IETF opens RFC 7873 proposal for public debate

Jun 10, 2016 15:55 GMT

A proposal submitted to the Internet Engineering Task Force (IETF) details Domain Name System (DNS) Cookies, an extra security layer to the DNS protocol.

The security measures included in the RFC 7873 proposal describe a system named DNS Cookies, which are 64-bit keys generated on the client side and used on the server side to authenticate DNS requests. DNS Cookies should not be confused with browser cookies.

Servers will be able to verify a client's origin based on a 64-bit key that is computed from the client's IP address, the DNS server's IP address, and a client secret.

DNS Cookies make DDoS attacks highly impractical

According to Donald Eastlake of Huawei and Mark Andrews of ISC, deploying DNS Cookies will make it harder for attackers to spoof DNS requests because they'll have to supply a correctly calculated 64-bit key.

Spoofing DNS origin requests is the technique on which cyber-criminals rely when launching DoS and DDoS attacks using the DNS protocol.

By increasing the resources needed to launch such attacks, security researchers hope to make these attacks impractical for attackers.

DNS protocol is very popular with DDoS stressers

DNS has been a popular protocol for launching DDoS attacks, and more precisely, reflection DDoS attacks. In the first three months of the year, according to Akamai, DNS has been the second most popular protocol used for reflection DDoS attacks after NTP.

By using technical flaws in the DNS protocol itself, an attacker can blast a server with malformed DNS requests whose source address is spoofed to the victim's IP address instead of the attacker's.

The DNS server not only sends the DNS response to the victim's spoofed IP address but, because of the above-mentioned technical flaws, sends it many times over, amplifying the attack; hence the name "reflection DDoS."

DNS Cookies will allow a server to detect the authenticity of incoming DNS requests and drop all packets that don't have a proper 64-bit key.
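The client-side key described above and the server-side check described here, as an added example (not code from the RFC authors or any DNS implementation): the client cookie is a keyed function of client IP, server IP and client secret (HMAC-SHA256 truncated to 64 bits, the construction RFC 7873's appendix suggests); the server cookie construction, the secrets and the addresses are assumptions made for this illustration. The EDNS(0) option code 10 is the real COOKIE code.

```python
import hashlib
import hmac
import ipaddress
import struct

COOKIE_OPTION_CODE = 10  # EDNS(0) option code assigned to COOKIE by RFC 7873


def client_cookie(client_ip: str, server_ip: str, client_secret: bytes) -> bytes:
    """64-bit client cookie: keyed pseudorandom function of client IP, server IP
    and the client's secret (HMAC-SHA256-64, as in RFC 7873 Appendix A)."""
    msg = ipaddress.ip_address(client_ip).packed + ipaddress.ip_address(server_ip).packed
    return hmac.new(client_secret, msg, hashlib.sha256).digest()[:8]


def server_cookie(ccookie: bytes, client_ip: str, server_secret: bytes) -> bytes:
    """Server cookie bound to the client cookie and the request's source address
    (assumed construction; RFC 7873 lets servers choose, 8 to 32 bytes).
    Nothing per-client is stored: the server only keeps its own secret."""
    msg = ccookie + ipaddress.ip_address(client_ip).packed
    return hmac.new(server_secret, msg, hashlib.sha256).digest()[:8]


def encode_cookie_option(ccookie: bytes, scookie: bytes = b"") -> bytes:
    """Wire form of the EDNS(0) COOKIE option: OPTION-CODE, OPTION-LENGTH, data."""
    data = ccookie + scookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def decode_cookie_option(option: bytes):
    """Split a COOKIE option into (client cookie, server cookie or b'')."""
    code, length = struct.unpack("!HH", option[:4])
    data = option[4:4 + length]
    if code != COOKIE_OPTION_CODE or len(data) != length or len(data) < 8:
        raise ValueError("malformed COOKIE option")
    return data[:8], data[8:]


def server_accepts(option: bytes, source_ip: str, server_secret: bytes) -> bool:
    """Server-side check: the presented server cookie must equal the one this
    server would mint for this client cookie and this packet's source address.
    A request whose source address is spoofed carries a cookie minted for a
    different address, so it fails and can be dropped."""
    ccookie, scookie = decode_cookie_option(option)
    expected = server_cookie(ccookie, source_ip, server_secret)
    return len(scookie) > 0 and hmac.compare_digest(scookie, expected)
```

A first request carries only the client cookie; the server answers with a server cookie, and later requests that present it from the same source address verify, while the same option arriving from another source address does not.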

DNS Cookies are also efficient against DoS and cache poisoning attacks

RFC 7873 will also help protect servers against simple DoS attacks. These are cases where an attacker sends a massive number of DNS requests to the server in order to make it use all of its resources.

Attackers usually spoof the source of their malicious DNS requests with multiple IP addresses in order to avoid getting the real source of their attack (their own IP) blacklisted. DNS Cookies, once again, make it easier to reject all spoofed traffic.

Additionally, DNS cache poisoning can also be thwarted by DNS cookies, Eastlake and Andrews claim.

DNS Cookies are easier to implement compared to existing DNS security systems

The two also say that existing DNS security systems such as DNSSEC and DNS Message/Transaction Security "do not provide the services provided by the DNS Cookie mechanism: lightweight message authentication of DNS requests and responses with no requirement for pre-configuration or per-client server-side state."

Both DNSSEC and DNS Message/Transaction Security (TSIG) are notoriously difficult to set up, especially TSIG, which needs pre-agreement and key distribution between client and server, keeps track of server-side key state, and requires time synchronization between client and server.

The RFC (Request for Comments) 7873 proposal is currently under public debate, and the IETF awaits everyone's input before making it an official spec.