Re: [Doh] Tsvart last call review of draft-ietf-doh-dns-over-https-13

> On 12 Aug 2018, at 9:35 am, Star Brilliant <m13253@xxxxxxxxxxx> wrote:
> 
> Hello Fernando and the maillist,
> 
> I just found that I forgot to address one question in my previous mail. Here is the addition.
> 
> On Sat, Aug 11, 2018 at 6:00 PM Fernando Gont <fgont@xxxxxxxxxxxxxxx> wrote:
>> * Page 15 (Security Considerations):
>> 
>> DoH essentially switches from a connection-less transport (UDP) to a
>> connection-oriented one (TCP). This means that now the server should take care
>> of all state-exhaustion attacks against TCP (e.g., take a look at:
>> https://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf). Defending
>> against such attacks may be non-trivial. This should at least be mentioned in
>> the security considerations.
> 
> 
> In contrast, by switching from UDP to TCP, the server is now able to defend against attacks more *easily*.
> 
> 1) TCP requires a 3-way handshake before establishing the connection. This prevents simple DoS attacks with a spoofed source address, since the attacker will not receive the 2nd packet.

Which also exists for DNS over UDP using DNS COOKIE.

> 2) In the past, the server started to allocate resources upon receiving the first SYN packet, making it vulnerable to SYN Flood attack. Now we use SYN Cookies [RFC 4987], so the server does not allocate resources until the 3-way handshake has finished, to mitigate the attack as long as the server's Internet pipe is not full.

DNS COOKIE doesn’t have any server state.

> 3) UDP is vulnerable to UDP Amplification attacks, that is, sending a very small request that requires kilobytes of response. Combined with a spoofed source address (1), the attacker can make request and response packets bounce between 2 servers, producing a 2^n amount of junk traffic and preventing the server from operating. Typical amplification victims include DNS and NTP, and they are all UDP.

Not with DNS COOKIE.

> 4) Nowadays, the majority of DDoS attacks send TB/s or PB/s of arbitrary garbage to fill the server's 100Mbps Internet pipe and take your server offline. Generally you need a powerful hardware firewall to wash out the garbage, and as many BGP peers with other ISPs as possible so legitimate users can reach your server directly through a clean pipe. For this type of attack, UDP and TCP have no difference.
> 
> 5) We already have many articles talking about TCP/IP security [RFC 4953, 4987, 5961, 6528, etc.]. I disagree that we need to talk about everything from TCP to IP to Ethernet in this DoH document.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@xxxxxxx
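The stateless DNS COOKIE check Mark points to above (RFC 7873, with the interoperable server-cookie layout of RFC 9018), as an added example that is not part of this thread: the server keeps only a secret and recomputes a keyed tag over the client cookie, timestamp and source IP, so a client behind a spoofed source address never obtains a cookie it can present. RFC 9018 specifies SipHash-2-4 for the tag; this example substitutes HMAC-SHA256 truncated to 8 bytes, and the secret, client cookie and addresses are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct
import time

# Server cookie layout from RFC 9018: Version(1)=1 | Reserved(3)=0 | Timestamp(4) | Hash(8).
# RFC 9018 computes the hash with SipHash-2-4; this example substitutes HMAC-SHA256
# truncated to 8 bytes so it runs on the Python standard library alone.
COOKIE_VERSION = 1
MAX_AGE = 3600      # accept cookies up to one hour old (RFC 9018 guidance)
MAX_FUTURE = 300    # tolerate clocks up to five minutes ahead of the server

def _tag(secret: bytes, client_cookie: bytes, prefix: bytes, client_ip: str) -> bytes:
    # The tag binds the client's cookie, the timestamp and the source IP to our secret.
    ip = ipaddress.ip_address(client_ip).packed
    return hmac.new(secret, client_cookie + prefix + ip, hashlib.sha256).digest()[:8]

def make_server_cookie(secret: bytes, client_cookie: bytes, client_ip: str, now=None) -> bytes:
    """Mint a 16-byte server cookie. The only thing kept server-side is `secret`."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be 8 bytes")
    ts = int(time.time() if now is None else now)
    prefix = struct.pack("!B3xI", COOKIE_VERSION, ts)   # version, reserved, timestamp
    return prefix + _tag(secret, client_cookie, prefix, client_ip)

def verify_server_cookie(secret: bytes, client_cookie: bytes, client_ip: str,
                         server_cookie: bytes, now=None) -> bool:
    """True if we minted this cookie for this client cookie and source IP and it is fresh.
    No table lookup: recomputing the tag from the secret is the whole check."""
    if len(server_cookie) != 16 or server_cookie[0] != COOKIE_VERSION:
        return False
    prefix, tag = server_cookie[:8], server_cookie[8:]
    ts = struct.unpack("!B3xI", prefix)[1]
    now = int(time.time() if now is None else now)
    if ts > now + MAX_FUTURE or now - ts > MAX_AGE:
        return False
    return hmac.compare_digest(tag, _tag(secret, client_cookie, prefix, client_ip))

if __name__ == "__main__":
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed demo secret
    cc = bytes(range(8))                                        # constructed client cookie
    sc = make_server_cookie(secret, cc, "192.0.2.10", now=1_700_000_000)
    print("server cookie:", sc.hex())
    print("same client, 100 s later:", verify_server_cookie(secret, cc, "192.0.2.10", sc, now=1_700_000_100))
    # A cookie minted for one source IP does not verify when presented from another.
    print("different source:", verify_server_cookie(secret, cc, "198.51.100.7", sc, now=1_700_000_100))
```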