
Re: [opennic-dns-operations] Whitelist functions are now ready


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: dns-operations AT lists.opennicproject.org
  • Subject: Re: [opennic-dns-operations] Whitelist functions are now ready
  • Date: Thu, 13 Feb 2014 21:22:11 -0700

It has been discussed MANY times already, but apparently everyone forgot again... Blacklists DO NOT WORK for DNS services. DNS primarily uses UDP, which does not require a two-way connection to complete the transaction. UDP packets can be sent without any expectation of a reply. Because of this, DNS attacks almost always come from spoofed IP addresses. How do you block the packets, or even have time to add an IP to a blacklist, when the spoofed IP address is changing every second?

Two years ago we could block attackers because their packets always connected on a known source port. Last year we could filter some of the packets because the attackers only changed IP addresses every 5-10 minutes. Today the queries just come in on a flood of random IPs. Sometimes we can detect the target because of the large number of queries for their domain, but I feel like more of these attacks are actually directed at OpenNic because there is no clear pattern to point to a target, there is only a flood of apparently random lookups.

A 'smart' attacker will periodically test the DNS servers they are using for their attack. If you stop answering public queries for an hour, a lot of times the attacker will go away (only to return later when you bring services back up again). An ISP will only answer DNS queries from their own customers because they have complete control and can shut down a rogue customer who abuses their services. We do not have such luxuries. The only option we have is using whitelisting. By using whitelisting, we regain some control, plus we prevent the random access from attackers which signals that we are prime targets for their abuse.

Some tier-2 operators will continue to run open services. Some are tired of the abuse. Some have no choice because without controls on the DNS service, hosting facilities may shut you down or the attacks may be affecting your business or other critical aspects of the servers you run. Whatever the reason, there MUST be an option to control server access for the operators who need it.
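The argument above (a source-IP blacklist cannot keep up with a spoofed UDP flood, while a whitelist of the operator's own networks can) is illustrated below with a small, added Python example that is not part of the original post. The log format, the sample query lines, the 203.0.113.0/24 spoofed sources and the 10.0.0.0/24 allowlist are all constructed for this example.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed sample log, one query per line: "<client_ip> <qname> <qtype>".
# 40 queries for one name, each from a different (spoofed) source, plus a
# handful of queries from the operator's own clients (hypothetical 10.0.0.0/24).
SPOOFED = [f"203.0.113.{i} victim.example. ANY" for i in range(1, 41)]
LEGIT = ["10.0.0.5 www.example.net. A", "10.0.0.6 mail.example.net. MX",
         "10.0.0.5 www.example.net. AAAA"]
LOG = SPOOFED + LEGIT
ALLOWLIST = ["10.0.0.0/24"]  # hypothetical: the networks this operator serves

def parse_line(line):
    ip, qname, qtype = line.split()
    return ip, qname.lower(), qtype

def summarize(lines):
    """Per qname: (total queries, number of distinct source IPs)."""
    total, sources = Counter(), defaultdict(set)
    for ip, qname, _ in map(parse_line, lines):
        total[qname] += 1
        sources[qname].add(ip)
    return {q: (total[q], len(sources[q])) for q in total}

def likely_flood_targets(lines, min_queries=20, min_distinct_ratio=0.9):
    """Names with many queries where nearly every query has a new source IP:
    the 'flood of random IPs' pattern, which also points at the victim."""
    return [q for q, (n, s) in summarize(lines).items()
            if n >= min_queries and s / n >= min_distinct_ratio]

def blacklist_catch_count(lines, target, window):
    """Build a blacklist from the target's sources seen in the first `window`
    queries, then count how many later queries it would actually block."""
    seen = {ip for ip, q, _ in map(parse_line, lines[:window]) if q == target}
    return sum(1 for ip, _, _ in map(parse_line, lines[window:]) if ip in seen)

def allowlist_split(lines, allowlist):
    """Whitelisting: answer only sources inside the operator's own networks."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    answered, refused = [], []
    for line in lines:
        ip = ipaddress.ip_address(parse_line(line)[0])
        (answered if any(ip in n for n in nets) else refused).append(line)
    return answered, refused

if __name__ == "__main__":
    target = likely_flood_targets(LOG)[0]
    print("flood target:", target, summarize(LOG)[target])
    print("blacklist would block:", blacklist_catch_count(LOG, target, 20))
    answered, refused = allowlist_split(LOG, ALLOWLIST)
    print("whitelist answered/refused:", len(answered), len(refused))
```

With every spoofed query arriving from a fresh address, a blacklist learned from the first half of the flood blocks none of the second half, whereas the allowlist refuses the whole flood and still answers the operator's own clients.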



Archive powered by MHonArc 2.6.19.