11Chapter 8. Infrastructure Security
22==============================================
3- .. Brad notes
4- I really enjoyed the CCR paper with anonymous authors on collateral
5- damage of China’s censorship (IIRC, causing DNS lookup failures in
6- other countries).
7- That paper is not exactly current now, but it is a nice example of
8- how a state actor can deploy things that break infrastructure
9- outside its own state boundaries.
10- My gut feeling is that material on why stock DNS is vulnerable to
11- attack, what DNSSEC is, how it’s supposed to make things better,
12- and why it’s hard to deploy would definitely be useful.
13- And probably the same for BGP and the RPKI. Goldberg has a paper on
14- why it’s so hard to secure routing; I think it was in Queue.
15- I wonder if a synthesis of any sort is possible on this
16- topic. Certainly certificate chains and delegated signature authority
17- are at the core of both DNSSEC and the RPKI.
18- Perhaps there is a unifying theme of securing infrastructure with distributed domains of control.
19- In a way CAs fit this model, too.
203
214
225In the preceding chapters we have focused on the security of
@@ -713,47 +696,48 @@ effects in and beyond China.
713696 <https://dl.acm.org/doi/10.1145/2317307.2317311> `__. Computer
714697 Communications Review, July 2012.
715698
716- .. sidebar :: DNS Amplification Attacks
717-
718- *There is a class of denial-of-service (DoS) attack that leverages
719- the properties of DNS to attack other systems, rather than being an
720- attack on DNS itself. Recall that DNS is UDP-based. A name server
721- sends a response back to the IP address from which a query was
722- sent, and since there is no TCP connection to establish, it is
723- relatively easy to use a fake source address in a query. In this
724- case, the name server can be tricked into sending traffic to some
725- unsuspecting host. And it is not hard to see how this can be turned
726- into a * distributed *denial-of-service attack: many hosts (e.g., a
727- set of hosts in a botnet) can make coordinated requests to a set
728- of name servers, with all the requests using the same spoofed
729- source address. Not only does this lead to a lot of traffic heading
730- to the target address, but the name servers can be make to perform
731- a traffic * amplification *function, because the response to a DNS
732- query can be much larger than the query that triggered it. In
733- particular, the DNS query type "ANY" causes all records for a
734- domain to be returned, which can be a lot of data returned for a
735- simple query. The handling of such queries has recently been
736- clarified in an RFC to reduce the impact of ANY queries, but that
737- is not a complete solution to DNS amplification attacks. *
738-
739- *Three main steps can be taken to reduce these attacks. The first
740- is to avoid the deployment of "open" resolvers, i.e., resolvers
741- which will accept queries from anywhere. For example, the resolver
742- for an enterprise should be configured such that only clients
743- within that enterprise can send queries to it; it should not accept
744- queries from the broader Internet. *
745-
746- *The second step is source address validation. Source address
747- filtering is a tool that can be applied at the boundaries of
748- autonomous systems to reject traffic with spoofed source
749- addresses. It may not be 100% effective but it will reduce the
750- effectiveness of large scale attacks. *
751-
752- *Finally, there are ways to deal with DoS attacks such as the use
753- of content distribution networks and black-holing of DoS
754- traffic. We discuss these further in Chapter 9. *
755-
756- 8.2.1 DNS Security Extensions (DNSSEC)
699+ 8.2.1 DNS Amplification Attacks
700+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
701+
702+ There is a class of denial-of-service (DoS) attack that leverages the
703+ properties of DNS to attack other systems, rather than being an attack
704+ on DNS itself. Recall that DNS is UDP-based. A name server sends a
705+ response back to the IP address from which a query was sent, and since
706+ there is no TCP connection to establish, it is relatively easy to use
707+ a fake source address in a query. In this case, the name server can be
708+ tricked into sending traffic to some unsuspecting host. And it is not
709+ hard to see how this can be turned into a *distributed *
710+ denial-of-service attack: many hosts (e.g., a set of hosts in a
711+ botnet) can make coordinated requests to a set of name servers, with
712+ all the requests using the same spoofed source address. Not only does
713+ this lead to a lot of traffic heading to the target address, but the
714+ name servers can be make to perform a traffic *amplification *
715+ function, because the response to a DNS query can be much larger than
716+ the query that triggered it. In particular, the DNS query type "ANY"
717+ causes all records for a domain to be returned, which can be a lot of
718+ data returned for a simple query. The handling of such queries has
719+ recently been clarified in an RFC in a manner that should reduce the
720+ impact of ANY queries, but that is not a complete solution to DNS
721+ amplification attacks.
722+
723+ Three main steps can be taken to reduce these attacks. The first
724+ is to avoid the deployment of "open" resolvers, i.e., resolvers
725+ which will accept queries from anywhere. For example, the resolver
726+ for an enterprise should be configured such that only clients
727+ within that enterprise can send queries to it; it should not accept
728+ queries from the broader Internet.
729+
730+ The second step is source address validation. Source address
731+ filtering is a tool that can be applied at the boundaries of
732+ autonomous systems to reject traffic with spoofed source
733+ addresses. It may not be 100% effective but it will reduce the
734+ effectiveness of large scale attacks.
735+
736+ Finally, there are ways to deal with DoS attacks such as the use
737+ of content distribution networks and black-holing of DoS
738+ traffic. We discuss these further in Chapter 9.
739+
740+ 8.2.2 DNS Security Extensions (DNSSEC)
757741~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
758742
759743Since DNS queries in the original design are unauthenticated,
@@ -848,7 +832,26 @@ This is not to say that protecting DNS is unimportant,
848832however. Interference with DNS is still a vector for censorship and
849833surveillance of Internet usage. For this reason there are other
850834methods of protecting DNS that have started to gain traction more
851- recently.
835+ recently, as discussed in the next section.
836+
837+ A final note on DNSSEC is that, by making responses larger, it has the
838+ potential to worsen amplification attacks. The response to a request
839+ to a DNS server that implements DNSSEC contains both a signature and
840+ the key used to verify the signature. That's a significant increase in
841+ the number of bytes returned for a single query. The mitigation
842+ techniques outlined above—source address filtering and DoS
843+ prevention—can still be applied. Additionally, there is an advantage
844+ to using crytographic algorithms that use relatively short keys. For
845+ this reason the EDCSA algorithm may be preferred to RSA, since EDCSA
846+ keys are considerably shorter than RSA keys for comparable levels of
847+ security.
848+
849+ This small detail illustrates how much of security consists of making
850+ tradeoffs. While adding DNSSEC is a positive in terms of securing the
851+ DNS itself, it has contributed to the risk of DoS attacks leveraging
852+ DNS amplification. Adding security almost always imposes some costs—it
853+ is important to be aware of them and to ensure that the payoff for an
854+ additional mechanism justifies its costs.
852855
853856
854857.. _reading_dnstime :
@@ -859,7 +862,9 @@ recently.
859862 APNIC Blog, May 2024.
860863
861864
862- 8.2.2 Encrypted DNS (DoH, DoT, ODNS)
865+
866+
867+ 8.2.3 Encrypted DNS (DoH, DoT, ODNS)
863868~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
864869
865870
0 commit comments