On Oct 13, 2020, at 8:49 PM, Chris Adams <cma@cmadams.net> wrote:
Once upon a time, Eric Kuhnke <eric.kuhnke@gmail.com> said:
Considering that one can run an instance of an anycasted recursive nameserver, under heavy load for a very large number of clients, on a $600 1U server these days... I wonder what exactly the threat model is.
A customer forwarded one of these notices to us - looked like it's about recursive DNS cache poisoning.
In part, yes. More generally, it's about allowing spoofed-source packets in your front door, appearing to be from your own network, and what a bad actor could do with them. The probes from the experiment were harmless. But if there were malicious intent, this access could facilitate cache poisoning, depending on your DNS server configuration.
It's been a while since I looked closely, but I thought modern recursive DNS software was pretty resistant to that, and anyway, the real answer to that is DNSSEC.
It is. But DNSSEC requires support both on the side of the resolver (validation enabled) and the authoritative server (zone signed). Adoption is still far from universal. There are efforts to improve that, but it can't be your only hope, in its current state. But, perhaps more importantly, cache poisoning is not the only concern. Other vulnerable DNS (for example) configurations might be exploited by a single packet being received and acted on as "trusted".
I could be wrong, but getting a scary-sounding OMG SECURITY ALERT email
Crafting wording in an alert email such that it should both be taken seriously and it doesn't sound too dramatic is hard. We have gotten many positive responses. But we've also gotten some *meh*. In the end we made a choice about whether individual reach-out was important and worth the effort, ahead of future publication and presentation. We decided that it was. Many operators have agreed with us. But I get that not everyone will feel the same about it.
from some group I've never heard of (and haven't AFAIK engaged the community about their "new" attack, scans, or notices)
I suppose it depends on your definition of "engage the community". I think that's what we're doing right now. We're also no stranger to NANOG (though perhaps more of a lurker on the mailing list). But community is a much broader term. And anyway, there is some order to this whole thing, and broader announcements will come later. Cheers, Casey