| draft-ietf-dnsop-reflectors-are-evil-01.txt | draft-ietf-dnsop-reflectors-are-evil-02.txt | |||
|---|---|---|---|---|
| Network Working Group J. Damas | Network Working Group J. Damas | |||
| Internet-Draft ISC | Internet-Draft ISC | |||
| Expires: December 27, 2006 F. Neves | Expires: March 19, 2007 F. Neves | |||
| Registro.br | Registro.br | |||
| June 25, 2006 | September 15, 2006 | |||
| Preventing Use of Nameservers in Reflector Attacks | Preventing Use of Recursive Nameservers in Reflector Attacks | |||
| draft-ietf-dnsop-reflectors-are-evil-01.txt | draft-ietf-dnsop-reflectors-are-evil-02.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 35 | skipping to change at page 1, line 35 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on December 27, 2006. | This Internet-Draft will expire on March 19, 2007. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2006). | Copyright (C) The Internet Society (2006). | |||
| Abstract | Abstract | |||
| This document describes the use of default configured recursive | This document describes the use of default configured recursive | |||
| nameservers as reflectors on DOS attacks. Recommended configuration | nameservers as reflectors on DOS attacks. Recommended configuration | |||
| as measures to mitigate the attack are given. | as measures to mitigate the attack are given. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Problem Description . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Problem Description . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Recommended Configuration . . . . . . . . . . . . . . . . . . . 4 | 3. Recommended Configuration . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 5 | 4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . . 6 | 6.1. Normative References . . . . . . . . . . . . . . . . . . . 6 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . . 6 | 6.2. Informative References . . . . . . . . . . . . . . . . . . 6 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 8 | Intellectual Property and Copyright Statements . . . . . . . . . . 8 | |||
| 1. Introduction | 1. Introduction | |||
| Recently, DNS [RFC1034] has been named as a major factor in the | Recently, DNS [RFC1034] has been named as a major factor in the | |||
| generation of massive amounts of network traffic used in Denial of | generation of massive amounts of network traffic used in Denial of | |||
| Service (DoS) attacks. These attacks, called reflector attacks, are | Service (DoS) attacks. These attacks, called reflector attacks, are | |||
| not due to any particular flaw in the design of the DNS or its | not due to any particular flaw in the design of the DNS or its | |||
| implementations, asides perhaps the fact that DNS relies heavily on | implementations, asides perhaps the fact that DNS relies heavily on | |||
| UDP, the easy abuse of which is at the source of the problem. They | UDP, the easy abuse of which is at the source of the problem. They | |||
| have preferentially used DNS due to common default configurations | have preferentially used DNS due to common default configurations | |||
| that allow for easy use of public recursive nameservers that make use | that allow for easy use of open recursive nameservers that make use | |||
| of such a default configuration. | of such a default configuration. | |||
| In addition, due to the small query-large response potential of the | In addition, due to the small query-large response potential of the | |||
| DNS system it is easy to yield great amplification of the source | DNS system it is easy to yield great amplification of the source | |||
| traffic as reflected traffic towards the victims. | traffic as reflected traffic towards the victims. | |||
| DNS authority servers which do not provide recursion to clients can | DNS authority servers which do not provide recursion to clients can | |||
| also be used as amplifiers; however, the amplification potential is | also be used as amplifiers; however, the amplification potential is | |||
| greatly reduced when authority servers are used. It is also not | greatly reduced when authority servers are used. It is also not | |||
| practical to restrict access to authority servers to a subset of the | practical to restrict access to authority servers to a subset of the | |||
| skipping to change at page 3, line 46 | skipping to change at page 3, line 46 | |||
| 2. Problem Description | 2. Problem Description | |||
| Because most DNS traffic is stateless by design, an attacker could | Because most DNS traffic is stateless by design, an attacker could | |||
| start a DoS attack in the following way: | start a DoS attack in the following way: | |||
| 1. The attacker starts by configuring a record (LRECORD) on any zone | 1. The attacker starts by configuring a record (LRECORD) on any zone | |||
| he has access to (AZONE), normally with large RDATA and TTL. | he has access to (AZONE), normally with large RDATA and TTL. | |||
| 2. Taking advantage of clients (ZCLIENTS) on non-BCP38 networks, the | 2. Taking advantage of clients (ZCLIENTS) on non-BCP38 networks, the | |||
| attacker then crafts a query using the source address of their | attacker then crafts a query using the source address of their | |||
| target victim and sends it to a public recursive nameserver | target victim and sends it to a open recursive nameserver (ORNS). | |||
| (PRNS). | 3. Each ORNS proceeds with the resolution, caches the LRECORD and | |||
| 3. Each PRNS proceeds with the resolution, caches the LRECORD and | ||||
| finally sends it to the target. After this first lookup, access | finally sends it to the target. After this first lookup, access | |||
| to the authoritative nameservers for AZONE is normally no longer | to the authoritative nameservers for AZONE is normally no longer | |||
| necessary. The LRECORD will remain cached for the duration of | necessary. The LRECORD will remain cached for the duration of | |||
| the TTL at the PRNS even if the AZONE is corrected. | the TTL at the ORNS even if the AZONE is corrected. | |||
| 4. Cleanup of the AZONE might, depending on the implementation used | 4. Cleanup of the AZONE might, depending on the implementation used | |||
| in the PRNS, afford a way to clean the cached LRECORD from the | in the ORNS, afford a way to clean the cached LRECORD from the | |||
| PRNS. This would possibly involve queries luring the PRNS to | ORNS. This would possibly involve queries luring the ORNS to | |||
| lookup information for the same name that is being used in the | lookup information for the same name that is being used in the | |||
| amplification. | amplification. | |||
| Because the characteristics of the attack normally involve a low | Because the characteristics of the attack normally involve a low | |||
| volume of packets amongst all the kinds of actors besides the victim | volume of packets amongst all the kinds of actors besides the victim | |||
| (AZONE, ZCLIENTS, PRNS), it's unlikely any one of them would notice | (AZONE, ZCLIENTS, ORNS), it's unlikely any one of them would notice | |||
| their involvement based on traffic pattern changes. | their involvement based on traffic pattern changes. | |||
| Taking advantage of PRNS that support EDNS0 [RFC2671], the | Taking advantage of ORNS that support EDNS0 [RFC2671], the | |||
| amplification factor (response size / query size) could be around 80. | amplification factor (response packet size / query packet size) could | |||
| With this amplification factor a relatively small army of ZCLIENTS | be around 80. With this amplification factor a relatively small army | |||
| and PRNS could generate gigabits of traffic towards the victim. | of ZCLIENTS and ORNS could generate gigabits of traffic towards the | |||
| victim. | ||||
| Even if this attach is only really possible due to non-deployment of | Even if this attach is only really possible due to non-deployment of | |||
| BCP 38, this amplification attack is easier to leverage because for | BCP 38, this amplification attack is easier to leverage because for | |||
| historical reasons, out of times when the Internet was a much closer- | historical reasons, out of times when the Internet was a much closer- | |||
| knit community, some nameserver implementations have been made | knit community, some nameserver implementations have been made | |||
| available with default configurations that when used for recursive | available with default configurations that when used for recursive | |||
| nameservers made the server accessible to all hosts on the Internet. | nameservers made the server accessible to all hosts on the Internet. | |||
| For years this was a convenient and helpful configuration, enabling | For years this was a convenient and helpful configuration, enabling | |||
| wider availability of services. As this document aims to make | wider availability of services. As this document aims to make | |||
| skipping to change at page 5, line 25 | skipping to change at page 5, line 25 | |||
| The generic recommendation to nameserver operators is to use the | The generic recommendation to nameserver operators is to use the | |||
| means provided by the implementation of choice to provide recursive | means provided by the implementation of choice to provide recursive | |||
| name lookup service only to the intended clients. Client | name lookup service only to the intended clients. Client | |||
| authentication can be usually done in several ways: | authentication can be usually done in several ways: | |||
| o IP based authentication. Use the IP address of the sending host | o IP based authentication. Use the IP address of the sending host | |||
| and filter them through and Access Control List (ACL) to service | and filter them through and Access Control List (ACL) to service | |||
| only the intended clients. | only the intended clients. | |||
| o Use TSIG [RFC2845] signed queries to authenticate the clients. | o Incoming Interface based selection. Use the incoming interface | |||
| This is a less error prone method, which allows server operators | for the query as a discriminator to select which clients are to be | |||
| to provide service to clients who change IP address frequently | served. This is of particular applicability for SOHO devices, | |||
| (e.g. roaming clients). The current drawback of this method is | such as broadband routers that include embedded recursive name | |||
| that very few stub resolver implementations support TSIG signing | servers. | |||
| of outgoing queries. The effective use of this method implies in | ||||
| most cases running a local instance of a caching nameserver or | o Use TSIG [RFC2845] or SIG(0) [RFC2931] signed queries to | |||
| forwarder that will be able to TSIG sign the queries and send them | authenticate the clients. This is a less error prone method, | |||
| on to the recursive nameserver of choice. | which allows server operators to provide service to clients who | |||
| change IP address frequently (e.g. roaming clients). The current | ||||
| drawback of this method is that very few stub resolver | ||||
| implementations support TSIG or SIG(0) signing of outgoing | ||||
| queries. The effective use of this method implies in most cases | ||||
| running a local instance of a caching nameserver or forwarder that | ||||
| will be able to TSIG sign the queries and send them on to the | ||||
| recursive nameserver of choice. | ||||
| In nameservers that do not need to be providing recursive service, | In nameservers that do not need to be providing recursive service, | |||
| for instance servers that are meant to be authoritative only, turn | for instance servers that are meant to be authoritative only, turn | |||
| recursion off completely. In general, it is a good idea to keep | recursion off completely. In general, it is a good idea to keep | |||
| recursive and authoritative services separate as much as practical. | recursive and authoritative services separate as much as practical. | |||
| This, of course, depends on local circumstances. | This, of course, depends on local circumstances. | |||
| 4. Acknowledgments | 4. Acknowledgments | |||
| Joe Abley, Andrew Sullivan | Joe Abley, Andrew Sullivan | |||
| skipping to change at page 6, line 23 | skipping to change at page 6, line 30 | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
| STD 13, RFC 1034, November 1987. | STD 13, RFC 1034, November 1987. | |||
| [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", | [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", | |||
| RFC 2671, August 1999. | RFC 2671, August 1999. | |||
| [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. | [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. | |||
| Wellington, "Secret Key Transaction Authentication for DNS | Wellington, "Secret Key Transaction Authentication for DNS | |||
| (TSIG)", RFC 2845, May 2000. | (TSIG)", RFC 2845, May 2000. | |||
| [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures ( | ||||
| SIG(0)s)", RFC 2931, September 2000. | ||||
| 6.2. Informative References | 6.2. Informative References | |||
| [BCP38] Ferguson, P. and D. Senie, "Network Ingress Filtering: | [BCP38] Ferguson, P. and D. Senie, "Network Ingress Filtering: | |||
| Defeating Denial of Service Attacks which employ IP Source | Defeating Denial of Service Attacks which employ IP Source | |||
| Address Spoofing", BCP 38, RFC 2827, May 2000. | Address Spoofing", BCP 38, RFC 2827, May 2000. | |||
| Authors' Addresses | Authors' Addresses | |||
| Joao Damas | Joao Damas | |||
| Internet Systems Consortium, Inc. | Internet Systems Consortium, Inc. | |||
| End of changes. 13 change blocks. | ||||
| 27 lines changed or deleted | 38 lines changed or added | |||
This html diff was produced by rfcdiff 1.32. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||