To: dnsop@cafax.se
From: Bruce Campbell <bruce.campbell@ripe.net>
Date: Wed, 30 Oct 2002 19:21:57 +0100 (CET)
In-Reply-To: <200210301355.WAA26642@necom830.hpcl.titech.ac.jp>
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast

On Wed, 30 Oct 2002, Masataka Ohta wrote:

> Let's admit the fact that everyone in the world is
> allowed to grab a copy of a part of the root zone from 13 canonical place.

Yes.

> What is to prevent someone injecting a false route to a server
> pretending to be the canonical server, thus provisioning a bad copy of
> the part of the zone to those listening to the route?

Assuming that Operators aren't applying route prefix filters to their
(BGP) peering links, absolutely nothing.

The hypothetical attacker _will_ be able to introduce an apparent shorter
path to one, or more, of the roots, with the expected result that people
who use that new path as 'best' will send their traffic to that
particular root.

Unfortunately, although various people have been trying to convince
Operators to apply such basic protections to their BGP peering/transit/etc
links for several years, it will take a few demonstrations of the
effectiveness of this type of attack before Operators will 'Do the Right
Thing' and apply filters on their BGP sessions to prevent this type of
attack.

> With anycast root servers, people are free to use public key cryptography
> to download the root zone content with https from some canonical places
> provided by ICANN, IANA, ALTERNIC, Verisign or whatever, though it merely
> moves the risk around to root CAs, such as Verisign.

This secures the backchannel.  This does not stop the individual anycast
roots from being the subject of DoS attacks.  Given that we do not see a
definitive way to stop _all_ DoS attacks[1], we should focus on making
sure that the data retrieved is authoritative.  Hence, we're back to the
previous thread on this list, being a proposal to sign the root zone.

> 							Masataka Ohta

-- 
                             Bruce Campbell                            RIPE
                   Systems/Network Engineer                             NCC
                 www.ripe.net - PGP562C8B1B             Operations/Security

[1] Misconfigurations in widely-deployed client resolvers can be more
    detrimental to the root servers over time than intentional attacks, e.g.
    querying for the 'A' record of an IP address.
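The route injection and the prefix-filter defence described in the reply above, worked through as an added example (this is not code from the thread or from RIPE NCC). It models a router's inbound prefix-list with the usual "permit PREFIX le LEN" semantics and the best-path choice between two announcements of the same prefix, using the shorter AS path as the tie-breaker the reply talks about. All prefixes (RFC 5737 documentation space) and AS numbers (RFC 5398 documentation range) are constructed sample data; "ROOT_PREFIX" is a stand-in for a root server's prefix, not any real one.

```python
"""Inbound BGP prefix filtering vs. an injected 'shorter' route.

Added illustration for the discussion above; all data below is
constructed and uses documentation prefixes/ASNs only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    prefix: str               # e.g. "192.0.2.0/24"
    le: Optional[int] = None  # longest prefix length accepted under this rule


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]  # as_path[0] is the peer that announced it


def rule_matches(rule: Rule, announced: str) -> bool:
    """Router-style match: announced must sit inside rule.prefix, and its
    length must be between the rule's length and 'le' (exact match only
    when 'le' is absent).  This is what stops a peer from sneaking in a
    more-specific, which longest-match would prefer before AS path is even
    looked at."""
    net = ipaddress.ip_network(rule.prefix, strict=False)
    ann = ipaddress.ip_network(announced, strict=False)
    if ann.version != net.version or not ann.subnet_of(net):
        return False
    max_len = rule.le if rule.le is not None else net.prefixlen
    return net.prefixlen <= ann.prefixlen <= max_len


def permitted(rules: List[Rule], announced: str) -> bool:
    """First matching rule wins; no match is an implicit deny."""
    for rule in rules:
        if rule_matches(rule, announced):
            return rule.action == "permit"
    return False


def best_route(routes: List[Route],
               filters: Dict[int, List[Rule]],
               prefix: str) -> Optional[Route]:
    """Apply each peer's inbound filter, then pick the shortest AS path
    among what survives (a simplified best-path selection)."""
    candidates = [
        r for r in routes
        if r.prefix == prefix and permitted(filters.get(r.as_path[0], []), r.prefix)
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda r: len(r.as_path))


# --- constructed scenario (documentation prefixes and ASNs) ----------------
ROOT_PREFIX = "192.0.2.0/24"          # stand-in for a root server's prefix
ROUTES = [
    Route(ROOT_PREFIX, (64496, 64497)),   # legitimate path via peer 64496
    Route(ROOT_PREFIX, (64501,)),         # hijacker at peer 64501: shorter path
]

# "Operators aren't applying route prefix filters": accept anything.
ACCEPT_ANY = [Rule("permit", "0.0.0.0/0", le=32)]
UNFILTERED = {64496: ACCEPT_ANY, 64501: ACCEPT_ANY}

# Per-peer filters: each peer may only announce what it is known to hold.
FILTERED = {
    64496: [Rule("permit", ROOT_PREFIX)],          # peer 64496 hosts the root
    64501: [Rule("permit", "203.0.113.0/24")],     # peer 64501's own space only
}

if __name__ == "__main__":
    print("unfiltered:", best_route(ROUTES, UNFILTERED, ROOT_PREFIX))
    print("filtered:  ", best_route(ROUTES, FILTERED, ROOT_PREFIX))
```

Without filters the hijacker's one-hop announcement wins best-path selection and traffic for the root prefix goes to the impostor; with per-peer prefix lists the same announcement never enters the selection. The `le` bound matters as much as the prefix itself: a peer permitted `192.0.2.0/24` with no `le` cannot inject `192.0.2.0/25`, which longest-match would otherwise prefer regardless of AS path length.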
