Shaarli - Les discussions de Shaarli

Archived

Original site: Shaarli - Les discussions de Shaarli, 23/07/2013


A Quick Introduction to Response Rate Limiting | Internet Systems Consortium Knowledge Base

Tuesday 27 August 2013 at 11:20
CAFAI, 27/08/2013 at 11:20
The Problem

DNS is easily used for reflected denial-of-service (DoS) attacks, with three factors combining to make it a popular choice.

   UDP, which is commonly used for DNS traffic, was not designed with source validation in mind.  Consequently BIND responds to packets with a forged source address exactly as it does to legitimate packets.  An attacker can therefore send DNS queries forging the victim's IP address as the source address, causing the DNS server to send the replies to the victim.  This is a "reflected attack".
   Most ISPs do not check the source address of packets that they forward to ensure that it matches a network block managed by that ISP.  This allows forged-address attacks to be launched from a large portion of the Internet.
   Small DNS queries can generate large responses, allowing the attacker to send far less traffic than the victim receives, amplifying the attack.  For example, an EDNS0 query for isc.org of type ANY is 36 bytes long (not counting the UDP, IP, and Ethernet headers) and triggers a response that is 3,576 bytes long (again not counting UDP, IP, and Ethernet headers).  By reflecting, an attacker can cause a nearly 100x increase in the amount of traffic directed at the victim, and can conceal the source of the attack as well.

A Solution

While we cannot know which source addresses are forged and which are not, we can look at the pattern of requests and responses and infer with a high degree of confidence when there is an attack.  We can then use this information to throttle responses, cutting off the attack.  Incoming queries are NOT throttled by RRL.
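The following is an added example, not code from the ISC article or from BIND: a simplified model of the response-rate-limiting idea described above. Each (client network block, query name, query type, response code) tuple gets a credit bucket; identical responses to the same /24 are sent while credit remains, and once the budget is exhausted they are dropped, with every second rate-limited response "slipped" as a small truncated reply that a real resolver can retry over TCP but a spoofed victim cannot use. The parameter names and values (5 responses per second, a 15-second window, slip of 2, /24 grouping) and the sample query stream are assumptions constructed for the demonstration; the 36-byte query and 3,576-byte response sizes come from the article.

```python
import ipaddress

# Assumed tuning values for the model (constructed, not BIND defaults)
RESPONSES_PER_SECOND = 5   # identical responses allowed per client block per second
WINDOW_SECONDS = 15        # credit (positive or negative) is bounded by rps * window
SLIP = 2                   # every SLIP-th rate-limited response becomes a truncated reply
IPV4_PREFIX = 24           # clients are grouped per /24 so one forged host cannot evade the limit

# Sizes quoted in the article for an EDNS0 'isc.org ANY' query and its answer
QUERY_BYTES = 36
FULL_RESPONSE_BYTES = 3576
TRUNCATED_REPLY_BYTES = QUERY_BYTES  # assumption: a TC=1 reply echoes roughly the question only


class ResponseRateLimiter:
    """Per-(client block, qname, qtype, rcode) credit bucket. Only responses are limited;
    incoming queries are always accepted, exactly as the text says."""

    def __init__(self, rps=RESPONSES_PER_SECOND, window=WINDOW_SECONDS,
                 slip=SLIP, v4prefix=IPV4_PREFIX):
        self.rps, self.window, self.slip, self.v4prefix = rps, window, slip, v4prefix
        self._buckets = {}  # key -> [credits, last_update_time, rate_limited_count]

    def _key(self, client_ip, qname, qtype, rcode):
        block = ipaddress.ip_network(f"{client_ip}/{self.v4prefix}", strict=False)
        return (str(block), qname.lower().rstrip("."), qtype.upper(), rcode)

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one response."""
        key = self._key(client_ip, qname, qtype, rcode)
        bucket = self._buckets.setdefault(key, [float(self.rps), now, 0])
        credits, last, limited = bucket
        # Replenish rps credits per elapsed second, capped at a full window of credit
        credits = min(self.rps * self.window, credits + (now - last) * self.rps)
        # Every response attempt, sent or not, debits the bucket (bounded below)
        credits = max(-self.rps * self.window, credits - 1)
        if credits >= 0:
            bucket[:] = [credits, now, 0]
            return "send"
        limited += 1
        bucket[:] = [credits, now, limited]
        return "slip" if self.slip and limited % self.slip == 0 else "drop"


def reflected_bytes(counts, full=FULL_RESPONSE_BYTES, truncated=TRUNCATED_REPLY_BYTES):
    """Payload bytes the server reflects toward the client block for the given verdicts."""
    return counts.get("send", 0) * full + counts.get("slip", 0) * truncated


def simulate():
    rrl = ResponseRateLimiter()
    # Constructed flood: 50 'isc.org ANY' queries within the same second, all carrying
    # forged source addresses inside the victim's 192.0.2.0/24 block.
    verdicts = [rrl.decide(0.0, f"192.0.2.{i % 254 + 1}", "isc.org", "ANY") for i in range(50)]
    counts = {v: verdicts.count(v) for v in ("send", "slip", "drop")}
    # Traffic keyed differently (another client block, another name) is untouched.
    other_client = rrl.decide(0.0, "198.51.100.7", "isc.org", "ANY")
    other_name = rrl.decide(0.0, "192.0.2.5", "example.org", "A")
    # One second later the same flood is still over budget...
    still_limited = rrl.decide(1.0, "192.0.2.9", "isc.org", "ANY")
    # ...but after a 10-second lull the credit has been replenished.
    after_lull = rrl.decide(11.0, "192.0.2.9", "isc.org", "ANY")
    return counts, other_client, other_name, still_limited, after_lull


if __name__ == "__main__":
    counts, other_client, other_name, still_limited, after_lull = simulate()
    print("flood verdicts:", counts)
    print("other block:", other_client, "| other name:", other_name)
    print("at t=1s:", still_limited, "| at t=11s:", after_lull)
    print("bytes reflected with RRL:", reflected_bytes(counts),
          "| without:", reflected_bytes({"send": 50}))
```

Running the simulation shows the effect the text describes: of 50 identical responses toward the forged block in one second, 5 are sent in full, 22 go out as small truncated replies and 23 are dropped, so the reflected payload falls from 178,800 bytes to 18,672 bytes while queries from other networks and for other names are answered normally.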