> 
> This would prevent any host spoofing a source address.

Tackling DDOS attacks would be *so* much easier if this was used
by everyone. It seems that the only way to get there would be to
force every ISP and data center to implement it, through
legislation. Don't implement it? Get cut off.

I'm guessing IPv6 doesn't help in any way for this?

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
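The "answer with TC the first time, whitelist the source once it completes a TCP query" idea above, together with the per-source rate limiting mentioned later in the post, can be modelled in a few lines. The following is an added illustration written for this page, not code from the list thread or from any real resolver. It uses a constructed toy zone and approximate DNS wire sizes (12-byte header, 16 bytes per A record) so that the amplification ratio of each reply can be compared with the query size; the TTL, refill rate and burst values are assumed tuning knobs, not recommendations.

```python
"""Toy model of a DNS server that never sends a large UDP reply to a
source address that has not yet completed a TCP query, plus a per-source
token bucket. Constructed example for illustration only."""
from dataclasses import dataclass, field

HEADER_BYTES = 12          # fixed DNS header
A_RECORD_BYTES = 16        # compressed name ptr(2)+type(2)+class(2)+ttl(4)+rdlen(2)+rdata(4)

# Constructed toy zone: one name with many A records so a full answer is big.
TOY_ZONE = {"example.test": [f"192.0.2.{i}" for i in range(1, 21)]}


def question_bytes(qname: str) -> int:
    # label bytes + root label + qtype + qclass (approximation of wire format)
    return len(qname) + 2 + 4


def query_bytes(qname: str) -> int:
    return HEADER_BYTES + question_bytes(qname)


@dataclass
class AmplificationGuard:
    whitelist_ttl: float = 600.0     # assumed: seconds a TCP-validated source stays trusted
    refill_per_sec: float = 20.0     # assumed: token bucket refill rate per source
    burst: float = 40.0              # assumed: bucket capacity per source
    _validated: dict = field(default_factory=dict)  # src_ip -> expiry timestamp
    _buckets: dict = field(default_factory=dict)    # src_ip -> (tokens, last_seen)

    def _take_token(self, src_ip: str, now: float) -> bool:
        tokens, last = self._buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.refill_per_sec)
        if tokens < 1.0:
            self._buckets[src_ip] = (tokens, now)
            return False
        self._buckets[src_ip] = (tokens - 1.0, now)
        return True

    def _full_answer_bytes(self, qname: str) -> int:
        return HEADER_BYTES + question_bytes(qname) + A_RECORD_BYTES * len(TOY_ZONE.get(qname, []))

    def udp_query(self, src_ip: str, qname: str, now: float):
        """Return (action, reply_bytes): 'drop', 'truncated' (TC=1, no answer
        section) or 'answer'. A truncated reply is never larger than the query,
        so an unvalidated spoofed source gets no amplification."""
        if not self._take_token(src_ip, now):
            return ("drop", 0)
        if self._validated.get(src_ip, 0.0) <= now:
            self._validated.pop(src_ip, None)
            return ("truncated", HEADER_BYTES + question_bytes(qname))
        return ("answer", self._full_answer_bytes(qname))

    def tcp_query(self, src_ip: str, qname: str, now: float):
        """A completed TCP handshake proves the source owns the address (for now),
        so record it and serve the full answer over the stream."""
        self._validated[src_ip] = now + self.whitelist_ttl
        return ("answer", self._full_answer_bytes(qname))


def amplification(qname: str, reply_bytes: int) -> float:
    """Bytes sent back per byte received: the number an attacker wants large."""
    return reply_bytes / query_bytes(qname)


if __name__ == "__main__":
    g = AmplificationGuard()
    for label, fn, t in (("udp first", g.udp_query, 0.0), ("tcp", g.tcp_query, 1.0), ("udp after", g.udp_query, 2.0)):
        action, size = fn("192.0.2.10", "example.test", t)
        print(f"{label:10s} {action:10s} {size:4d} bytes  x{amplification('example.test', size):.2f}")
```

The whitelist is keyed on the very field an attacker forges, so a source that legitimately validated over TCP can still be used as a reflection target until its entry expires; that is why the entry carries a TTL, and why the per-source bucket is applied before the whitelist check rather than after it. The token bucket also bounds the cost of the small TC replies themselves, which are otherwise still a 1:1 reflection.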