[AusNOG] GLIBC vulnerability
Roland Dobbins
rdobbins at arbor.net
Sun Feb 21 15:27:33 EST 2016
On 17 Feb 2016, at 20:03, Andrew Yager wrote:
> Apparently ensuring DNS packets are properly sized is an effective
> mitigating strategy to this vulnerability
[Sorry for the late reply; I missed hitting the send key when I wrote
this, and just now realized it, doh!]
Yes, reflection/amplification DDoS attacks utilize spoofing to generate
large, non-solicited responses to pummel targets. In some cases
(notably ntp), one can do some size-based filtering or QoSing to keep
these non-solicited responses from pummeling customers.
However, this doesn't apply to the DNS.
EDNS0 DNS responses can be quite large - that's the purpose of EDNS0, to
allow UDP DNS responses larger than 512 bytes. Every DNSSEC response is
at least 1480 bytes in length.
So, filtering DNS responses based upon size constraints isn't an option.
Doing that will break the DNS. Also note that large DNS responses are
typically fragmented, so non-initial fragments come into play, as well -
and blocking non-initial fragments doesn't just break DNS, it breaks the
Internet.
Here's a link to a .pdf of the cited reflection/amplification preso:
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
I hope this helps!
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
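An added example (not code from the thread or from the original post) showing the EDNS0 mechanics the message refers to: a DNS query carrying an OPT pseudo-RR that advertises the UDP payload size the sender can accept, and a parser that reads that advertised size and the DO bit back out of a message, following the RFC 6891 wire format. The sample response, the 1232-byte advertised size and the addresses used are constructed for the example, not captured traffic.

```python
"""Build a DNS query carrying an EDNS0 OPT pseudo-RR and read the advertised
UDP payload size back out of a message (RFC 6891 wire format).

Added example for the AusNOG thread above; not code from the original post.
All messages are constructed in memory, so it runs offline.
"""
import struct

TYPE_OPT = 41
CLASSIC_UDP_LIMIT = 512   # RFC 1035 ceiling for a UDP response without EDNS0
EDNS_DO_BIT = 0x8000      # DNSSEC OK flag, top bit of the OPT TTL field


def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_opt_rr(udp_payload_size, do_bit=False):
    """OPT RR: root name, TYPE=41, CLASS carries the UDP payload size, TTL
    carries extended RCODE / version / DO / Z, and RDATA is empty here."""
    ttl = EDNS_DO_BIT if do_bit else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, ttl, 0)


def build_query(name, qtype=1, edns_udp_size=None, do_bit=False, msg_id=0x1234):
    """Return a recursive query; add an OPT RR when edns_udp_size is given."""
    arcount = 1 if edns_udp_size is not None else 0
    # Header: ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    msg = header + question
    if edns_udp_size is not None:
        msg += build_opt_rr(edns_udp_size, do_bit)
    return msg


def skip_name(msg, offset):
    """Return the offset just past a wire-format name; a compression pointer
    (top two bits set) ends the name and occupies two bytes."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_edns(msg):
    """Return (udp_payload_size, do_bit) from the message's OPT RR.

    Without an OPT RR the peer is held to the classic 512-byte UDP response."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(msg, offset) + 4       # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        offset = skip_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & EDNS_DO_BIT)
        offset += rdlen
    return CLASSIC_UDP_LIMIT, False


# Constructed sample response (not a capture): QR/RD/RA flags, one A record
# whose owner name is a compression pointer back to the question (0xC00C),
# and an OPT RR advertising a 1232-byte UDP payload with DO set.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    + build_opt_rr(1232, do_bit=True)
)


if __name__ == "__main__":
    plain = build_query("example.com")
    edns = build_query("example.com", edns_udp_size=4096, do_bit=True)
    print(len(plain), parse_edns(plain))            # 29 (512, False)
    print(len(edns), parse_edns(edns))              # 40 (4096, True)
    print(len(SAMPLE_RESPONSE), parse_edns(SAMPLE_RESPONSE))  # 56 (1232, True)
```

The advertised size lives in the OPT record's CLASS field and the DO bit in its TTL field, which is why a plain RR parser that treats those fields normally misreads them. Run against captured traffic, parse_edns would tell you what ceiling a querier has announced; the point of the message above is that a legitimate ceiling is routinely well past 512 bytes, so a size filter on port 53 cannot separate wanted responses from reflected ones.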