2013-07-01

Several weeks ago, we hosted a hugely successful DDoS webinar with our Director of DNS Engineering Andrew Sullivan. We answered a lot of your questions at the end, but we had a ton of leftovers that we wanted to tackle.

Our suggestion: watch the webinar and then, check out this post. If you don’t have time for that, you’ll definitely get some great insight from this post alone, but we think you’ll enjoy the hour that we put together. It’s a holiday week…you got the time!

Let’s get to the questions answered by Mr. Sullivan himself.

Will the move to IPv6 lessen the opportunity for DDoS attacks?

No. Indeed, it likely makes the problem worse in some ways, because whereas today each member of a botnet often has just one IP address (meaning you can identify a member eventually), IPv6 often gives an end machine a range of IPs to work with. This allows you to increase your privacy (because you’re not always connecting using the same IP), but it also allows bad guys to hide better.

I’m a DynECT Managed DNS client. Am I protected?

As I suggested in the webinar, the answer to this is, “Yes and no.” Dyn has network experts and lots of monitoring, and we have a lot of bandwidth. We do face these down sometimes, and I think we’re pretty good at it.

By the same token, as I noted, on the contemporary Internet, the bad guys will still have more compromised servers long after you’ve run out of money for bandwidth. Because we’re a DNS provider, we are a target ourselves. Also, we have several high profile customers that could be targets as well. By coming onto a managed platform like ours (or any of our competitors), you automatically gain at least some risk associated with those other people. Like every engineering decision, it’s a trade-off.

Can open resolvers be used for any good?

Yes, but they’re probably not worth it any more. The old reason for running open resolvers was, at bottom, to be friendly. An open resolver could be used by anyone, and everyone using it benefitted the cache there. But these days, the risk from open resolvers outweighs the benefit, and if you are operating one you should probably tighten the access rules.

Do Windows servers do RRL?

You can do it with BIND on Windows, but as far as I know, Microsoft has not released a version of their software to support this. I may be wrong. If you are a customer of Microsoft, you should probably ask them about their plans to implement or support RRL.

I’m running DNS servers for a local African community with about 5000 users. It’s less than one month old. We host on a Europe-based server on a dedicated host. We dread our first DDoS. What things should we keep in mind? Our DNS servers are built on BIND and PowerDNS.

If you are using both BIND and PowerDNS, you must be using more than one server, but a single dedicated host is almost certainly inadequate to stand up against even a small attack. It is generally wise to run multiple DNS servers on different machines in different data centres using different transit providers.

Has modifying the UDP been considered (as in adding a licensing tag that would identify the machine and user)?

UDP is an ancient protocol, and it is deployed on approximately every machine that connects to the Internet. So unfortunately, any proposal that involves modifying UDP (or replacing DNS, another similar proposal) boils down to a proposal to upgrade every machine on the Internet. The last time we had a “flag day” like this on the Internet, it was possible to get a mimeographed booklet that contained the names of every single person that was connected to the Internet. This sort of thing is, perhaps unfortunately, now no longer feasible.

I own 2 Minecraft servers. We get DDoS’d very often. How could we prevent this?

First, you need to understand the kind of traffic you are receiving. What does it look like? How is the traffic coming in? There are special Minecraft-targeted tools available on the Internet designed to cause these attacks. Unfortunately, you can’t really prevent — only mitigate.

I believe Radware has a product like DefensePipe where they route via BGP to protect the pipe? They send the whole traffic to their data center. Do you think this may work fast?

It might. In effect, this is just like outsourcing your service to someone else: you’re dependent on their systems being able to handle all the data. So the question is whether you think they actually can sink all the traffic — or, at least, enough of the traffic that they will mitigate effectively for you.

I had found an issue where we were using a Linux server to do a load test on our website over and over again. When we did this, it crashed our website. What could we implement to prevent this?

Likely, you need more powerful web servers. Web servers often have to do a lot of work to serve contemporary sites (backed by technologies like Drupal or WordPress). If you don’t have the capacity to do all that work, your server will crash.

In case of using multiple providers, what happens if the attack is on SOA?

I’m not sure I understand this question. If it means, “What if the attacker is able to update the zone and change its data?” then it isn’t really a DDoS, but just a compromise of the DNS data. (It is, of course, a denial of service — it prevents the service from working as designed — but it isn’t a DDoS that exhausts resources. It’s more like when an attacker changes everyone’s password.) If it means, “What if the attacker uses the SOA record as part of the attack traffic,” then it’s no different from using any other resource record (indeed, it might be less effective, since compared to very large TXT records the SOA usually doesn’t offer much amplification).

It seems that the issue of DDoS is inherent to TCP/IP. What if we change the protocol to something not TCP/IP?

It’s not TCP/IP, but UDP/IP that is the problem. It is harder (but by no means impossible) to spoof an address for a protocol relying on TCP. But see my answer about UDP above: that’s really an “upgrade the Internet” suggestion.

What is the recommended mitigation technique for an attack that has randomized source IP addresses and queries your DNS server for the zone it is authoritative for (ex. an attack on your DNS server/service directly)?

If it’s truly a randomized source address, that randomized pool is very large, and they’re not re-using the IP addresses, then you have basically two options: (1) stop responding for the target name (which of course takes the name off the Internet for a while) or (2) buy more bandwidth and server capacity. This pattern of attack today is relatively rare, but it is not completely unusual. Sometimes the attack packets are badly crafted, and you can use the “signature” of the packet to dump it before it passes your router. That’s the ideal case, because you can filter the traffic away before it gets to you. This is also a place where appliances can sometimes help.
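As an added example (not part of the original post, and not Dyn's or BIND's code), this small Python model of Response Rate Limiting ties the RRL question above to this one: it shows why RRL blunts a reflection attack whose queries are spoofed from a single victim address, but does nothing against the fully randomized sources described here. The per-second limit, the slip ratio, the /24 netblock grouping and the sample traffic are all constructed assumptions.

```python
"""Toy model of DNS Response Rate Limiting (RRL). Added example, not Dyn's or
BIND's implementation. RRL counts identical responses per client netblock per
second; above the limit it drops most of them and "slips" every Nth one as an
empty truncated (TC=1) reply, so a genuine client can retry over TCP.
All limits, names and traffic below are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_network

RESPONSES_PER_SECOND = 5   # assumed limit, in the spirit of BIND's responses-per-second
SLIP = 2                   # assumed: every 2nd excess response becomes a TC=1 reply


class RateLimiter:
    def __init__(self, rps=RESPONSES_PER_SECOND, slip=SLIP, prefix=24):
        self.rps, self.slip, self.prefix = rps, slip, prefix
        self.counts = defaultdict(int)    # (second, netblock, qname, qtype) -> responses
        self.excess = defaultdict(int)    # same key -> responses over the limit

    def decide(self, second, src_ip, qname, qtype):
        """Return 'send', 'slip' or 'drop' for one would-be response."""
        block = ip_network(f"{src_ip}/{self.prefix}", strict=False)
        key = (second, block, qname.lower(), qtype)
        self.counts[key] += 1
        if self.counts[key] <= self.rps:
            return "send"
        self.excess[key] += 1
        return "slip" if self.excess[key] % self.slip == 0 else "drop"


def run(limiter, queries):
    """Tally decisions for a list of (second, src_ip, qname, qtype) queries."""
    tally = defaultdict(int)
    for q in queries:
        tally[limiter.decide(*q)] += 1
    return dict(tally)


# Constructed traffic. Case 1: reflection attack, 100 identical queries in one
# second, all spoofed from the victim's address, so all share one RRL bucket.
REFLECTION = [(0, "198.51.100.7", "example.com", "TXT") for _ in range(100)]
# Case 2: 100 queries in one second from fully randomized sources, one per /24,
# so every response lands in its own bucket and RRL never triggers.
RANDOMIZED = [(0, f"10.{i}.0.1", "example.com", "TXT") for i in range(100)]

if __name__ == "__main__":
    print("reflection:", run(RateLimiter(), REFLECTION))   # 5 sent, rest slipped/dropped
    print("randomized:", run(RateLimiter(), RANDOMIZED))   # all 100 sent
```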
