To: dnsop@cafax.se
From: Bruce Campbell <bruce.campbell@ripe.net>
Date: Wed, 30 Oct 2002 19:21:57 +0100 (CET)
In-Reply-To: <200210301355.WAA26642@necom830.hpcl.titech.ac.jp>
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast
On Wed, 30 Oct 2002, Masataka Ohta wrote:

> Let's admit the fact that everyone in the world is
> allowed to grab a copy of a part of the root zone from 13 canonical places.

Yes.

> What is to prevent someone injecting a false route to a server
> pretending to be the canonical server, thus provisioning a bad copy of
> the part of the zone to those listening to the route?

Assuming that Operators aren't applying route prefix filters to their (BGP) peering links, absolutely nothing. The hypothetical attacker _will_ be able to introduce an apparent shorter path to one, or more, of the roots, with the expected result that traffic from people who use that new path as 'best' will send traffic to that particular root.

Unfortunately, although various people have been trying to convince Operators to apply such basic protections to their BGP peering/transit/etc links for several years, it will take a few demonstrations of the effectiveness of this type of attack before Operators will 'Do the Right Thing' and apply filters on their BGP sessions to prevent this type of attack.

> With anycast root servers, people are free to use public key cryptography
> to download the root zone content with https from some canonical places
> provided by ICANN, IANA, ALTERNIC, Verisign or whatever, though it merely
> moves the risk around to root CAs, such as Verisign.

This secures the backchannel. This does not stop the individual anycast roots from being the subject of DoS attacks. Given that we do not see a definitive way to stop _all_ DoS attacks[1], we should focus on making sure that the data retrieved is authoritative. Hence, we're back to the previous thread on this list, being a proposal to sign the root zone.

> Masataka Ohta

--
Bruce Campbell                                    RIPE
Systems/Network Engineer                          NCC
www.ripe.net - PGP562C8B1B              Operations/Security

[1] Misconfigurations in widely-deployed client resolvers can be more detrimental to the root servers over time than intentional attacks, e.g. querying for the 'A' record of an IP address.
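The route-injection risk and the per-session prefix-filter mitigation discussed above, modelled as an added Python example (not code from this thread or from RIPE). Every value is a constructed placeholder: 192.0.2.0/24 stands in for an anycast root-server prefix, AS 64500 for its legitimate origin, AS 64511 for a peer announcing a false, shorter path.

```python
"""Toy BGP best-path selection, with and without inbound prefix filters.
Added illustration, not from the original thread. All values are constructed:
192.0.2.0/24 stands in for an anycast root prefix, AS 64500 for its real
origin and AS 64511 for a rogue peer."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ROOT_PREFIX = "192.0.2.0/24"  # constructed stand-in for a root-server prefix

@dataclass(frozen=True)
class Announcement:
    peer: str                  # BGP session the route arrived on
    prefix: str
    as_path: Tuple[int, ...]   # leftmost = neighbour AS, rightmost = origin AS

def inbound_prefix_filter(anns: List[Announcement],
                          allowed: Dict[str, Set[str]]) -> List[Announcement]:
    """Keep only announcements whose (peer, prefix) pair is on that session's
    prefix list; a peer with no list may send nothing. Rejected routes never
    reach best-path selection."""
    return [a for a in anns if a.prefix in allowed.get(a.peer, set())]

def best_path(anns: List[Announcement], prefix: str) -> Optional[Announcement]:
    """Shortest AS path wins (as BGP does once local-pref is equal; ties: first
    seen). This is the rule an 'apparently shorter' false path exploits."""
    cands = [a for a in anns if a.prefix == prefix]
    return min(cands, key=lambda a: len(a.as_path), default=None)

def chosen_origin(anns: List[Announcement],
                  allowed: Optional[Dict[str, Set[str]]] = None) -> Optional[int]:
    """Origin AS that traffic for ROOT_PREFIX would be forwarded towards."""
    if allowed is not None:
        anns = inbound_prefix_filter(anns, allowed)
    best = best_path(anns, ROOT_PREFIX)
    return best.as_path[-1] if best else None

# Constructed table: legitimate route via transit, false route from an IX peer.
ANNOUNCEMENTS = [
    Announcement("transit", ROOT_PREFIX, (64496, 64497, 64500)),
    Announcement("ix-peer", ROOT_PREFIX, (64511,)),        # shorter, false path
    Announcement("ix-peer", "203.0.113.0/24", (64511,)),   # the peer's own space
]
# Per-session prefix lists: the IX peer may announce only its own address space.
PREFIX_LISTS = {"transit": {ROOT_PREFIX, "203.0.113.0/24"},
                "ix-peer": {"203.0.113.0/24"}}

if __name__ == "__main__":
    print("unfiltered origin:", chosen_origin(ANNOUNCEMENTS))                # 64511
    print("filtered origin:  ", chosen_origin(ANNOUNCEMENTS, PREFIX_LISTS))  # 64500
```

Without the prefix list the shorter false path is selected and traffic for the root prefix is sent towards AS 64511; with the list applied to the peering session the announcement is dropped before selection and the transit path to AS 64500 remains best.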