Preventing Use of Recursive Nameservers in Reflector Attacks
Note: This ballot was opened for revision 06 and is now closed.
(Sam Hartman) Discuss
Discuss (2007-10-02 for -)
[This is a preliminary discuss; I reserve the right to add to it until the telechat on Thursday. I wanted to get this issue filed as a discuss so people could think about it.] The description of the attack in section 3 is sufficiently hard to follow that I would have been unable to do so had it not been presented in detail at the IAB workshop on unwanted traffic. Start by using less abbreviations and acronyms and see if that makes it clear enough that it is easy to follow. Paul Hoffman brought up a last call comment on the ietf list; I believe this comment needs to be addressed. I support discussing this issue in the security considerations section. I don't think we can take a recommendation for or against using an open recursive name server for roaming users; I don't see sufficient discussion to support that either way. However the recommendation in section 4 is worded in such a way to allow organizations who have a need to do so to run open recursive name servers. I think that's fine and appropriate. Please add security considerations text to address Paul's issue without making a recommendation about whether the practice is advisable. Obviously factual discussion of the problems of that organizational choice are appropriate. Similarly, if you want to argue that my reading of whether there is a consensus to recommend against this practice exists I'll listen to your argument. >The Security Considerations section for this document is much too >narrow. It ignores one of the main reasons that many organizations >purposely choose to provide recursive lookup to the public, namely for >their own roaming users. Without an open, known-good nameserver at a >fixed address, roaming users need to trust whatever is given to them >by their ISP at the moment, and it is reasonable for organizations to >consider this too large of a risk. Unless the organization has a way >to tunnel DNS queries back to a non-recursive nameserver (such as >through IPsec), having a recursive nameserver available increases the >security of their roaming users. > >There are two major reasons for an organization to not want roaming >users to trust locally-assigned DNS servers. > >- An attacker might have compromised the DHCP server to which the user >conntect to point to a compromised DNS server. Although such an >attacker can also cause the DHCP server to point to a compromised >next-hop router, it is easier and less detectable for most attackers >to compromise a DNS server than a router. There are plenty of examples >where compromised DNS servers lead to spoofing and MITM attacks. > >- Some ISPs use DNS servers that purposely do not follow the same good >practices that the organization uses. In particular, some ISPs have >used bogus TLDs and name-lookup services to generate revenue. > >The Security Considerations section needs to deal with these issues, >even if they do not change the advice given in section 4.
(Ron Bonica) Yes
(Jari Arkko) No Objection
(Ross Callon) No Objection
(Lisa Dusseault) No Objection
(Lars Eggert) No Objection
(Russ Housley) No Objection
Comment (2007-10-04 for -)
Other ADs have already entered Discuss positions that cover my concerns. I'm confident that resolution of those positions will resolve my concerns.
(Chris Newman) No Objection
Comment (2007-10-04 for -)
I support Tim's concern with terminology, and the gist of Paul Hoffman's last call comment. However, the key recommendation of this draft seems important and appropriate. The acronym "SOHO" is used without being expanded on first use.
(Jon Peterson) No Objection
(Tim Polk) (was No Record, Discuss) No Objection
(Mark Townsley) No Objection
(David Ward) No Objection
Magnus Westerlund No Objection
(Cullen Jennings) (was Discuss) No Record
The advice in this draft seems to suggest that it not using ingress filtering is what is evil, not that reflectors are evil. But given the word evil does not seem like it will show up in the final RFC, I don't think this matters. I'm having a hard time finding the discussion leading to the consensus that this is the best design. Let me separate this into a bunch of points for that I would like to talk about, and once we have discussed them, I will remove them or turn them into an actionable discuss. As has been pointed out in some emails, it seems like a reasonable assumption there will be plenty of large DNS records on authoritative servers without the attacker needing to create them. If this is not the case that there will be records larger than X, then the simple solution seems to be to not allow records larger than X. Given this, I am very uncomfortable with the advice of turning off recursive name service for non authenticated clients. I am mostly uneasy with this because none of the schemes for authenticating a client look like they will meet a large percentage of the deployment use cases. Moving to the topic of using reflectors in dos attacks, in general I think we have seen three approaches to solving this: 1) block spoofed requests 2) return route checks, and 3) don't allow amplification. The advice of following BCP 38 is no doubt good advice but we have been recommending that for a very long time and have not made much progress. We could delve into why it is hard to do BCP 38 (even assuming all the equipment supports it) or why the people that need to deal with the pain of doing it do not have many incentives to actually do it but regardless of all that, I doubt that this document saying people should do BCP 38 will really up the rate of adoption of BCP 38 very much. That makes me wonder why this solution over other ones. This takes me on to return route checks. The trivial return route check would be use TCP and clearly there is experience with this and it does not work thought some percentage of firewalls. Now we could argue about if the firewalls were misconfigured or not but what about a very pragmatic approach of for large responses, trying a UDP based liveness check. I tried to find a record of discussion about this but could not. I'm curios to know if this ideas was considered and thrown out in favor of BCP 38. The final approach sounds very lame at first glance but would simply be to not allow large repossess that were say more than twice the size of the request and allow the client to pad out requests that the client knew would result in large responses. Again, I'm curios if any ideas were considered and discarded for BCP 38. Would some combination of any of these make sense?