There have been some ddos attacks on Dutch targets lately, widely covered in the media. While experts in the media try to claim that is very difficult to run and coordinate these attacks, the internet industry knows better than that. You can just pay a few dollars to a ‘stresstester’ and attack whoever you want with more than a few gigabits.
One of the methods used for these attacks is DNS Amplification. You send a request to a nameserver with the targets address as the sender and the answer goes to your target. This might create an amplification to up to 179 times. Why is that even possible? Thanks to the decision to run DNS (primarily and mainly) over UDP. UDP does not require you to actually setup a bilateral connection, like TCP does.
There are ‘solutions’ in place to limit the impact of this problem. BCP38 obviously is a good idea to implement but is, in my opinion, a workaround for the problem of running services on UDP.
What if we had an internet where nameservers communicated over TCP with each other, and clients are allowed to communicate over UDP.
So clients/endusers are allowed to use UDP to communicate with resolvers. The resolvers use TCP to communicate with authoritative nameservers. The ISP can filter/block/ratelimit traffic on his edge, because they can assume that legitimate DNS traffic uses TCP.
The arguments against this
There are probably many arguments against this proposition. A few I can think of:
- TCP is too slow.
- I need too many outbound (or inbound) connections for TCP.
- Not all servers support this.
Obviously, that would need fixing.
- I don’t want to block anything on the edge of my network.
- This breaks open resolver services.
You could always allow some services. But really, if your users are massively using open resolvers, shouldn’t you just improve your own resolvers?
There are a lot of servers that do not yet support DNS over TCP. Maybe because the software doesn’t understand it, or because the administrator doesn’t know DNS can use TCP as well.
Of course, there are many challenges on the way ahead. But for me there are two options for this proposal:
- This proposal is useless, makes no sense and is a bad idea.
- This makes sense. Let’s start this, and at least make people aware that there is a solution.
I’ve created a script to scan nameservers and see if they support TCP so we have some data about the current state of the internet. Dependent on the responses to this proposal, I’ll invest more time on this project.
Let me know what you think.