Great Circle Associates Firewalls
(April 1994)
 


Subject: Denial of service attacks on Domain Name Servers (DNS) possible?
From: long-morrow @ CS . YALE . EDU (H Morrow Long)
Date: Thu, 28 Apr 94 17:18:51 -0400
To: firewalls @ GreatCircle . COM, namedroppers @ nic . ddn . mil
Cc: long-morrow @ CS . YALE . EDU

I'm aware that there was a bit of talk recently on improving DNS security
by using RSA (or similar) public key technology for authentication.

But has any thought (or effort) been given (or are there any current methods)
to protect DNS servers from denial of service attacks?  I would think (for a
number of reasons listed below) that domain nameservers would be particularly
vulnerable to such abuse.

Let me tell you how I got started thinking about this.  I was pondering the
problem that has come up recently about how some type of 'peer' [pun] pressure
could be put upon a site or access provider who was letting someone run amok
on the Internet (à la 'MAKE MONEY FAST' or 'GREEN CARD LOTTERY').  I began to
bluesky and thought that the best way was not via the current method of
flooding the abuser and their site admins with E-Mail or any other application
layer protocol (as these can be filtered out easily)  but an attack at the
transport or network layer would be the most damaging.  It would be best
to use a connectionless protocol to be truly devastating (the speed it takes
TCP to set up a new connection is probably reason enough to disqualify it).
So we are left with ICMP and UDP basically.  I've seen systems bombarded
by ping on the network before.  It is not a pretty sight.  But if I wanted
to impair (if not totally disable) a site I would want to go for the
jugular and strike at a service that would most affect a site, a service
that they couldn't do without.  Many sites run their nameservers in a DMZ
(on a bastion host), or at least behind a screening router protecting them
from the Internet.  And many of them block most UDP ports.  But if they run
a nameserver they have to let UDP port 53 in.  Also a few sites are totally
dependent on their provider (who runs their nameservice for them).

It would seem to be fairly trivial to write up a fairly small C program to send
UDP messages in rapid succession to port 53 on a machine anywhere on the
Internet.  Is there any protection against a sheer 'quantity' (i.e., a
100MHz PowerPC machine blasting across a LAN->T1->Internet) denial of
service attack?  And while just filling a 512 byte datagram with junk
and aiming it at server port 53 may mildly disrupt a nameserver (until
it recognizes it as junk and discards it), filling in the DNS query fields
with actual values and making the nameserver do (hopefully somewhat
random) make-work is likely to make it churn a lot.  I've seen a nameserver
really banged into submission before (by accident, not a malicious attack).

One obvious method of trying to protect yourself from this type of attack
would be to have as many secondary nameservers for a domain as possible.  
Unfortunately, you can only list a finite number as being authoritative
(or the DNS reply message will be too large and will be truncated, right?
Which would be an error.) - it appears to be a max around 7 or 8 depending
on how many IP (interface) addresses are enclosed as well. 

You can set up a different set of internal nameservers which users can
use on the enterprise network (and you are likely to do this if you have
a corporate firewall anyway) so net life could continue reasonably well
internally.  But, potentially, all havoc could be taking place outside
the firewall (no E-Mail and possibly other services coming in) with your
nameservers effectively disabled.

And obviously you (or your Internet provider) can choke off such messages
at an appropriate router once the problem has become known and the site
identified.

But I'm interested in any defense mechanisms DNS may (or may not) have.

Comments?

ObDisclaimer:  I definitely don't advocate or endorse the use of a net
nuisance tool as described above for any purpose.

---
H. Morrow Long   Long-Morrow @ CS . Yale . EDU   {harvard,decvax}!yale!Long-Morrow
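
The message above ties the number of nameservers a domain can list to the DNS reply fitting in one untruncated UDP datagram. As an added example (not part of the original post), the sketch below builds that NS reply in wire format with name compression and counts how many servers fit in 512 bytes. The zone, host names, TTL and addresses are constructed assumptions.

```python
import struct

UDP_LIMIT = 512  # largest DNS message carried over UDP without truncation (RFC 1035)

def encode_name(name, offsets, pos):
    """Wire-encode `name` at message offset `pos`, pointing at earlier suffixes."""
    labels = [p for p in name.lower().split(".") if p]
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:                      # seen before: 2-byte pointer
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        offsets[suffix] = pos + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_ns_response(zone, servers, ttl=86400):
    """Authoritative answer to 'zone IN NS'. servers: [(hostname, [ipv4, ...]), ...]"""
    offsets = {}
    glue = sum(len(ips) for _, ips in servers)
    msg = struct.pack("!6H", 0x1234, 0x8400, 1, len(servers), 0, glue)
    msg += encode_name(zone, offsets, len(msg)) + struct.pack("!HH", 2, 1)
    for host, _ in servers:                        # answer section: NS records
        owner = encode_name(zone, offsets, len(msg))
        rdata = encode_name(host, offsets, len(msg) + len(owner) + 10)
        msg += owner + struct.pack("!HHIH", 2, 1, ttl, len(rdata)) + rdata
    for host, ips in servers:                      # additional section: A records
        for ip in ips:
            owner = encode_name(host, offsets, len(msg))
            msg += owner + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
    return msg

def max_servers(zone, make_server, limit=UDP_LIMIT):
    """Largest n for which a response listing n servers still fits in `limit` bytes."""
    n = 0
    while len(build_ns_response(zone, [make_server(i) for i in range(n + 1)])) <= limit:
        n += 1
    return n

# Constructed sample data: hypothetical host names, RFC 5737 documentation addresses.
def in_zone(i):
    return (f"ns{i}.example.com", [f"192.0.2.{i + 1}"])
def off_site(i, addrs=1):
    return (f"ns.partner{i}.net", [f"192.0.2.{4 * i + j + 1}" for j in range(addrs)])

if __name__ == "__main__":
    print("in-zone names, 1 address each   :", max_servers("example.com", in_zone))
    print("off-site names, 1 address each  :", max_servers("example.com", off_site))
    print("off-site names, 2 addresses each:", max_servers("example.com", lambda i: off_site(i, 2)))
```

The count moves with how well the server names compress against the zone name and with how many interface addresses each server contributes to the additional section.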

