| draft-ietf-dnsop-reflectors-are-evil-00.txt | draft-ietf-dnsop-reflectors-are-evil-01.txt | |||
|---|---|---|---|---|
| Network Working Group J. Damas | Network Working Group J. Damas | |||
| Internet-Draft ISC | Internet-Draft ISC | |||
| Expires: November 18, 2006 F. Neves | Expires: December 27, 2006 F. Neves | |||
| Registro.br | Registro.br | |||
| May 17, 2006 | June 25, 2006 | |||
| Preventing Use of Nameservers in Reflector Attacks | Preventing Use of Nameservers in Reflector Attacks | |||
| draft-ietf-dnsop-reflectors-are-evil-00.txt | draft-ietf-dnsop-reflectors-are-evil-01.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 35 | skipping to change at page 1, line 35 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on November 18, 2006. | This Internet-Draft will expire on December 27, 2006. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2006). | Copyright (C) The Internet Society (2006). | |||
| Abstract | Abstract | |||
| This document describes the use of default configured recursive name | This document describes the use of default configured recursive | |||
| servers as reflectors on DOS attacks. Recommended configuration as | nameservers as reflectors on DOS attacks. Recommended configuration | |||
| measures to mitigate the attack are given. | as measures to mitigate the attack are given. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Problem Description . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Problem Description . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Recommended Configuration . . . . . . . . . . . . . . . . . . . 4 | 3. Recommended Configuration . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 | 4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5.1. Normative References . . . . . . . . . . . . . . . . . . . 5 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5.2. Informative References . . . . . . . . . . . . . . . . . . 5 | 6.1. Normative References . . . . . . . . . . . . . . . . . . . 6 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6 | 6.2. Informative References . . . . . . . . . . . . . . . . . . 6 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 7 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 8 | ||||
| 1. Introduction | 1. Introduction | |||
| Recently, DNS [RFC1034] has been named as a major factor in the | Recently, DNS [RFC1034] has been named as a major factor in the | |||
| generation of massive amounts of network traffic used in Denial of | generation of massive amounts of network traffic used in Denial of | |||
| Service (DoS) attacks. These attacks, called reflector attacks, | Service (DoS) attacks. These attacks, called reflector attacks, are | |||
| while not being due to any particular flaw in the design of the DNS | not due to any particular flaw in the design of the DNS or its | |||
| or its implementations, have preferentially used DNS due to common | implementations, asides perhaps the fact that DNS relies heavily on | |||
| default configurations that allow for easy use of public recursive | UDP, the easy abuse of which is at the source of the problem. They | |||
| name servers that make use of such a default configuration. | have preferentially used DNS due to common default configurations | |||
| that allow for easy use of public recursive nameservers that make use | ||||
| of such a default configuration. | ||||
| In addition, due to the small query-large response potential of the | In addition, due to the small query-large response potential of the | |||
| DNS system it is easy to yield great amplification of the source | DNS system it is easy to yield great amplification of the source | |||
| traffic as reflected traffic towards the victims. | traffic as reflected traffic towards the victims. | |||
| DNS authority servers which do not provide recursion to clients can | ||||
| also be used as amplifiers; however, the amplification potential is | ||||
| greatly reduced when authority servers are used. It is also not | ||||
| practical to restrict access to authority servers to a subset of the | ||||
| Internet, since their normal operation relies on them being able to | ||||
| serve a wide audience, and hence the opportunities to mitigate the | ||||
| scale of an attack by modifying authority server configurations are | ||||
| limited. This document's recommendations are concerned with | ||||
| recursive nameservers only. | ||||
| In this document we describe the characteristics of the attack and | In this document we describe the characteristics of the attack and | |||
| recommend DNS server configurations that alleviate the problem, while | recommend DNS server configurations that specifically alleviate the | |||
| pointing to the only truly real solution to the problem, the wide- | problem described, while pointing to the only truly real solution, | |||
| scale deployment of Ingress Filtering to prevent use of spoofed IP | the wide-scale deployment of ingress filtering to prevent use of | |||
| addresses [BCP38]. | spoofed IP addresses [BCP38]. | |||
| 2. Problem Description | 2. Problem Description | |||
| Because of the fact that most of the DNS traffic is stateless by | Because most DNS traffic is stateless by design, an attacker could | |||
| design an attacker could make use of the following scenario to start | start a DoS attack in the following way: | |||
| a DOS attack using DNS packets: | ||||
| 1. The attacker starts by configuring a record (LRECORD) on an | 1. The attacker starts by configuring a record (LRECORD) on any zone | |||
| undistinct zone he has access to (AZONE), normally with large | he has access to (AZONE), normally with large RDATA and TTL. | |||
| RDATA and TTL. | ||||
| 2. Taking advantage of clients (ZCLIENTS) on non-BCP38 networks, the | 2. Taking advantage of clients (ZCLIENTS) on non-BCP38 networks, the | |||
| attacker then crafts a query using the source address of their | attacker then crafts a query using the source address of their | |||
| target victim and sends it to a Public Recursive Name Server | target victim and sends it to a public recursive nameserver | |||
| (PRNS). | (PRNS). | |||
| 3. The PRNS proceeds with the resolution, caches the LRECORD and | 3. Each PRNS proceeds with the resolution, caches the LRECORD and | |||
| finally sends it to the target. After this first packet, access | finally sends it to the target. After this first lookup, access | |||
| to the authoritative name servers for AZONE is normally no longer | to the authoritative name servers for AZONE is normally no longer | |||
| necessary. The LRECORD will remain cached for the duration of | necessary. The LRECORD will remain cached for the duration of | |||
| the TTL at the PRNS even if the AZONE is corrected. | the TTL at the PRNS even if the AZONE is corrected. | |||
| 4. Cleanup of the AZONE might, depending on the implementation used | 4. Cleanup of the AZONE might, depending on the implementation used | |||
| in the PRNS, afford a way to clean the cached LRECORD from the | in the PRNS, afford a way to clean the cached LRECORD from the | |||
| PRNS. | PRNS. This would possibly involve queries luring the PRNS to | |||
| lookup information for the same name that is being used in the | ||||
| amplification. | ||||
| Because the characteristics of the attack normally use a low volume | Because the characteristics of the attack normally involve a low | |||
| of packets on all the kinds of actors besides the victim (AZONE, | volume of packets amongst all the kinds of actors besides the victim | |||
| ZCLIENTS, PRNS), it's unlikely any one of them would notice their | (AZONE, ZCLIENTS, PRNS), it's unlikely any one of them would notice | |||
| involvement based on traffic pattern changes. | their involvement based on traffic pattern changes. | |||
| Taking advantage of PRNS that support EDNS0 [RFC2671], the | Taking advantage of PRNS that support EDNS0 [RFC2671], the | |||
| amplification factor (response size / query size) could be around 80. | amplification factor (response size / query size) could be around 80. | |||
| With this amplification factor a relatively small army of ZCLIENTS | With this amplification factor a relatively small army of ZCLIENTS | |||
| and PRNS could generate gigabits of traffic towards the targetted | and PRNS could generate gigabits of traffic towards the victim. | |||
| victim. | ||||
| This amplification attack is possible because for historical reasons, | Even if this attach is only really possible due to non-deployment of | |||
| out of times when the Internet was a much closer-knit community, some | BCP 38, this amplification attack is easier to leverage because for | |||
| name server implementations have been made available with default | historical reasons, out of times when the Internet was a much closer- | |||
| configurations that when used for recursive name servers made the | knit community, some nameserver implementations have been made | |||
| server accessible to all hosts on the Internet. | available with default configurations that when used for recursive | |||
| nameservers made the server accessible to all hosts on the Internet. | ||||
| For years this was a convenient and helpful configuration, enabling | For years this was a convenient and helpful configuration, enabling | |||
| wider availability of services. As the subject of this document | wider availability of services. As this document aims to make | |||
| tries to make apparent, it is now much better to be conscious of ones | apparent, it is now much better to be conscious of ones own | |||
| own name server services and focus the delivery of services on the | nameserver services and focus the delivery of services on the | |||
| intended audience of those services, may them be a University Campus, | intended audience of those services, be they a university campus, an | |||
| an Enterprise or an ISP's customers. The authors also want to draw | enterprise or an ISP's customers. The authors also want to draw the | |||
| the attention of small network operators and private server managers | attention of small network operators and private server managers who | |||
| who decide to operate name servers with the aim of optimizing their | decide to operate nameservers with the aim of optimising their DNS | |||
| DNS service, as these are more likely to use default configurations | service, as these are more likely to use default configurations as | |||
| as shipped by implementors. | shipped by implementors. | |||
| 3. Recommended Configuration | 3. Recommended Configuration | |||
| From the description of the problem in the previous section it | From the description of the problem in the previous section it | |||
| follows that the solution to this sort of attacks is the wide | follows that the solution to this sort of attacks is the wide | |||
| deploying of ingress filtering in routers to prevent use of address | deployment of ingress filtering [BCP38] in routers to prevent use of | |||
| spoofing as a viable course of action to elicit the attacks. | address spoofing as a viable course of action to elicit the attacks. | |||
| Nonetheless, the fact remains that DNS servers acting as open | Nonetheless, the fact remains that DNS servers acting as open | |||
| recursive servers provide an easy means to obtain great rates of | recursive servers provide an easy means to obtain great rates of | |||
| amplification for attack traffic, requiring only a small amount of | amplification for attack traffic, requiring only a small amount of | |||
| traffic from the attack sources to generate a vast amount of traffic | traffic from the attack sources to generate a vast amount of traffic | |||
| towards the victim. | towards the victim. | |||
| The authors also want to note that with the increasing length of | ||||
| authoritative DNS responses derived from deployment of DNSSEC and | ||||
| NAPTR as used in ENUM services, authoritative servers will eventually | ||||
| be more useful as actors in this sort of amplification attack, | ||||
| stressing even more the need for deployment of BCP 38. | ||||
| In this section we describe the Current Best Practice for operating | In this section we describe the Current Best Practice for operating | |||
| recursive name servers. Following these recommendations would reduce | recursive name servers. Following these recommendations would reduce | |||
| the chances of having a given recursive name server be used for the | the chances of having a given recursive name server be used for the | |||
| generation of an amplification attack. | generation of an amplification attack. | |||
| The generic recommendation to name server operators is to use the | The generic recommendation to name server operators is to use the | |||
| means provided by the implementation of choice to provide recursive | means provided by the implementation of choice to provide recursive | |||
| name lookup service only to the intended clients. Client | name lookup service only to the intended clients. Client | |||
| authentication can be usually done in several ways: | authentication can be usually done in several ways: | |||
| o IP based authentication. Use the IP address of the sending host | o IP based authentication. Use the IP address of the sending host | |||
| and filter them through and Access Control List (ACL) to service | and filter them through and Access Control List (ACL) to service | |||
| only the intended clients. | only the intended clients. | |||
| o Use TSIG [RFC2845]signed queries to authenticate the clients. | o Use TSIG [RFC2845]signed queries to authenticate the clients. | |||
| This is a less error prone method, which allows server operators | This is a less error prone method, which allows server operators | |||
| to provide service to clients who change IP address frequently | to provide service to clients who change IP address frequently | |||
| (eg. roaming clients). The current drawback of this method is | (e.g. roaming clients). The current drawback of this method is | |||
| that very few stub resolver implementations support TSIG signing | that very few stub resolver implementations support TSIG signing | |||
| of outgoing queries. The effective use of this method implies in | of outgoing queries. The effective use of this method implies in | |||
| most cases running a local instance of a caching nameserver or | most cases running a local instance of a caching nameserver or | |||
| forwarder that will be able to TSIG sign the queries and send them | forwarder that will be able to TSIG sign the queries and send them | |||
| on to the recursive name server of choice. | on to the recursive name server of choice. | |||
| 4. Security Considerations | In nameservers that do not need to be providing recursive service, | |||
| for instance servers that are meant to be authoritative only, turn | ||||
| recursion off completely. In general, it is a good idea to keep | ||||
| recursive and authoritative services separate as much as practical. | ||||
| This, of course, depends on local circumstances. | ||||
| 4. Acknowledgments | ||||
| Joe Abley, Andrew Sullivan | ||||
| 5. Security Considerations | ||||
| This document does not create any new security issues for the DNS | This document does not create any new security issues for the DNS | |||
| protocol. | protocol. | |||
| It's not excessive to repeat that, although recommended | It's not excessive to repeat that, although recommended | |||
| configurations described in this document could alleviate the | configurations described in this document could alleviate the | |||
| problem, the only solution to all kinds of source address spoofing | problem, the only solution to all kinds of source address spoofing | |||
| problems is the wide-scale deployment of Ingress Filtering to prevent | problems is the wide-scale deployment of Ingress Filtering to prevent | |||
| use of spoofed IP addresses [BCP38]. | use of spoofed IP addresses [BCP38]. | |||
| 5. References | 6. References | |||
| 5.1. Normative References | 6.1. Normative References | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
| STD 13, RFC 1034, November 1987. | STD 13, RFC 1034, November 1987. | |||
| [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", | [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", | |||
| RFC 2671, August 1999. | RFC 2671, August 1999. | |||
| [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. | [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. | |||
| Wellington, "Secret Key Transaction Authentication for DNS | Wellington, "Secret Key Transaction Authentication for DNS | |||
| (TSIG)", RFC 2845, May 2000. | (TSIG)", RFC 2845, May 2000. | |||
| 5.2. Informative References | 6.2. Informative References | |||
| [BCP38] Ferguson, P. and D. Senie, "Network Ingress Filtering: | [BCP38] Ferguson, P. and D. Senie, "Network Ingress Filtering: | |||
| Defeating Denial of Service Attacks which employ IP Source | Defeating Denial of Service Attacks which employ IP Source | |||
| Address Spoofing", BCP 38, RFC 2827, May 2000. | Address Spoofing", BCP 38, RFC 2827, May 2000. | |||
| Authors' Addresses | Authors' Addresses | |||
| Joao Damas | Joao Damas | |||
| Internet Systems Consortium, Inc. | Internet Systems Consortium, Inc. | |||
| 950 Charter Street | 950 Charter Street | |||
| End of changes. 25 change blocks. | ||||
| 59 lines changed or deleted | 88 lines changed or added | |||
This html diff was produced by rfcdiff 1.32. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||