A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.

Slides:



Advertisements
Similar presentations
Discussion Monday ( ). ver length 32 bits data (variable length, typically a TCP or UDP segment) 16-bit identifier header checksum time to live.
Advertisements

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.
Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
DNS, DNSSEC and DDOS Geoff Huston APNIC February 2014.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:
Network Layer Packet Forwarding IS250 Spring 2010
1 Computer Networks IP: The Internet Protocol. 2 IP is a connection-less, unreliable network layer protocol IP provides best effort services in the sense.
Introduction to Transport Layer. Transport Layer: Motivation A B R1 R2 r Recall that NL is responsible for forwarding a packet from one HOST to another.
11- IP Network Layer4-1. Network Layer4-2 The Internet Network layer forwarding table Host, router network layer functions: Routing protocols path selection.
CSEE W4140 Networking Laboratory Lecture 6: TCP and UDP Jong Yul Kim
Internet Networking Spring 2003
WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
TCP/IP Basics A review for firewall configuration.
1 Internet Control Message Protocol (ICMP) RIZWAN REHMAN CCS, DU.
Module A Panko and Panko Business Data Networks and Security, 9 th Edition © 2013 Pearson.
ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh spring.
© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking Network Layer ICMP and fragmentation.
University of Calgary – CPSC 441.  UDP stands for User Datagram Protocol.  A protocol for the Transport Layer in the protocol Stack.  Alternative to.
Geoff Huston APNIC Labs
1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
TCP/IP Networking Review Covered Subjects:  Packet Switched Network Structure  Issues of PSNs  Ports & IP Numbers  Delivery Services  Domain Name.
TCP/IP Essentials A Lab-Based Approach Shivendra Panwar, Shiwen Mao Jeong-dong Ryoo, and Yihan Li Chapter 5 UDP and Its Applications.
Fall 2005Computer Networks20-1 Chapter 20. Network Layer Protocols: ARP, IPv4, ICMPv4, IPv6, and ICMPv ARP 20.2 IP 20.3 ICMP 20.4 IPv6.
Transport Layer: TCP and UDP. Overview of TCP/IP protocols Comparing TCP and UDP TCP connection: establishment, data transfer, and termination Allocation.
© Jörg Liebeherr (modified by M. Veeraraghavan) 1 ICMP: A helper protocol to IP The Internet Control Message Protocol (ICMP) is the protocol used for error.
More on TCP Acknowledgements Sequence Number Field Initial Sequence Number Acknowledgement Number Field.
Transport Layer Moving Segments. Transport Layer Protocols Provide a logical communication link between processes running on different hosts as if directly.
Dr. John P. Abraham Professor UTPA
1 Internet Control Message Protocol (ICMP) Used to send error and control messages. It is a necessary part of the TCP/IP suite. It is above the IP module.
Transport Layer3-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.
1 Chapter 23 Internetworking Part 3 (Control Messages, Error Handling, ICMP)
Institute of Technology Sligo - Dept of Computing Chapter 12 The Transport Layer.
ICMPv6 Error Message Types Informational Message Types.
1 Figure 3-13: Internet Protocol (IP) IP Addresses and Security  IP address spoofing: Sending a message with a false IP address (Figure 3-17)  Gives.
THE CLASSIC INTERNET PROTOCOL (RFC 791) Dr. Rocky K. C. Chang 20 September
What if Everyone Did It? Geoff Huston APNIC Labs.
Data Communications and Computer Networks Chapter 4 CS 3830 Lecture 19 Omar Meqdadi Department of Computer Science and Software Engineering University.
© Jörg Liebeherr (modified by M. Veeraraghavan) 1 ICMP The PING Tool Traceroute program IGMP.
UDP : User Datagram Protocol 백 일 우
COMPUTER NETWORKS CS610 Lecture-30 Hammad Khalid Khan.
Network Layer Protocols COMP 3270 Computer Networks Computing Science Thompson Rivers University.
IP Fragmentation. Network layer transport segment from sending to receiving host on sending side encapsulates segments into datagrams on rcving side,
Fragmentation Geoff Huston APNIC Labs. Before Packets… Digitised telephone networks switched time – Each active network transaction was a 56K constant.
Internet Control Message Protocol (ICMP)
Large (UDP) Packets in IPv6
IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
Error and Control Messages in the Internet Protocol
7 Network Layer Part IV Computer Networks Tutun Juhana
Joao Damas, Geoff Labs March 2018
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
IP - The Internet Protocol
Internet Control Message Protocol (ICMP)
Dr. John P. Abraham Professor UTPA
Internet Control Message Protocol (ICMP)
Dr. John P. Abraham Professor UTRGV, EDINBURG, TX
Dr. John P. Abraham Professor UTPA
TRANSMISSION CONTROL PROTOCOL
Chapter 20. Network Layer: IP
IP - The Internet Protocol
46 to 1500 bytes TYPE CODE CHECKSUM IDENTIFIER SEQUENCE NUMBER OPTIONAL DATA ICMP Echo message.
ITIS 6167/8167: Network and Information Security
IP - The Internet Protocol
32 bit destination IP address
Presentation transcript:

A question of protocol Geoff Huston APNIC 36

Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether they arrive whole or in fragments). It is recommended that hosts only send datagrams larger than 576 octets if they have assurance that the destination is prepared to accept the larger datagrams.” For:  20 bytes of IP header,  <= 40 bytes of IP options and  8 bytes of UDP header, that leaves a maximum of 512 bytes in a packet that will be accepted by any IP host.

Then RFC1123:... it is also clear that some new DNS record types defined in the future will contain information exceeding the 512 byte limit that applies to UDP, and hence will require TCP. Thus, resolvers and name servers should implement TCP services as a backup to UDP today, with the knowledge that they will require the TCP service in the future.

The original DNS model If the reply is <= 512 bytes, send a response over UDP If the reply is > 512 bytes, send a response over UDP, but set the TRUNCATED bit – Which should trigger a re-query using TCP

EDNS0 RFC2671: 4.5. The sender's UDP payload size (which OPT stores in the RR CLASS field) is the number of octets of the largest UDP payload that can be reassembled and delivered in the sender's network stack. Note that path MTU, with or without fragmentation, may be smaller than this. The sender can say to the resolver: “Its ok to send me DNS responses using UDP up to size. I can handle it.” So we started using DNS over UDP for larger queries, and stopped performing failback to TCP so readily. Commonly, we see a 4096 packet reassembly buffer being announced in EDNS0 queries.

Which leads to…

DNS Attacks Send a small query in UDP to a DNS resolver Set EDNS0 to a large value Use the IP address of the intended victim as the source address Use a query that generates a large response in UDP ISC.ORG IN ANY, for example 10x – 100x gain Mix and repeat with a combination of a bot army and the published set of open recursive resolvers

Possible Mitigation…? 1) Get everyone to use BCP38 2) Use a smaller EDNS0 max size So lets look at 2): This would then force the query into TCP And the TCP handshake does not admit source address spoofing

Could this work? How many customers use DNS resolvers that support TCP? – Lets find out… Nurgle a DNS server with the EDNS0 max size set to 275 Set up an ad with a short ( 275) DNS name response And see who can resolve the short and fails on the long

Numbers Clients Experiments: 2,033,535 Truncated UDP Responses: 2,032,176 TCP Queries: 1,978,396 Drop Off: 53,780 That’s 2.6%

Numbers, Numbers Resolvers Total Seen: 80,505 UDP only: 13,483 17% of resolvers cannot ask a query in TCP following receipt of a truncated UDP response 6.4% of clients uses these resolvers 3.8% of them failover to use a resolver that can ask a TCP query 2.6% do not

If we really want to use DNS over TCP Then maybe its port 53 that’s the problem for these 17% of resolvers Why not go all the way? How about DNS over XML over HTTP over port 80 over TCP?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.