Preventing Use of Recursive Nameservers in Reflector Attacks
RFC 5358

Note: This ballot was opened for revision 06 and is now closed.

(Sam Hartman) Discuss

Discuss (2007-10-02)
[This is a preliminary discuss; I reserve the right to add to it until the telechat on Thursday.
I wanted to get this issue filed as a discuss so people could think about it.]

The description of the attack in section 3 is sufficiently hard to
follow that I would have been unable to do so had it not been
presented in detail at the IAB workshop on unwanted traffic.  Start by
using fewer abbreviations and acronyms and see if that makes it clear
enough that it is easy to follow.

Paul Hoffman brought up a last call comment on the ietf list; I
believe this comment needs to be addressed.  I support discussing this
issue in the security considerations section.  I don't think we can
take a recommendation for or against using an open recursive name
server for roaming users; I don't see sufficient discussion to support
that either way.  However, the recommendation in section 4 is worded in
such a way as to allow organizations who have a need to do so to run open
recursive name servers.  I think that's fine and appropriate.  Please
add security considerations text to address Paul's issue without
making a recommendation about whether the practice is advisable.

Obviously factual discussion of the problems of that organizational
choice is appropriate.  Similarly, if you want to argue that my
reading of whether there is a consensus to recommend against this
practice exists I'll listen to your argument.

>The Security Considerations section for this document is much too
>narrow. It ignores one of the main reasons that many organizations
>purposely choose to provide recursive lookup to the public, namely for
>their own roaming users. Without an open, known-good nameserver at a
>fixed address, roaming users need to trust whatever is given to them
>by their ISP at the moment, and it is reasonable for organizations to
>consider this too large of a risk. Unless the organization has a way
>to tunnel DNS queries back to a non-recursive nameserver (such as
>through IPsec), having a recursive nameserver available increases the
>security of their roaming users.
>
>There are two major reasons for an organization to not want roaming
>users to trust locally-assigned DNS servers.
>
>- An attacker might have compromised the DHCP server to which the user
>connects to point to a compromised DNS server. Although such an
>attacker can also cause the DHCP server to point to a compromised
>next-hop router, it is easier and less detectable for most attackers
>to compromise a DNS server than a router. There are plenty of examples
>where compromised DNS servers lead to spoofing and MITM attacks.
>
>- Some ISPs use DNS servers that purposely do not follow the same good
>practices that the organization uses. In particular, some ISPs have
>used bogus TLDs and name-lookup services to generate revenue.
>
>The Security Considerations section needs to deal with these issues,
>even if they do not change the advice given in section 4.

(Ron Bonica) Yes

(Jari Arkko) No Objection

(Ross Callon) No Objection

(Lisa Dusseault) No Objection

(Lars Eggert) No Objection

(Russ Housley) No Objection

Comment (2007-10-04)
  Other ADs have already entered Discuss positions that cover my concerns.
  I'm confident that resolution of those positions will resolve my
  concerns.

(Chris Newman) No Objection

Comment (2007-10-04)
I support Tim's concern with terminology, and the gist of Paul Hoffman's
last call comment.

However, the key recommendation of this draft seems important and
appropriate.

The acronym "SOHO" is used without being expanded on first use.

(Jon Peterson) No Objection

(Tim Polk) (was No Record, Discuss) No Objection

(Mark Townsley) No Objection

(David Ward) No Objection

Magnus Westerlund No Objection

(Cullen Jennings) (was Discuss) No Record

Comment (2008-03-06)
The advice in this draft seems to suggest that not using ingress filtering is what is evil, not that reflectors are evil. But given the word evil does not seem like it will show up in the final RFC, I don't think this matters.

I'm having a hard time finding the discussion leading to the consensus that this is the best design.  Let me separate this into a bunch of points that I would like to talk about, and once we have discussed them, I will remove them or turn them into an actionable discuss.

As has been pointed out in some emails, it seems like a reasonable assumption there will be plenty of large DNS records on authoritative servers without the attacker needing to create them. If this is not the case that there will be records larger than X, then the simple solution seems to be to not allow records larger than X. Given this, I am very uncomfortable with the advice of turning off recursive name service for non-authenticated clients. I am mostly uneasy with this because none of the schemes for authenticating a client look like they will meet a large percentage of the deployment use cases.

Moving to the topic of using reflectors in DoS attacks, in general I think we have seen three approaches to solving this: 1) block spoofed requests, 2) return route checks, and 3) don't allow amplification.

The advice of following BCP 38 is no doubt good advice but we have been recommending that for a very long time and have not made much progress. We could delve into why it is hard to do BCP 38 (even assuming all the equipment supports it) or why the people that need to deal with the pain of doing it do not have many incentives to actually do it but regardless of all that, I doubt that this document saying people should do BCP 38 will really up the rate of adoption of BCP 38 very much. That makes me wonder why this solution over other ones. This takes me on to return route checks.

The trivial return route check would be to use TCP and clearly there is experience with this and it does not work through some percentage of firewalls. Now we could argue about if the firewalls were misconfigured or not but what about a very pragmatic approach of, for large responses, trying a UDP based liveness check. I tried to find a record of discussion about this but could not. I'm curious to know if this idea was considered and thrown out in favor of BCP 38.

The final approach sounds very lame at first glance but would simply be to not allow large responses that were, say, more than twice the size of the request and allow the client to pad out requests that the client knew would result in large responses. Again, I'm curious if any ideas were considered and discarded for BCP 38.

Would some combination of any of these make sense?
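
The size cap from the comment above, combined with a truncated reply that pushes the client to retry over TCP (the return route check), sketched as an added example; it is not part of the ballot comment, the draft, or any DNS server's code. The 2x ratio is the commenter's figure; using the EDNS0 Padding option (RFC 7830) for client padding, the function names and the sample messages are assumptions made here.

```python
import struct

MAX_RATIO = 2            # cap from the comment: reply at most twice the request size
QR, TC = 0x8000, 0x0200  # DNS header flag bits (RFC 1035)

def build_query(qname, qtype=255, pad=0, txid=0x1234):
    """Constructed DNS query; pad > 0 adds an EDNS0 Padding option (assumed mechanism)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = labels + struct.pack("!HH", qtype, 1)
    opt = b""
    if pad:
        rdata = struct.pack("!HH", 12, pad) + bytes(pad)   # option code 12 = Padding
        # OPT pseudo-RR: root name, type 41, class = UDP payload size, TTL 0, RDLEN
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if pad else 0)
    return header + question + opt

def question_end(msg):
    """Offset just past the first question; rejects short or compressed names."""
    i = 12
    while True:
        if i >= len(msg) or msg[i] & 0xC0:
            raise ValueError("malformed or compressed question name")
        if msg[i] == 0:
            break
        i += msg[i] + 1
    if i + 5 > len(msg):
        raise ValueError("truncated question")
    return i + 5

def constructed_response(query, size):
    """Constructed stand-in for a large answer: header + question + filler bytes."""
    end = question_end(query)
    return query[:2] + struct.pack("!H", 0x8180) + query[4:end] + bytes(size - end)

def limit_response(query, response):
    """Send the response only if it fits the cap; otherwise reply header+question with TC."""
    if len(response) <= MAX_RATIO * len(query):
        return response
    txid, flags = struct.unpack("!HH", query[:4])
    header = struct.pack("!HHHHHH", txid, flags | QR | TC, 1, 0, 0, 0)
    return header + query[12:question_end(query)]

if __name__ == "__main__":
    small = build_query("example.com")            # unpadded request
    padded = build_query("example.com", pad=200)  # client pads, expecting a big answer
    big = constructed_response(small, 400)
    for q in (small, padded):
        out = limit_response(q, big)
        print(len(q), "->", len(out), "bytes, ratio %.2f" % (len(out) / len(q)))
```

A spoofed small query only ever draws a reply no larger than itself, so the reflector gives the attacker no gain; a client that pads pays for the large answer in its own outbound bytes.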