Presentation is loading. Please wait.

Presentation is loading. Please wait.

A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.

Published byRichard Lambert Modified over 8 years ago

Similar presentations

Presentation on theme: "A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether."— Presentation transcript:

1 A question of protocol Geoff Huston APNIC 36

2 Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether they arrive whole or in fragments). It is recommended that hosts only send datagrams larger than 576 octets if they have assurance that the destination is prepared to accept the larger datagrams.” For:  20 bytes of IP header,  <= 40 bytes of IP options and  8 bytes of UDP header, that leaves a maximum of 512 bytes in a packet that will be accepted by any IP host.

3 Then RFC1123:... it is also clear that some new DNS record types defined in the future will contain information exceeding the 512 byte limit that applies to UDP, and hence will require TCP. Thus, resolvers and name servers should implement TCP services as a backup to UDP today, with the knowledge that they will require the TCP service in the future.

4 The original DNS model If the reply is <= 512 bytes, send a response over UDP If the reply is > 512 bytes, send a response over UDP, but set the TRUNCATED bit – Which should trigger a re-query using TCP

5 EDNS0 RFC2671: 4.5. The sender's UDP payload size (which OPT stores in the RR CLASS field) is the number of octets of the largest UDP payload that can be reassembled and delivered in the sender's network stack. Note that path MTU, with or without fragmentation, may be smaller than this. The sender can say to the resolver: “Its ok to send me DNS responses using UDP up to size. I can handle it.” So we started using DNS over UDP for larger queries, and stopped performing failback to TCP so readily. Commonly, we see a 4096 packet reassembly buffer being announced in EDNS0 queries.

6 Which leads to…

7 DNS Attacks Send a small query in UDP to a DNS resolver Set EDNS0 to a large value Use the IP address of the intended victim as the source address Use a query that generates a large response in UDP ISC.ORG IN ANY, for example 10x – 100x gain Mix and repeat with a combination of a bot army and the published set of open recursive resolvers

8 Possible Mitigation…? 1) Get everyone to use BCP38 2) Use a smaller EDNS0 max size So lets look at 2): This would then force the query into TCP And the TCP handshake does not admit source address spoofing

9 Could this work? How many customers use DNS resolvers that support TCP? – Lets find out… Nurgle a DNS server with the EDNS0 max size set to 275 Set up an ad with a short ( 275) DNS name response And see who can resolve the short and fails on the long

10 Numbers Clients Experiments: 2,033,535 Truncated UDP Responses: 2,032,176 TCP Queries: 1,978,396 Drop Off: 53,780 That’s 2.6%

11 Numbers, Numbers Resolvers Total Seen: 80,505 UDP only: 13,483 17% of resolvers cannot ask a query in TCP following receipt of a truncated UDP response 6.4% of clients uses these resolvers 3.8% of them failover to use a resolver that can ask a TCP query 2.6% do not

12 If we really want to use DNS over TCP Then maybe its port 53 that’s the problem for these 17% of resolvers Why not go all the way? How about DNS over XML over HTTP over port 80 over TCP?

Download ppt "A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether."

Similar presentations

Discussion Monday (11-3-2014). ver length 32 bits data (variable length, typically a TCP or UDP segment) 16-bit identifier header checksum time to live.

Discussion Monday ( ). ver length 32 bits data (variable length, typically a TCP or UDP segment) 16-bit identifier header checksum time to live.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.

IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
DNS, DNSSEC and DDOS Geoff Huston APNIC February 2014.

DNS, DNSSEC and DDOS Geoff Huston APNIC February 2014.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:

A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:
Network Layer Packet Forwarding IS250 Spring 2010

Network Layer Packet Forwarding IS250 Spring 2010
1 Computer Networks IP: The Internet Protocol. 2 IP is a connection-less, unreliable network layer protocol IP provides best effort services in the sense.

1 Computer Networks IP: The Internet Protocol. 2 IP is a connection-less, unreliable network layer protocol IP provides best effort services in the sense.
Introduction to Transport Layer. Transport Layer: Motivation A B R1 R2 r Recall that NL is responsible for forwarding a packet from one HOST to another.

Introduction to Transport Layer. Transport Layer: Motivation A B R1 R2 r Recall that NL is responsible for forwarding a packet from one HOST to another.
11- IP Network Layer4-1. Network Layer4-2 The Internet Network layer forwarding table Host, router network layer functions: Routing protocols path selection.

11- IP Network Layer4-1. Network Layer4-2 The Internet Network layer forwarding table Host, router network layer functions: Routing protocols path selection.
CSEE W4140 Networking Laboratory Lecture 6: TCP and UDP Jong Yul Kim 03.01.2010.

CSEE W4140 Networking Laboratory Lecture 6: TCP and UDP Jong Yul Kim
Internet Networking Spring 2003

Internet Networking Spring 2003
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
TCP/IP Basics A review for firewall configuration.

TCP/IP Basics A review for firewall configuration.
1 Internet Control Message Protocol (ICMP) RIZWAN REHMAN CCS, DU.

1 Internet Control Message Protocol (ICMP) RIZWAN REHMAN CCS, DU.
Module A Panko and Panko Business Data Networks and Security, 9 th Edition © 2013 Pearson.

Module A Panko and Panko Business Data Networks and Security, 9 th Edition © 2013 Pearson.
ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh 90-91 spring.

ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh spring.
© Janice Regan, CMPT 128, 2007-2012 0 CMPT 371 Data Communications and Networking Network Layer ICMP and fragmentation.

© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking Network Layer ICMP and fragmentation.
University of Calgary – CPSC 441.  UDP stands for User Datagram Protocol.  A protocol for the Transport Layer in the protocol Stack.  Alternative to.

University of Calgary – CPSC 441.  UDP stands for User Datagram Protocol.  A protocol for the Transport Layer in the protocol Stack.  Alternative to.

Similar presentations

Ads by Google