[ unthreaded to encourage discussion ]
> Nameservers could incorporate poison detection...
> Listen on 200 random fake ports (in addition to the true query ports);
> if a response ever arrives at a fake port, then it must be an attack,
> read the "identified" attack packet, log the attack event, mark the
> RRs mentioned in the packet as "poison being attempted" for 6 hours;
> for such domains always request and collect _two_ good responses
> (instead of one), with a 60 second timeout, before caching a lookup.
> The attacker must now guess nearly 64-bits in a short amount of time,
> to be successful. Once a good lookup is received, discard the normal
> TTL and hold the good answer cached and immutable, for 6 hours (_then_
> start decreasing the TTL normally).
Is there any reason which I'm too far down the food chain to see why
that's not a fantastic idea? Or at least, something inspired by it?
There's a ton of stuff that you can do, I talked a bit about this kind of
solution several days ago, see <200807241335.m6ODZpfo097197@aurora.sol.net>.
The problem is mainly that this is reactive, and primarily applicable to
this attack because it's a brute-force. The next attack might be more
elegant. Designing in this sort of "protection" is good AND bad, because
on one hand, you do mostly solve the problem, and that's good, but you
also encourage people to think of the problem as "fixed" or "my server
is not vulnerable," when the only real way to protect against the *next*
attack is to make sure that the data is valid, so that's DNSSEC.
There are actually more specifically useful things that you can do to
mitigate particular aspects of this attack, except that talking about
them will also point to some risks that I don't believe have been made
public, and I'm going to do my part to keep it that way, at least for a
The short form, though, is that if you sit there and try to manufacture
artificial protection against each new attack as it develops, you will
end up with this Rube Goldberg contraption to protect your nameserver
from various attacks, and who knows what will break it. View these as
very short-term fixes, rather than a correction of the underlying issue.
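To make the quoted scheme concrete, here is a small model of the resolver-side policy it describes (fake listening ports as tripwires, a six-hour "poison being attempted" mark on any name seen in a forged packet, two identical good answers within 60 seconds before caching such a name, and a six-hour immutable hold before the TTL runs). This is an added, illustrative example and not code from the thread or from any real resolver; it assumes transaction-ID matching has already happened before `on_response` is called, and the port numbers, hostnames and addresses in the usage section are constructed.

```python
from collections import defaultdict

SIX_HOURS = 6 * 3600      # how long a name stays "poison being attempted" / pinned
CONFIRM_WINDOW = 60       # both good responses must arrive within this many seconds


class PoisonAwareCache:
    """Toy model of the poison-detection policy from the quoted proposal.

    Illustrative only (added example, not from the original thread). A real
    resolver would also check the transaction ID and question section;
    here a response is identified purely by the UDP port it arrives on.
    """

    def __init__(self, true_ports, fake_ports):
        self.true_ports = set(true_ports)     # ports queries are really sent from
        self.fake_ports = set(fake_ports)     # decoy ports: nothing is ever sent from them
        self.suspect_until = {}               # name -> time the "poison attempted" mark expires
        self.pending = defaultdict(list)      # name -> [(rdata, arrival_time)] awaiting confirmation
        self.cache = {}                       # name -> (rdata, expires_at, immutable_until)
        self.log = []                         # attack events, as a real server would log them

    def is_suspect(self, name, now):
        return self.suspect_until.get(name, 0) > now

    def on_response(self, dst_port, name, rdata, ttl, now):
        # A response to a decoy port cannot be legitimate: no query left from it.
        if dst_port in self.fake_ports:
            self.log.append(f"t={now}: forged response on fake port {dst_port}: {name} -> {rdata}")
            self.suspect_until[name] = now + SIX_HOURS
            return "attack"
        if dst_port not in self.true_ports:
            return "dropped"

        # A confirmed answer is pinned: later responses cannot overwrite it.
        entry = self.cache.get(name)
        if entry is not None and entry[2] > now:
            return "ignored-immutable"

        # Names never seen in an attack are cached on a single answer, TTL as given.
        if not self.is_suspect(name, now):
            self.cache[name] = (rdata, now + ttl, 0)
            return "cached"

        # Suspect name: keep only answers inside the window and wait for two that agree.
        recent = [(r, t) for r, t in self.pending[name] if now - t <= CONFIRM_WINDOW]
        recent.append((rdata, now))
        self.pending[name] = recent
        if sum(1 for r, _ in recent if r == rdata) >= 2:
            self.pending[name] = []
            # Hold the confirmed answer immutable for six hours, then let the TTL run.
            self.cache[name] = (rdata, now + SIX_HOURS + ttl, now + SIX_HOURS)
            return "cached-confirmed"
        return "pending"

    def lookup(self, name, now):
        entry = self.cache.get(name)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]


if __name__ == "__main__":
    # Constructed scenario: one real port, two decoys, one forged and two real answers.
    c = PoisonAwareCache(true_ports=[40000], fake_ports=[40001, 40002])
    print(c.on_response(40001, "example.net", "192.0.2.66", 300, now=1000))    # attack
    print(c.on_response(40000, "example.net", "192.0.2.66", 300, now=1001))    # pending
    print(c.on_response(40000, "example.net", "198.51.100.7", 300, now=1002))  # pending
    print(c.on_response(40000, "example.net", "198.51.100.7", 300, now=1003))  # cached-confirmed
    print(c.lookup("example.net", now=1004))                                    # 198.51.100.7
    for line in c.log:
        print(line)
```

The model shows where the scheme's cost lands: a name that has been attacked once needs two agreeing answers inside the window before anything is cached, so a name whose authoritative servers are slow or flapping can stay unresolvable while the mark is in force, which is part of why the reply above calls this a short-term fix rather than a correction of the underlying issue.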