> It won't be too long before some Registry coddles up a nameserver that
> detects nsec/other-based enumeration query trends, and starts dynamically
> inserting bogus records to lead the attacker through a twisted trail of
> normally-non-existent domains (a la web page scripts that provide lots of
> bogus email addresses to fill a scraper's database with crap).


Indeed. Chain walking should involve detectably different access
patterns from normal DNS operation.

Filesystems have done this sort of access pattern detection for years;
the difference here is that filesystems usually want to deliver
*improved* QoS for sequential access :-)

Outline of an algorithm:

With only one replica of a zone, it's easy -- if you hit a "green"
name, the next name gets painted "yellow"; if you hit a "yellow"
name, the reply spends some time in a penalty box and the next name
gets painted "red"; if you hit a "red" name, the server gets creative;
colors decay back to green over time.

To generalize to multiple replicas, paint multiple subsequent names
rather than just one; with a large enough window, with queries spread
across N replicas, at least one replica must see an in-window value
and the sequential-access detector will fire, derailing the scan on
that server.

Sensitivity to attack rate and false-positive rate can be adjusted by
tweaking the window size, the color count and the decay timer.

Popular names can be locked green permanently -- the walk-detector
will fire quickly enough once you get into dustier parts of the zone.

- Bill
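The colour-painting detector outlined in the message above, as an added Python simulation that is not part of Bill's mail or of any real nameserver: the zone, the WalkDetector class and the simulate_* helpers are constructed here, and sorted owner names stand in for NSEC canonical order. It shows a single-replica walk escalating green/yellow/red, a round-robin walk over N replicas slipping past a window of 1 but being caught by a window of N, and scattered ordinary lookups staying green.

```python
import bisect

GREEN, YELLOW, RED = 0, 1, 2
VERDICT = ("normal", "penalty", "creative")

class WalkDetector:
    """Colour-painting walk detector for one server (hypothetical sketch).
    Sorted owner names stand in for NSEC canonical order; a painted name
    decays back to GREEN after `decay` seconds. Hitting a name escalates
    the next `window` names by one shade (GREEN hit -> YELLOW, YELLOW -> RED)."""

    def __init__(self, zone, window=1, decay=60.0, pinned=()):
        self.names = sorted(zone)
        self.window = window
        self.decay = decay
        self.pinned = set(pinned)   # popular names locked GREEN permanently
        self.paint = {}             # name -> (colour, expiry time)

    def colour(self, name, now):
        c, expiry = self.paint.get(name, (GREEN, 0.0))
        return c if expiry > now else GREEN

    def query(self, name, now):
        """Verdict for a query on `name` at time `now` (seconds)."""
        if name in self.pinned:
            return VERDICT[GREEN]
        hit = self.colour(name, now)
        # bisect also handles a non-existent name: it yields the next existing
        # names in order, which is what an NSEC reply would reveal anyway
        start = bisect.bisect_right(self.names, name)
        for nxt in self.names[start:start + self.window]:
            if nxt not in self.pinned:
                shade = max(self.colour(nxt, now), min(hit + 1, RED))
                self.paint[nxt] = (shade, now + self.decay)
        return VERDICT[hit]

def simulate_walk(zone, replicas=1, window=1, pinned=()):
    """Walk the zone in order, one query per second, spread round-robin
    over `replicas` independent servers (constructed scenario)."""
    servers = [WalkDetector(zone, window, pinned=pinned) for _ in range(replicas)]
    return [servers[i % replicas].query(n, now=float(i))
            for i, n in enumerate(sorted(zone))]

def simulate_lookups(zone, queries, window=1):
    """Ordinary lookups of scattered names against a single server."""
    server = WalkDetector(zone, window)
    return [server.query(q, now=float(i)) for i, q in enumerate(queries)]

# Constructed 26-name zone standing in for a real signed zone.
ZONE = ["%s.example." % chr(c) for c in range(ord("a"), ord("z") + 1)]
```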
