ietf-dkim

[ietf-dkim] Threats Issue - Large DNS records make servers targets for spoofed source amplification attacks abuse

2006-02-27 08:56:03

There have been a lot of discussions going on in the last few days
at NANOG and other DNS operations lists that are related to the issue of
public recursive DNS servers being used to amplify attacks:
 http://www.gossamer-threads.com/lists/nanog/users/89657
 http://lists.oarci.net/pipermail/dns-operations/2006-February/thread.html

The general description of the problem is that bad guys are sending
spoofed UDP packets to servers in a way that makes the servers send data (to the
spoofed source) that is considerably larger than the original request - thus the
amplification. For more information, you may want
to read http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf

In the current case of DNS abuse documented above, most (almost all)
DNS servers only have records that are small, and so the servers are not
good targets for any significant amplification. So attackers are
basically poisoning recursive nameservers with their own large data
as a way to get them to become good targets and good amplifiers - this
has been quite successful and is currently a major issue for DNS operations and security folks.

Getting back to this group's work - you are expecting to introduce large
DNS records as mainstream for many DNS servers. This would make such
servers a great target for use in amplification attacks even if those
servers are not configured to do recursion. This is bad, and the potential
for such an attack and abuse for anyone using DKIM must be documented,
and it must be made clear that servers with DKIM records may become
targets for use in DNS amplification attacks. In fact, the larger the
record you put in DNS, the better target for such an attack it becomes!

Note that there is currently no good solution to this issue for UDP protocols (most either do TCP-like session establishment before sending
large data, or they are engineered so that responses can be limited with
ACLs to only a specified group of systems, i.e. the local LAN in the case of DHCP).
My personal view is that if there is a way to avoid introducing large records into a UDP single query-response situation, it absolutely must be done. So I would see as the best solution a replacement of public keys in DNS with an approach that uses much smaller fingerprints in DNS.

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
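As an added illustration, not part of the original post, the following Python builds a plain (non-EDNS) DNS TXT query and the matching answer on the wire for a constructed DKIM selector record and reports the response-to-request byte ratio, which is the amplification the post is concerned about. The selector, domain and key material are placeholders; the key is a run of "A" characters sized like a base64-encoded 2048-bit RSA public key (392 characters), not a real key.

```python
import struct

# Constructed example record (placeholder key, not a real DKIM key).
EXAMPLE_NAME = "selector._domainkey.example.com"
EXAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + "A" * 392

def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending with a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 16) -> bytes:
    """Minimal query: 12-byte header (RD set, QDCOUNT=1) + one question (TXT, IN)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def txt_rdata(text: str) -> bytes:
    """TXT RDATA is a sequence of <length><chars> strings, each at most 255 bytes."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def build_txt_response(name: str, text: str, ttl: int = 3600) -> bytes:
    """Answer: header (QR, RD, RA; QDCOUNT=1, ANCOUNT=1) + echoed question + one TXT RR.
    The RR owner name is a compression pointer (0xC00C) to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 16, 1)
    rdata = txt_rdata(text)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    return header + question + rr

def amplification(name: str, text: str):
    """Return (request bytes, response bytes, response/request ratio) for a TXT lookup."""
    q = build_query(name)
    r = build_txt_response(name, text)
    return len(q), len(r), len(r) / len(q)

def example_amplification():
    """Amplification for the constructed DKIM-sized record above."""
    return amplification(EXAMPLE_NAME, EXAMPLE_RECORD)

if __name__ == "__main__":
    req, resp, ratio = example_amplification()
    print(f"request {req} bytes, response {resp} bytes, amplification x{ratio:.1f}")
```

A larger p= value grows the response while the request stays the same size, so the ratio rises with record length; a TCP-only or rate-limited resolver configuration changes the exposure, not the arithmetic.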
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html