
A Deep Dive into DNS Packet Sizes - thedg
https://blog.cloudflare.com/a-deep-dive-into-dns-packet-sizes-why-smaller-packet-sizes-keep-the-internet-safe/
======
hueving
It's sort of pathetic that our answer to trying to stop DDoS amplification
attacks is to cripple public UDP services. It shouldn't be acceptable for an
ISP to originate spoofed packets. There is absolutely no excuse for it, yet we
continue to accept it as some kind of inevitability and treat symptom after
symptom of the same root cause.

~~~
AndyMcConachie
BCP38/Anti-Spoofing is a really really hard problem to fix. It may not happen
in our lifetimes. There is the MANRS document/routing manifesto, which has
been gaining traction.
[https://www.routingmanifesto.org/](https://www.routingmanifesto.org/)

There are other initiatives as well. But the problem is very difficult to
solve.

~~~
madsushi
Do you mean the problem is technically hard or politically hard? From my
understanding, it's not too difficult for an ISP to implement, the problem is
convincing ISPs to implement it (when many don't care).

~~~
Pharaoh2
The problem is technically difficult to solve. The same way deploying IPv6
was.

~~~
hueving
No, quite the opposite. Nearly every router has a very simple option to not
allow packets from IPs not on the same CIDR as the interface. If ISPs turned
this on on each edge interface, the problem would be solved.

It's entirely political/economic. There is no incentive for an ISP to do so
because it provides no direct benefit. It's a classic issue of externalities.
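
To make the "very simple option" concrete, here is an added illustration (not code from the thread, and not any vendor's configuration syntax) of strict-mode ingress filtering as BCP38 describes it: a packet arriving on a customer-facing interface is forwarded only if its source address falls inside a prefix assigned to that interface. The interface names, prefixes and sample packets are constructed.

```python
"""Strict ingress filtering (BCP38 / strict uRPF) simulated in pure Python.

Added example, not code from the thread or from any router vendor. The
interface-to-prefix table and the sample traffic are constructed; all
addresses come from documentation ranges.
"""
import ipaddress
from collections import Counter

# Constructed edge-router table: which prefixes are routed via each
# customer-facing interface. Unknown interfaces have no valid sources.
INTERFACE_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:1::/48")],
}


def source_is_valid(interface, src):
    """Strict uRPF check: the source must belong to a prefix assigned to the
    interface the packet arrived on. Anything else is treated as spoofed."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERFACE_PREFIXES.get(interface, []))


def filter_packets(packets):
    """Split (interface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        bucket = forwarded if source_is_valid(iface, src) else dropped
        bucket.append((iface, src, dst))
    return forwarded, dropped


def spoofed_by_interface(packets):
    """Count dropped packets per ingress interface: the operational signal an
    ISP would watch once the filter is turned on."""
    _, dropped = filter_packets(packets)
    return dict(Counter(iface for iface, _, _ in dropped))


# Constructed sample traffic; 192.0.2.53 plays the role of a public resolver
# that a spoofed query would bounce off.
SAMPLE = [
    ("ge-0/0/1", "203.0.113.7", "192.0.2.53"),         # customer on its own prefix
    ("ge-0/0/1", "192.0.2.10", "192.0.2.53"),          # source not on this port: spoofed
    ("ge-0/0/2", "198.51.100.200", "192.0.2.53"),      # outside the assigned /25: spoofed
    ("ge-0/0/2", "2001:db8:1::10", "2001:db8:ff::53"), # IPv6 customer on its own prefix
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
    print("spoofed per interface:", spoofed_by_interface(SAMPLE))
```

The check is a single prefix-membership test per packet, which is why the thread treats the blocker as economic rather than technical; the only operational subtlety is that the prefix table must be kept in step with customer address assignments, or legitimate traffic gets dropped.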

------
StreamBright
It is kind of epic how DJB predicted this.

"Domains with DNSSEC, because of the size of some responses, are usually ripe
for this type of abuse, and many DNS providers struggle to combat DNSSEC-based
DDoS attacks. Just last month, Akamai published a report on attacks using DNS
lookups against their DNSSEC-signed .gov domains to DDoS other domains. They
say they have seen 400 of these attacks since November."

[https://cr.yp.to/djbdns/forgery.html](https://cr.yp.to/djbdns/forgery.html)

~~~
simoncion
> It is kind of epic how DJB predicted this.

That's not how I read the linked essay. The lesson I get from that is that
until relatively recently it was trivial to poison DNS responses requested by
most DNS servers, and that it's still quite possible if you have a "nearby"
malicious machine.

The CloudFlare essay appears to be talking about DDoS attacks via traffic
amplification through large DNS queries.

Yes they both involve DNS, but -AIUI- neither DNSSEC nor DNSCurve will fix the
problem mentioned in the CloudFlare essay.

Am I misunderstanding either essay?

~~~
StreamBright
To be more specific he talks about it here:

[http://cr.yp.to/talks/2012.06.04/slides.pdf](http://cr.yp.to/talks/2012.06.04/slides.pdf)

[http://imgur.com/m6YCyG8](http://imgur.com/m6YCyG8)

~~~
simoncion
> To be more specific...

ITYM: "To actually link to a talk where he talks about the topic I thought he
was talking about..." ;)

But yeah, thanks for the links. That's good stuff.

~~~
StreamBright
Yep, copy-paste fail on the first link.

------
ge0rg
_By implementing ECDSA natively in assembler, he was able to speed up signing
by 21x._

Let's hope it is resistant to side-channel attacks[0] ;)

[0]
[https://news.ycombinator.com/item?id=11223266](https://news.ycombinator.com/item?id=11223266)

~~~
lallysingh
I don't think side channels are an attack vector for them. These are running
on machines that they own, and where they control all the software on them.

I wonder if removing side-channel countermeasures was part of the
optimization?

~~~
mindslight
Some side channels travel over networks. Timing, for instance.

------
jedisct1
Resolvers obviously can't generate signatures for synthesized responses to ANY
queries.

So when the DO bit was set, the draft suggests returning unsigned records,
because the initiator can then explicitly ask for HINFO and get a signed
response.

However, resolvers just return SERVFAIL if the response doesn't validate. Will
Qmail retry with more specific records after a SERVFAIL response code?

------
axaxs
While ECDSA size is nice comparatively, the screenshot is a little misleading
if strictly comparing algo sizes. It's not showing cloudflare's ksk, and
cloudflare doesn't sign its own KSK (though there's no reason to really, but
the other domain appears to).

------
CyberDildonics
It seems like one solution might be to simply not send more data from the DNS
server than it has received from the IP it is sending to. You could still
spoof an IP and bounce traffic, but then you couldn't amplify it.
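
The following is an added example (not from the thread and not Cloudflare's code) that puts numbers on the idea above. It builds wire-format DNS messages by hand so it runs offline: a query carrying an EDNS0 OPT record, a bulky constructed ANY-style answer set, and a "never send more than you received" cap that replaces an over-size reply with a truncated one (TC bit set, answers stripped), which a genuine client answers by retrying over TCP while a spoofed victim receives nothing larger than the query. Names, record contents and sizes are constructed; the encoder assumes ASCII names and no name compression.

```python
"""DNS amplification factor and a 'never amplify' response cap.

Added example, not code from the thread or from Cloudflare. Builds DNS wire
messages by hand so it runs offline; names, record contents and sizes are
constructed. Assumes a single question, ASCII names, no name compression.
"""
import struct

TC_FLAG = 0x0200        # truncation bit in the header flags
STD_RESPONSE = 0x8180   # QR=1, RD=1, RA=1, RCODE=NOERROR


def encode_name(name):
    """Encode 'example.com' as length-prefixed labels plus the root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def question_end(msg):
    """Offset just past the single question: name terminator + type + class."""
    return msg.index(b"\x00", 12) + 1 + 4


def build_query(qname, qtype, qid=0x1234, edns_bufsize=4096):
    """Header, one question, and an EDNS0 OPT record advertising edns_bufsize."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, class carries the UDP buffer size, ttl 0, no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def build_response(query, records):
    """Answer the query's question with records given as (name, type, ttl, rdata)."""
    question = query[12:question_end(query)]
    answers = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
                       for n, t, ttl, rd in records)
    header = query[:2] + struct.pack("!HHHHH", STD_RESPONSE, 1, len(records), 0, 0)
    return header + question + answers


def amplification(query, response):
    """Bytes sent per byte received: the ratio an amplification attack exploits."""
    return len(response) / len(query)


def cap_response(query, response, max_factor=1.0):
    """Policy from the comment: if the full answer would exceed max_factor times
    the query size, send only the header and question with TC=1 instead.
    A real client retries over TCP (which cannot be spoofed this way); a
    spoofed victim gets a packet no bigger than the attacker's query."""
    if len(response) <= max_factor * len(query):
        return response
    flags = struct.unpack("!H", response[2:4])[0] | TC_FLAG
    header = response[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0)
    return header + response[12:question_end(response)]


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)


# Constructed sample: an ANY query (type 255) and a bulky, signed-looking answer set.
QUERY = build_query("example.com", 255)
BIG_RESPONSE = build_response(QUERY, [
    ("example.com", 1, 300, bytes([192, 0, 2, 10])),   # A record
    ("example.com", 16, 300, b"\x77" + b"x" * 119),    # TXT: 119-byte constructed string
    ("example.com", 46, 300, b"\x00" * 280),           # constructed RRSIG-sized blob
    ("example.com", 46, 300, b"\x00" * 280),           # second constructed signature
])
SMALL_RESPONSE = build_response(QUERY, [("example.com", 1, 300, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    print("query bytes:", len(QUERY), "response bytes:", len(BIG_RESPONSE),
          "factor:", round(amplification(QUERY, BIG_RESPONSE), 2))
    capped = cap_response(QUERY, BIG_RESPONSE)
    print("capped bytes:", len(capped), "TC set:", is_truncated(capped))
```

Running it shows the cost of the strict policy as well as its benefit: with the 40-byte EDNS query constructed here, even a single A record answer (56 bytes) exceeds the query and would be truncated at a factor of 1.0, so every ordinary client would fall back to TCP; a slightly looser cap such as 2.0 lets small answers through while still refusing the 20x reply. That is why real deployments tend toward response-rate limiting and smaller signed responses rather than a hard equal-size rule.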

------
CyberDildonics
Are there any other protocols that work over UDP and amplify traffic?

~~~
benjojo12
Quake-style game protocols (Call of Duty 4, Quake 2, 3, etc.) were used quite
a lot for amplified DoS.

