Attack Against DNS Root Servers
Has anyone been following the attack against the DNS root servers two weeks ago? Details.
I can't precisely explain why, but this feels like someone testing an attack capability.
For defense: it's long past time to implement source address validation in the DNS system.
Posted on December 15, 2015 at 12:19 AM
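The "source address validation" the post calls for is BCP 38 / RFC 2827 ingress filtering: an edge router accepts a packet from a customer link only if its source address belongs to a prefix that is legitimately routed through that link, so spoofed queries never reach the root servers in the first place. The following is an added illustration, not code from this post or from any router vendor; the interface names, prefixes, and packet list are constructed (using RFC 5737 / RFC 3849 documentation addresses), and the model only covers customer-facing edges that have an explicit prefix list, since strict filtering cannot be applied on a transit link carrying a default route.

```python
# Added example: minimal model of BCP 38 (RFC 2827) ingress filtering.
# Everything below (interfaces, prefixes, packets) is constructed test data.
import ipaddress
from typing import Dict, List, Tuple

# (ingress interface, source IP, destination IP)
Packet = Tuple[str, str, str]

# Constructed policy: the prefixes legitimately reachable *through* each
# customer-facing interface. A packet that arrives on an interface with a
# source outside that interface's prefixes is spoofed (or misrouted) and is dropped.
INGRESS_PREFIXES: Dict[str, List[str]] = {
    "cust-A": ["192.0.2.0/24"],                        # TEST-NET-1
    "cust-B": ["198.51.100.0/25", "2001:db8:b::/48"],  # TEST-NET-2 + doc IPv6
}


def build_tables(cfg: Dict[str, List[str]]):
    """Parse the textual policy into ip_network objects once, at config load."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in cfg.items()}


def source_allowed(iface: str, src: str, tables) -> bool:
    """Strict-mode check: may a packet with source `src` arrive on `iface`?

    Interfaces with no configured prefix list get no decision in this model;
    that is the transit/default-route case where BCP 38 strict mode does not apply,
    so we deny to keep the model conservative.
    """
    prefixes = tables.get(iface)
    if prefixes is None:
        return False
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:          # malformed address: never forward it
        return False
    return any(addr.version == net.version and addr in net for net in prefixes)


def filter_packets(packets: List[Packet], tables):
    """Split a batch of packets into (accepted, dropped) per the ingress policy."""
    accepted, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (accepted if source_allowed(iface, src, tables) else dropped).append(pkt)
    return accepted, dropped


# Constructed traffic sample. Destinations are documentation addresses standing in
# for an authoritative server; two packets carry sources that do not belong to
# the link they arrived on, i.e. the spoofing pattern used in reflection floods.
SAMPLE_PACKETS: List[Packet] = [
    ("cust-A", "192.0.2.10", "203.0.113.53"),             # legitimate
    ("cust-A", "203.0.113.7", "203.0.113.53"),            # spoofed: not a cust-A prefix
    ("cust-B", "198.51.100.20", "203.0.113.53"),          # legitimate
    ("cust-B", "2001:db8:b::53", "2001:db8:ffff::53"),    # legitimate (IPv6)
    ("cust-B", "192.0.2.10", "203.0.113.53"),             # spoofed: belongs to cust-A
]

if __name__ == "__main__":
    tables = build_tables(INGRESS_PREFIXES)
    ok, bad = filter_packets(SAMPLE_PACKETS, tables)
    print(f"accepted={len(ok)} dropped={len(bad)}")
    for pkt in bad:
        print("dropped spoofed packet:", pkt)
```

The check is deliberately per-interface rather than global: a source in 192.0.2.0/24 is fine on cust-A and spoofed on cust-B, which is exactly what a single "is this a valid address" test would miss. The point of deploying this at the customer edge is that it is the only place where the set of valid sources is small enough to know.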
Allowing only TCP is not an option. The roots have to be the most interoperable servers of all.
The kind of encryption I think people are talking about - DNSCurve was mentioned - is used to detect spoofed replies, but that's not the problem the roots need to solve. Even discounting the interoperability concerns, all client-server encryption does for the server is increase packet sizes and CPU load. Since any client can generate a perfectly legitimate-seeming request, encrypting that request is of little value in protecting the server.
BCP 38 will help, but it won't solve it. One can still generate floods from zombie machines, and rate-limiting on the target servers is difficult to apply without breaking legitimate queries from busy servers.
DNSSEC (which doesn't suffer from those problems) is good for many things, but it increases somewhat spectacularly the potential for amplification attacks, by making some responses gigantic in comparison to the query that generated them.
It's a shame. DNS has proven astonishingly versatile for a system designed for a different kind of Internet, but securing it in its current form is going to be extremely difficult.
It really doesn't help that making substantial DNS changes takes a very long time. The EDNS0 extension, for example, is 16 years old and is almost universally accepted as a good thing (as well as being mandatory for DNSSEC); yet it still can't be completely relied upon. Servers have to have mechanisms to disable it when other servers misbehave, or are behind misbehaving firewalls.
Unfortunately, there seems to be a prevailing attitude that DNS is either a solved problem, a problem not worth solving, or (most frequently) someone else's problem. That's a pity, because the state of the art for distributed databases has moved on somewhat since 1987. We could do a lot better if we really wanted to.
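The comment above says rate-limiting at the target is "difficult to apply without breaking legitimate queries from busy servers". The added model below (not the commenter's code, and not BIND's, though it borrows the responses-per-second and "slip" ideas of BIND's RRL feature) shows why: a per-source-network limiter cannot tell a spoofed flood aimed at a victim /24 from a genuinely busy recursive resolver, so both are throttled. The slip mechanism softens the damage by answering some over-limit queries with a tiny truncated reply, which a real resolver will retry over TCP while a spoofed victim simply receives a few small packets. All thresholds and both traffic traces are constructed.

```python
# Added example: simplified per-source response rate limiting (RRL) for an
# authoritative DNS server. Thresholds and traces are constructed; this is a
# teaching model, not an implementation from any real server.
from collections import defaultdict
import ipaddress


class ResponseRateLimiter:
    """Limit responses per client network per one-second window.

    decide() returns one of:
      "send" - answer normally
      "slip" - answer with a truncated (TC=1), empty reply so a real client
               retries over TCP; the reply is tiny, so no amplification
      "drop" - send nothing
    """

    def __init__(self, responses_per_second: int = 5, slip: int = 2):
        self.rps = responses_per_second
        self.slip = slip          # every slip-th over-limit query gets a TC reply
        self._state = defaultdict(lambda: {"window": None, "sent": 0, "over": 0})

    @staticmethod
    def bucket(src: str) -> str:
        """Aggregate clients to /24 (IPv4) or /56 (IPv6): spoofed floods usually
        spray addresses across the victim's whole block, so counting per host
        would let them slip under any per-host limit."""
        addr = ipaddress.ip_address(src)
        plen = 24 if addr.version == 4 else 56
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def decide(self, src: str, now: float) -> str:
        st = self._state[self.bucket(src)]
        window = int(now)
        if st["window"] != window:         # new one-second window: reset counters
            st["window"], st["sent"], st["over"] = window, 0, 0
        if st["sent"] < self.rps:
            st["sent"] += 1
            return "send"
        st["over"] += 1
        if self.slip and st["over"] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(trace, **limiter_kwargs):
    """Run a (timestamp, source IP) trace through a fresh limiter; return counts."""
    rrl = ResponseRateLimiter(**limiter_kwargs)
    counts = {"send": 0, "slip": 0, "drop": 0}
    for t, src in trace:
        counts[rrl.decide(src, t)] += 1
    return counts


# Constructed trace 1: 100 queries in one second whose sources are spoofed to
# hosts spread across the victim's /24 (TEST-NET-3).
FLOOD = [(i / 100, f"203.0.113.{i % 254 + 1}") for i in range(100)]

# Constructed trace 2: one legitimate, busy recursive resolver sending 20
# queries in the same second from a single address.
BUSY_RESOLVER = [(i / 20, "198.51.100.53") for i in range(20)]

if __name__ == "__main__":
    print("spoofed flood :", simulate(FLOOD))           # most answers withheld
    print("busy resolver :", simulate(BUSY_RESOLVER))   # also throttled: collateral damage
    print("busy resolver, higher limit:", simulate(BUSY_RESOLVER, responses_per_second=20))
```

With the defaults, the flood gets 5 full answers, 47 small truncated replies and 48 drops, which is the intended outcome; the busy resolver gets 5 answers, 7 truncated replies and 8 drops, which is the breakage the commenter is warning about. Raising the limit to fit the busiest legitimate resolver weakens the protection proportionally, and that trade-off is the whole difficulty: the server sees nothing in the packet that distinguishes the two cases, which is why the post argues for fixing spoofing at the source with BCP 38 instead.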