draft-ietf-dnsop-reflectors-are-evil-04.txt | draft-ietf-dnsop-reflectors-are-evil-05.txt | |||
---|---|---|---|---|
Network Working Group J. Damas | Network Working Group J. Damas | |||
Internet-Draft ISC | Internet-Draft ISC | |||
Intended status: Best Current F. Neves | Intended status: Best Current F. Neves | |||
Practice Registro.br | Practice Registro.br | |||
Expires: January 10, 2008 July 9, 2007 | Expires: June 5, 2008 December 3, 2007 | |||
Preventing Use of Recursive Nameservers in Reflector Attacks | Preventing Use of Recursive Nameservers in Reflector Attacks | |||
draft-ietf-dnsop-reflectors-are-evil-04.txt | draft-ietf-dnsop-reflectors-are-evil-05.txt | |||
Status of this Memo | Status of this Memo | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
skipping to change at page 1, line 35 | skipping to change at page 1, line 35 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on January 10, 2008. | This Internet-Draft will expire on June 5, 2008. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
Abstract | Abstract | |||
This document describes ways to prevent the use of default configured | This document describes ways to prevent the use of default configured | |||
recursive nameservers as reflectors in Denial of Service (DoS) | recursive nameservers as reflectors in Denial of Service (DoS) | |||
attacks. Recommended configuration as measures to mitigate the | attacks. Recommended configuration as measures to mitigate the | |||
attack are given. | attack are given. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2. Document Terminology . . . . . . . . . . . . . . . . . . . . . 3 | 2. Document Terminology . . . . . . . . . . . . . . . . . . . . . 3 | |||
3. Problem Description . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Problem Description . . . . . . . . . . . . . . . . . . . . . . 3 | |||
4. Recommended Configuration . . . . . . . . . . . . . . . . . . . 4 | 4. Recommended Configuration . . . . . . . . . . . . . . . . . . . 5 | |||
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 | |||
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6 | 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 | |||
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
8.1. Normative References . . . . . . . . . . . . . . . . . . . 6 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 6 | |||
8.2. Informative References . . . . . . . . . . . . . . . . . . 7 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 7 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
Intellectual Property and Copyright Statements . . . . . . . . . . 8 | Intellectual Property and Copyright Statements . . . . . . . . . . 8 | |||
1. Introduction | 1. Introduction | |||
skipping to change at page 3, line 48 | skipping to change at page 3, line 48 | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
3. Problem Description | 3. Problem Description | |||
Because most DNS traffic is stateless by design, an attacker could | Because most DNS traffic is stateless by design, an attacker could | |||
start a DoS attack in the following way: | start a DoS attack in the following way: | |||
1. The attacker starts by configuring a record (LRECORD) on any zone | 1. The attacker starts by configuring a record on any zone he has | |||
he has access to (AZONE), normally with large RDATA and TTL. | access to, normally with large RDATA and TTL. | |||
2. Taking advantage of clients (ZCLIENTS) on non-BCP38 networks, the | 2. Taking advantage of clients on non-BCP38 networks, the attacker | |||
attacker then crafts a query for LRECORD using the source address | then crafts a query using the source address of their target | |||
of their target victim and sends it to an open recursive | victim and sends it to an open recursive nameserver (ORNS). | |||
nameserver (ORNS). | 3. Each open recursive nameserver proceeds with the resolution, | |||
3. Each ORNS proceeds with the resolution, caches the LRECORD and | caches the record and finally sends it to the target. After this | |||
finally sends it to the target. After this first lookup, access | first lookup, access to the authoritative nameservers is normally | |||
to the authoritative nameservers for AZONE is normally no longer | no longer necessary. The record will remain cached for the | |||
necessary. The LRECORD will remain cached for the duration of | duration of the TTL at the open recursive nameserver even if it's | |||
the TTL at the ORNS even if the AZONE is corrected. | deleted from the zone. | |||
4. Cleanup of the AZONE might, depending on the implementation used | 4. Cleanup of the zone might, depending on the implementation used | |||
in the ORNS, afford a way to clean the cached LRECORD from the | in the open recursive nameserver, afford a way to clean the | |||
ORNS. This would possibly involve queries luring the ORNS to | cached record from the open recursive nameserver. This would | |||
possibly involve queries luring the open recursive nameserver to | ||||
lookup information for the same name that is being used in the | lookup information for the same name that is being used in the | |||
amplification. | amplification. | |||
Because the characteristics of the attack normally involve a low | Because the characteristics of the attack normally involve a low | |||
volume of packets amongst all the kinds of actors besides the victim | volume of packets amongst all the kinds of actors besides the victim, | |||
(AZONE, ZCLIENTS, ORNS), it's unlikely any one of them would notice | it's unlikely any one of them would notice their involvement based on | |||
their involvement based on traffic pattern changes. | traffic pattern changes. | |||
Taking advantage of ORNS that support EDNS0 [RFC2671], the | Taking advantage of open recursive nameserver that support EDNS0 | |||
amplification factor (response packet size / query packet size) could | [RFC2671], the amplification factor (response packet size / query | |||
be around 80. With this amplification factor a relatively small army | packet size) could be around 80. With this amplification factor a | |||
of ZCLIENTS and ORNS could generate gigabits of traffic towards the | relatively small army of clients and open recursive nameservers could | |||
victim. | generate gigabits of traffic towards the victim. | |||
With the increasing length of authoritative DNS responses derived | ||||
from deployment of DNSSEC and NAPTR as used in ENUM services, | ||||
authoritative servers will eventually be more useful as actors in | ||||
this sort of amplification attack. | ||||
Even if this attack is only really possible due to non-deployment of | Even if this attack is only really possible due to non-deployment of | |||
BCP 38, this amplification attack is easier to leverage because for | BCP 38, this amplification attack is easier to leverage because for | |||
historical reasons, from times when the Internet was a much closer- | historical reasons, from times when the Internet was a much closer- | |||
knit community, some nameserver implementations have been made | knit community, some nameserver implementations have been made | |||
available with default configurations that when used for recursive | available with default configurations that when used for recursive | |||
nameservers made the server accessible to all hosts on the Internet. | nameservers made the server accessible to all hosts on the Internet. | |||
For years this was a convenient and helpful configuration, enabling | For years this was a convenient and helpful configuration, enabling | |||
wider availability of services. As this document aims to make | wider availability of services. As this document aims to make | |||
skipping to change at page 4, line 51 | skipping to change at page 5, line 8 | |||
nameserver services and focus the delivery of services on the | nameserver services and focus the delivery of services on the | |||
intended audience of those services, be they a university campus, an | intended audience of those services, be they a university campus, an | |||
enterprise or an ISP's customers. The target audience also includes | enterprise or an ISP's customers. The target audience also includes | |||
operators of small network operators and private server managers who | operators of small network operators and private server managers who | |||
decide to operate nameservers with the aim of optimising their DNS | decide to operate nameservers with the aim of optimising their DNS | |||
service, as these are more likely to use default configurations as | service, as these are more likely to use default configurations as | |||
shipped by implementors. | shipped by implementors. | |||
4. Recommended Configuration | 4. Recommended Configuration | |||
From the description of the problem in the previous section it | ||||
follows that the solution to these sort of attacks is the wide | ||||
deployment of ingress filtering [BCP38] in routers to prevent use of | ||||
address spoofing as a viable course of action to prevent the attacks. | ||||
In situations were more complex network setups are in place, "Ingress | ||||
Filtering for Multihomed Network" [BCP84] maybe a useful additional | ||||
reference. | ||||
Nonetheless, the fact remains that DNS servers acting as open | ||||
recursive servers provide an easy means to obtain great rates of | ||||
amplification for attack traffic, requiring only a small amount of | ||||
traffic from the attack sources to generate a vast amount of traffic | ||||
towards the victim. | ||||
With the increasing length of authoritative DNS responses derived | ||||
from deployment of DNSSEC and NAPTR as used in ENUM services, | ||||
authoritative servers will eventually be more useful as actors in | ||||
this sort of amplification attack, stressing even more the need for | ||||
deployment of BCP 38. | ||||
In this section we describe the Best Current Practice for operating | In this section we describe the Best Current Practice for operating | |||
recursive nameservers. Following these recommendations would reduce | recursive nameservers. Following these recommendations would reduce | |||
the chances of having a given recursive nameserver be used for the | the chances of having a given recursive nameserver be used for the | |||
generation of an amplification attack. | generation of an amplification attack. | |||
The generic recommendation to nameserver operators is to use the | The generic recommendation to nameserver operators is to use the | |||
means provided by the implementation of choice to provide recursive | means provided by the implementation of choice to provide recursive | |||
name lookup service only to the intended clients. Client | name lookup service only to the intended clients. Client | |||
authentication can be usually done in several ways: | authorization can be usually done in several ways: | |||
o IP based authentication. Use the IP address of the sending host | o IP address based authorization. Use the IP source address of the | |||
and filter them through and Access Control List (ACL) to service | DNS queries and filter them through an Access Control List (ACL) | |||
only the intended clients. | to service only the intended clients. This is easily applied if | |||
the recursive name server's service area is a reasonably fixed IP | ||||
address range that is protected against external address spoofing, | ||||
usually the local network. | ||||
o Incoming Interface based selection. Use the incoming interface | o Incoming Interface based selection. Use the incoming interface | |||
for the query as a discriminator to select which clients are to be | for the query as a discriminator to select which clients are to be | |||
served. This is of particular applicability for SOHO devices, | served. This is of particular applicability for SOHO devices, | |||
such as broadband routers that include embedded recursive name | such as broadband routers that include embedded recursive name | |||
servers. | servers. | |||
o Use TSIG [RFC2845] or SIG(0) [RFC2931] signed queries to | o Use TSIG [RFC2845] or SIG(0) [RFC2931] signed queries to | |||
authenticate the clients. This is a less error prone method, | authenticate the clients. This is a less error prone method, | |||
which allows server operators to provide service to clients who | which allows server operators to provide service to clients who | |||
change IP address frequently (e.g. roaming clients). The current | change IP address frequently (e.g. roaming clients). The current | |||
drawback of this method is that very few stub resolver | drawback of this method is that very few stub resolver | |||
implementations support TSIG or SIG(0) signing of outgoing | implementations support TSIG or SIG(0) signing of outgoing | |||
queries. The effective use of this method implies in most cases | queries. The effective use of this method implies in most cases | |||
running a local instance of a caching nameserver or forwarder that | running a local instance of a caching nameserver or forwarder that | |||
will be able to TSIG sign the queries and send them on to the | will be able to TSIG sign the queries and send them on to the | |||
recursive nameserver of choice. | recursive nameserver of choice. | |||
o For mobile users use a local caching name server running on the | ||||
mobile device or use a Virtual Private Network to a trusted | ||||
server. | ||||
In nameservers that do not need to be providing recursive service, | In nameservers that do not need to be providing recursive service, | |||
for instance servers that are meant to be authoritative only, turn | for instance servers that are meant to be authoritative only, turn | |||
recursion off completely. In general, it is a good idea to keep | recursion off completely. In general, it is a good idea to keep | |||
recursive and authoritative services separate as much as practical. | recursive and authoritative services separate as much as practical. | |||
This, of course, depends on local circumstances. | This, of course, depends on local circumstances. | |||
Even with all these recommendations network operators should consider | ||||
deployment of ingress filtering [BCP38] in routers to prevent use of | ||||
address spoofing as a viable course of action. In situations where | ||||
more complex network setups are in place, "Ingress Filtering for | ||||
Multihomed Network" [BCP84] maybe a useful additional reference. | ||||
By default, nameservers SHOULD NOT offer recursive service to | By default, nameservers SHOULD NOT offer recursive service to | |||
external networks. | external networks. | |||
5. Security Considerations | 5. Security Considerations | |||
This document does not create any new security issues for the DNS | This document does not create any new security issues for the DNS | |||
protocol, it deals with a weakness in implementations. | protocol, it deals with a weakness in implementations. | |||
It's not excessive to repeat that, although recommended | ||||
configurations described in this document could alleviate the | ||||
problem, the only solution to source address spoofing problems is the | ||||
wide-scale deployment of Ingress Filtering to prevent use of spoofed | ||||
IP addresses [BCP38], [BCP84]. | ||||
6. Acknowledgments | 6. Acknowledgments | |||
The authors would like to acknowledge the helpful input and comments | The authors would like to acknowledge the helpful input and comments | |||
of Joe Abley, Olafur Gudmundsson, Pekka Savola, and Andrew Sullivan. | of Joe Abley, Olafur Gudmundsson, Pekka Savola, Andrew Sullivan and | |||
Tim Polk. | ||||
7. IANA Considerations | 7. IANA Considerations | |||
This document does not define a registry and does not require any | This document does not define a registry and does not require any | |||
IANA action. | IANA action. | |||
8. References | 8. References | |||
8.1. Normative References | 8.1. Normative References | |||
End of changes. 15 change blocks. | ||||
57 lines changed or deleted | 51 lines changed or added | |||
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |