
A Speculation on DNS DDOS [video] - okket
https://ripe73.ripe.net/archives/video/1536/
======
webscaleizfun
Interesting idea, but then you are essentially forcing everyone to go through
their upstream provider or Google's DNS servers, since when DDOS attacks
occur, smaller networks won't be in your 8000 resolver whitelist.

Part of me thinks this is just the author building another wall, since now the
DDOS will just attack ISP DNS servers instead, and worse yet quite a few of
those compromised IoT devices are on those same ISPs networks, providing even
better connectivity & potential throughput compared to congested peering.

Perhaps we should be taking a different path, instead of letting Qualcomm,
Broadcom and ilk continue to build massive out of tree branches of the Linux
kernel and never mainline their changes, thus preventing effective long term
support for said hardware, we should seek to force them to properly mainline
their code so when the vendors using their chips drop support, all these
vulnerable IoT devices aren't permanently sitting there vulnerable.

Otherwise, the future is bleak for your smart toaster. It's likely gonna join a
botnet sooner or later, just a matter of time ultimately.

~~~
aexaey
> Otherwise, the future is bleak for your smart toaster

Well, no. Smart toaster is going to be just fine. And that's the core of the
problem here. Much like it is the case with polluting diesel cars, owners are
reasonably happy with their purchase and simply unaware of any problem
(until/unless the product is recalled). And even being aware, there is very little
incentive for owners to address the issue of their property subtly
contributing to harming somebody else.

And same again with much-needed BCP-38. It adds very, very little value to the
ISP who implements it, so many never bother to. Yet less-than-universal rollout
of BCP-38 hurts the Internet as a whole.

------
mhandley
The idea Geoff presents, of whitelisting the source addresses of the 8000 or
so most frequently used recursive nameservers, and giving them priority
service, is a good one, and should help. However, something like 20% of the
Internet can still spoof source addresses. That 20% can spoof whitelisted DNS
server source addresses, and so end up in the priority queue.

An interesting question is how many of the bots in these IOT-based botnets are
behind home NATs - if it's most of them, then even if their ISP allows
spoofing, the IOT device won't be able to spoof. However, it does make it all
the more important as IPv6 rolls out that BCP 38 is enforced.

------
metafunctor
The idea given in the talk is simple: keep a whitelist of known recursive name
servers who have behaved well in the past. Serve requests coming from these
known good IPs with a high priority. Serve all other requests with a lower
priority.
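
The whitelist-plus-two-queues scheme described above, as an added simulation that is not code from the talk or from anyone in this thread. The resolver prefixes and the query burst are constructed placeholders; the second run also models the spoofing gap mhandley raises elsewhere in the thread.

```python
import heapq
import ipaddress
from collections import Counter

# Constructed placeholders standing in for the talk's list of ~8000 known
# recursive resolvers (RFC 5737 documentation ranges, not real resolvers).
KNOWN_RESOLVERS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.53/32")]
HIGH, LOW = 0, 1  # smaller value pops first from the heap


def classify(src):
    """HIGH if the query's source address is inside a known resolver prefix, else LOW."""
    ip = ipaddress.ip_address(src)
    return HIGH if any(ip in net for net in KNOWN_RESOLVERS) else LOW


def serve(queries, capacity):
    """Drain one burst of (src, qname) queries with a fixed answer budget.

    Whitelisted sources are answered before everything else; within a class
    the order is first-come, first-served. Returns (answered, dropped) lists.
    """
    heap = []
    for seq, (src, qname) in enumerate(queries):
        heapq.heappush(heap, (classify(src), seq, src, qname))
    answered, dropped = [], []
    while heap:
        _, _, src, qname = heapq.heappop(heap)
        (answered if len(answered) < capacity else dropped).append((src, qname))
    return answered, dropped


def flood_demo(spoofed=0):
    """Constructed burst: 200 flood queries from unknown hosts, then `spoofed`
    queries forging a whitelisted source address (the gap mhandley points out),
    then 20 genuine queries from a known resolver; the server can answer 50.
    Returns how many queries of each kind got an answer."""
    flood = [("203.0.113.%d" % (i % 250 + 1), "flood-%d.example." % i) for i in range(200)]
    spoof = [("192.0.2.10", "spoof-%d.example." % i) for i in range(spoofed)]
    legit = [("192.0.2.10", "legit-%d.example." % i) for i in range(20)]
    answered, _ = serve(flood + spoof + legit, capacity=50)
    return Counter(qname.split("-")[0] for _, qname in answered)


if __name__ == "__main__":
    print("no spoofing:   ", dict(flood_demo()))           # {'legit': 20, 'flood': 30}
    print("60 spoofed src:", dict(flood_demo(spoofed=60)))  # {'spoof': 50}
```

The second run shows why the whitelist only holds up where BCP 38 filtering is in place: forged whitelisted sources land in the same priority queue as the genuine resolver and crowd it out.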

~~~
teddyh
Actually, he gives _two_ ideas, the second being that all resolvers should use
“NSEC aggressive caching” for DNSSEC signed zones, so compromised devices
can’t go around the whitelist from the first idea by using DNS resolvers as
proxies.

------
Vlakslcllell
After a few minutes, the video embedded in that page stops, stating "html5:
Video not properly encoded".

Direct link to the video: [https://ripe73.ripe.net/archive/video/Geoff_Huston-A_Specula...](https://ripe73.ripe.net/archive/video/Geoff_Huston-A_Speculation_on_DNS_DDOS-20161028-112925.mp4")

~~~
teddyh
That link is broken; fixed link:
[https://ripe73.ripe.net/archive/video/Geoff_Huston-A_Specula...](https://ripe73.ripe.net/archive/video/Geoff_Huston-A_Speculation_on_DNS_DDOS-20161028-112925.mp4)

