[ unthreaded to encourage discussion ]
On Sat, Jul 26, 2008 at 04:55:23PM -0500, James Hess wrote:
Nameservers could incorporate poison detection...
Listen on 200 random fake ports (in addition to the true query ports); if a response ever arrives at a fake port, then it must be an attack, read the "identified" attack packet, log the attack event, mark the RRs mentioned in the packet as "poison being attempted" for 6 hours; for such domains always request and collect _two_ good responses (instead of one), with a 60 second timeout, before caching a lookup.
The attacker must now guess nearly 64-bits in a short amount of time, to be successful. Once a good lookup is received, discard the normal TTL and hold the good answer cached and immutable, for 6 hours (_then_ start decreasing the TTL normally).
Is there any reason, which I'm too far down the food chain to see, why that's not a fantastic idea? Or at least, something inspired by it?
There's a ton of stuff that you can do; I talked a bit about this kind of solution several days ago, see <200807241335.m6ODZpfo097197@aurora.sol.net>. The problem is mainly that this is reactive, and primarily applicable to this attack because it's a brute force. The next attack might be more elegant.

Designing in this sort of "protection" is good AND bad, because on one hand you do mostly solve the problem, and that's good, but you also encourage people to think of the problem as "fixed" or "my server is not vulnerable," when the only real way to protect against the *next* attack is to make sure that the data is valid, so that's DNSSEC.

There are actually more specifically useful things that you can do to mitigate particular aspects of this attack, except that talking about them will also point to some risks that I don't believe have been made public, and I'm going to do my part to keep it that way, at least for a bit longer.

The short form, though, is that if you sit there and try to manufacture artificial protection against each new attack as it develops, you will end up with this Rube Goldberg contraption to protect your nameserver from various attacks, and who knows what will break it. View these as very short-term fixes, rather than a correction of the underlying issue.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
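To make the decoy-port scheme in the quoted proposal concrete, here is a small simulation of it. This is an added example, not code from the thread or from any resolver; it models a resolver that never sends from 200 decoy ports, treats any answer landing on one as forged, flags the name for 6 hours, requires two matching answers within 60 seconds for a flagged name, and then pins the answer immutably before letting its TTL count down. The port range, the name/address values and the hypothetical `DetectingResolver` API are illustrative assumptions; the timers and decoy count come from the post.

```python
"""Simulation of the decoy-port poison-detection idea (added example, not the
thread's or any resolver's code). Names, addresses and the class/method names
are illustrative assumptions; 200 decoys, 6 h pin and 60 s window follow the post."""
import random
from dataclasses import dataclass

PIN_SECONDS = 6 * 3600      # post: hold a confirmed answer immutable for 6 hours
CONFIRM_WINDOW = 60         # post: collect two good answers within 60 seconds
DECOY_COUNT = 200           # post: 200 fake ports the resolver never sends from
PORT_RANGE = range(1024, 65536)   # assumed ephemeral range


@dataclass
class Query:
    name: str
    port: int
    txid: int
    sent_at: float


@dataclass
class CacheEntry:
    rdata: str
    pinned_until: float     # 0.0 when the entry was never pinned
    expires: float


class DetectingResolver:
    def __init__(self, seed=None):
        self.now = 0.0                                # simulated clock (seconds)
        self.rng = random.Random(seed)
        # Ports we never send from; an answer arriving here cannot be legitimate.
        self.decoy_ports = frozenset(self.rng.sample(PORT_RANGE, DECOY_COUNT))
        self.cache = {}            # name -> CacheEntry
        self.suspect_until = {}    # name -> time until which poisoning is assumed
        self.pending = {}          # (port, txid) -> outstanding Query
        self.partial = {}          # name -> (rdata, time first good answer seen)
        self.events = []           # log of detections and mismatches

    def send_query(self, name):
        """Pick a random non-decoy source port and a random 16-bit ID."""
        while True:
            port = self.rng.choice(PORT_RANGE)
            txid = self.rng.randrange(1 << 16)
            if port not in self.decoy_ports and (port, txid) not in self.pending:
                break
        q = Query(name, port, txid, self.now)
        self.pending[(port, txid)] = q
        return q

    def receive(self, port, txid, name, rdata, ttl):
        """Process one UDP answer that arrived on `port`; return a verdict."""
        if port in self.decoy_ports:
            # Nothing was ever sent from a decoy port, so this packet is forged.
            self.events.append((self.now, "spoof-detected", name, port, txid))
            self.suspect_until[name] = self.now + PIN_SECONDS
            return "attack"
        q = self.pending.get((port, txid))
        if q is None or q.name != name:
            return "dropped"          # unsolicited: wrong port, ID or name
        del self.pending[(port, txid)]
        if self.now < self.suspect_until.get(name, 0.0):
            prev = self.partial.get(name)
            if prev is None or self.now - prev[1] > CONFIRM_WINDOW:
                self.partial[name] = (rdata, self.now)
                return "need-second-answer"
            first, _ = self.partial.pop(name)
            if first != rdata:
                # Two accepted answers disagree: at least one is forged; start over.
                self.events.append((self.now, "mismatch", name, first, rdata))
                return "mismatch"
            return "cached-pinned" if self.store(name, rdata, ttl, pin=True) else "kept-pinned"
        return "cached" if self.store(name, rdata, ttl, pin=False) else "kept-pinned"

    def store(self, name, rdata, ttl, pin):
        """Insert into the cache unless an immutable (pinned) entry is in place."""
        cur = self.cache.get(name)
        if cur is not None and self.now < cur.pinned_until:
            return False
        pinned_until = self.now + PIN_SECONDS if pin else 0.0
        # Post: the normal TTL only starts counting down once the pin has lapsed.
        expires = (pinned_until if pin else self.now) + ttl
        self.cache[name] = CacheEntry(rdata, pinned_until, expires)
        return True

    def lookup(self, name):
        e = self.cache.get(name)
        return None if e is None or self.now >= e.expires else e.rdata


def decoy_hit_probability():
    """Chance that one blind port guess lands on a decoy and trips detection."""
    return DECOY_COUNT / len(PORT_RANGE)


def spoof_flood(resolver, name, packets, seed=0, rdata="198.51.100.99"):
    """Blind attacker guessing port and ID; returns verdict counts."""
    atk = random.Random(seed)
    counts = {}
    for _ in range(packets):
        v = resolver.receive(atk.choice(PORT_RANGE), atk.randrange(1 << 16), name, rdata, 300)
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    r = DetectingResolver(seed=7)
    q = r.send_query("example.com")
    print(spoof_flood(r, "example.com", 5000), decoy_hit_probability())
```

Each blind guess has roughly a 0.3% chance of landing on a decoy, so a flood of a few thousand forged packets almost certainly trips the detector long before it stumbles on the real port and ID; after that, the name needs two agreeing answers and the confirmed answer cannot be overwritten for six hours. The simulation only implements the rule as the post states it (decoy ports trigger detection); an answer on a real port with the wrong ID is silently dropped, as resolvers already do.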