| draft-ietf-dnsop-reflectors-are-evil-05.txt | draft-ietf-dnsop-reflectors-are-evil-06.txt | |||
|---|---|---|---|---|
| Network Working Group J. Damas | Network Working Group J. Damas | |||
| Internet-Draft ISC | Internet-Draft ISC | |||
| Intended status: Best Current F. Neves | Intended status: BCP F. Neves | |||
| Practice Registro.br | Expires: March 5, 2009 Registro.br | |||
| Expires: June 5, 2008 December 3, 2007 | September 1, 2008 | |||
| Preventing Use of Recursive Nameservers in Reflector Attacks | Preventing Use of Recursive Nameservers in Reflector Attacks | |||
| draft-ietf-dnsop-reflectors-are-evil-05.txt | draft-ietf-dnsop-reflectors-are-evil-06.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 35 | skipping to change at page 1, line 35 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on June 5, 2008. | This Internet-Draft will expire on March 5, 2009. | |||
| Copyright Notice | ||||
| Copyright (C) The IETF Trust (2007). | ||||
| Abstract | Abstract | |||
| This document describes ways to prevent the use of default configured | This document describes ways to prevent the use of default configured | |||
| recursive nameservers as reflectors in Denial of Service (DoS) | recursive nameservers as reflectors in Denial of Service (DoS) | |||
| attacks. Recommended configuration as measures to mitigate the | attacks. Recommended configuration as measures to mitigate the | |||
| attack are given. | attack are given. | |||
| Table of Contents | Table of Contents | |||
| skipping to change at page 4, line 7 | skipping to change at page 4, line 7 | |||
| 3. Problem Description | 3. Problem Description | |||
| Because most DNS traffic is stateless by design, an attacker could | Because most DNS traffic is stateless by design, an attacker could | |||
| start a DoS attack in the following way: | start a DoS attack in the following way: | |||
| 1. The attacker starts by configuring a record on any zone he has | 1. The attacker starts by configuring a record on any zone he has | |||
| access to, normally with large RDATA and TTL. | access to, normally with large RDATA and TTL. | |||
| 2. Taking advantage of clients on non-BCP38 networks, the attacker | 2. Taking advantage of clients on non-BCP38 networks, the attacker | |||
| then crafts a query using the source address of their target | then crafts a query using the source address of their target | |||
| victim and sends it to an open recursive nameserver (ORNS). | victim and sends it to an open recursive nameserver. | |||
| 3. Each open recursive nameserver proceeds with the resolution, | 3. Each open recursive nameserver proceeds with the resolution, | |||
| caches the record and finally sends it to the target. After this | caches the record and finally sends it to the target. After this | |||
| first lookup, access to the authoritative nameservers is normally | first lookup, access to the authoritative nameservers is normally | |||
| no longer necessary. The record will remain cached for the | no longer necessary. The record will remain cached for the | |||
| duration of the TTL at the open recursive nameserver even if it's | duration of the TTL at the open recursive nameserver even if it's | |||
| deleted from the zone. | deleted from the zone. | |||
| 4. Cleanup of the zone might, depending on the implementation used | 4. Cleanup of the zone might, depending on the implementation used | |||
| in the open recursive nameserver, afford a way to clean the | in the open recursive nameserver, afford a way to clean the | |||
| cached record from the open recursive nameserver. This would | cached record from the open recursive nameserver. This would | |||
| possibly involve queries luring the open recursive nameserver to | possibly involve queries luring the open recursive nameserver to | |||
| skipping to change at page 4, line 50 | skipping to change at page 4, line 50 | |||
| knit community, some nameserver implementations have been made | knit community, some nameserver implementations have been made | |||
| available with default configurations that when used for recursive | available with default configurations that when used for recursive | |||
| nameservers made the server accessible to all hosts on the Internet. | nameservers made the server accessible to all hosts on the Internet. | |||
| For years this was a convenient and helpful configuration, enabling | For years this was a convenient and helpful configuration, enabling | |||
| wider availability of services. As this document aims to make | wider availability of services. As this document aims to make | |||
| apparent, it is now much better to be conscious of ones own | apparent, it is now much better to be conscious of ones own | |||
| nameserver services and focus the delivery of services on the | nameserver services and focus the delivery of services on the | |||
| intended audience of those services, be they a university campus, an | intended audience of those services, be they a university campus, an | |||
| enterprise or an ISP's customers. The target audience also includes | enterprise or an ISP's customers. The target audience also includes | |||
| operators of small network operators and private server managers who | operators of small networks and private server managers who decide to | |||
| decide to operate nameservers with the aim of optimising their DNS | operate nameservers with the aim of optimising their DNS service, as | |||
| service, as these are more likely to use default configurations as | these are more likely to use default configurations as shipped by | |||
| shipped by implementors. | implementors. | |||
| 4. Recommended Configuration | 4. Recommended Configuration | |||
| In this section we describe the Best Current Practice for operating | In this section we describe the Best Current Practice for operating | |||
| recursive nameservers. Following these recommendations would reduce | recursive nameservers. Following these recommendations would reduce | |||
| the chances of having a given recursive nameserver be used for the | the chances of having a given recursive nameserver be used for the | |||
| generation of an amplification attack. | generation of an amplification attack. | |||
| The generic recommendation to nameserver operators is to use the | The generic recommendation to nameserver operators is to use the | |||
| means provided by the implementation of choice to provide recursive | means provided by the implementation of choice to provide recursive | |||
| skipping to change at page 6, line 19 | skipping to change at page 6, line 19 | |||
| Multihomed Network" [BCP84] maybe a useful additional reference. | Multihomed Network" [BCP84] maybe a useful additional reference. | |||
| By default, nameservers SHOULD NOT offer recursive service to | By default, nameservers SHOULD NOT offer recursive service to | |||
| external networks. | external networks. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| This document does not create any new security issues for the DNS | This document does not create any new security issues for the DNS | |||
| protocol, it deals with a weakness in implementations. | protocol, it deals with a weakness in implementations. | |||
| Deployment of SIG(0) transaction security should consider the caveats | ||||
| with SIG(0) computational expense as it uses public key cryptography | ||||
| rather than the symmetric keys used by TSIG. In addition, the | ||||
| identification of the appropriate keys needs similar mechanisms to | ||||
| those for deploying TSIG, or alternatively, the use of DNSSEC | ||||
| signatures (RRSIGs) over the KEY RRs if published in DNS. This will | ||||
| in turn require the appropriate management of DNSSEC trust anchors. | ||||
| 6. Acknowledgments | 6. Acknowledgments | |||
| The authors would like to acknowledge the helpful input and comments | The authors would like to acknowledge the helpful input and comments | |||
| of Joe Abley, Olafur Gudmundsson, Pekka Savola, Andrew Sullivan and | of Joe Abley, Olafur Gudmundsson, Pekka Savola, Andrew Sullivan and | |||
| Tim Polk. | Tim Polk. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document does not define a registry and does not require any | This document does not define a registry and does not require any | |||
| IANA action. | IANA action. | |||
| skipping to change at page 8, line 7 | skipping to change at page 8, line 7 | |||
| Av. das Nacoes Unidas, 11541, 7 | Av. das Nacoes Unidas, 11541, 7 | |||
| Sao Paulo, SP 04578-000 | Sao Paulo, SP 04578-000 | |||
| BR | BR | |||
| Phone: +55 11 5509 3511 | Phone: +55 11 5509 3511 | |||
| Email: fneves@registro.br | Email: fneves@registro.br | |||
| URI: http://registro.br/ | URI: http://registro.br/ | |||
| Full Copyright Statement | Full Copyright Statement | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2008). | |||
| This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||
| contained in BCP 78, and except as set forth therein, the authors | contained in BCP 78, and except as set forth therein, the authors | |||
| retain all their rights. | retain all their rights. | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND | |||
| THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS | THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS | |||
| OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF | OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF | |||
| skipping to change at page 8, line 44 | skipping to change at line 323 | |||
| attempt made to obtain a general license or permission for the use of | attempt made to obtain a general license or permission for the use of | |||
| such proprietary rights by implementers or users of this | such proprietary rights by implementers or users of this | |||
| specification can be obtained from the IETF on-line IPR repository at | specification can be obtained from the IETF on-line IPR repository at | |||
| http://www.ietf.org/ipr. | http://www.ietf.org/ipr. | |||
| The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
| copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
| rights that may cover technology that may be required to implement | rights that may cover technology that may be required to implement | |||
| this standard. Please address the information to the IETF at | this standard. Please address the information to the IETF at | |||
| ietf-ipr@ietf.org. | ietf-ipr@ietf.org. | |||
| Acknowledgment | ||||
| Funding for the RFC Editor function is provided by the IETF | ||||
| Administrative Support Activity (IASA). | ||||
| End of changes. 8 change blocks. | ||||
| 15 lines changed or deleted | 19 lines changed or added | |||
This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||