26–27 Oct 2024
Europe/Prague timezone

Systemization of DNS Self-Amplification

26 Oct 2024, 11:55
10m
In-person Panel Main Session Session 2

Speaker

Huayi Duan (ETH Zurich)

Description

Recent years have witnessed the discovery of a flurry of DoS vectors that can amplify a typically short name resolution process, e.g., with a single client request tricking recursive resolvers into generating hundreds or more queries. They enable an attacker to overwhelm a victim DNS server with substantially fewer requests than direct DDoS or Pseudo-random Subdomain attacks. We call this emerging family of vulnerabilities and the resulting attacks "self-amplification", to distinguish them from conventional reflective amplification attacks. The possibility of such vulnerabilities was predicted long ago by the designers of DNS, but their surprising complexity and full potential have only recently become prominent.

In this talk, I'll present a taxonomy of these vulnerabilities, explain how individual vectors can be systematically composed to produce multiplicative amplification effects, and demonstrate practical attacks against different types of targets. On the defensive side, I'll identify these vulnerabilities' origins in DNS protocols, propose countermeasures across different levels, and discuss amendments to the relevant RFCs that help developers and operators to understand and mitigate self-amplification vulnerabilities in fundamental ways.

Talk duration: 10 minutes (+ discussion panel time)

Primary author

Huayi Duan (ETH Zurich)
