Giter Club home page Giter Club logo

rrl's Introduction

rrl

Name

rrl - provides BIND-like Response Rate Limiting to help mitigate DNS amplification attacks. rrl also allows request rate limiting.

Description

The rrl plugin tracks response rates per category of response. The category of a given response consists of the following:

  • Prefix of the client IP (per the ipv4/6-prefix-length)
  • Requested name (qname) excluding response type of error (see response type below)
  • Requested type (qtype) excluding response type of error (see response type below)
  • Response type (each corresponding to the configurable per-second allowances)
    • response - for positive responses that contain answers
    • nodata - for NODATA responses
    • nxdomain - for NXDOMAIN responses
    • referrals - for referrals or delegations
    • error - for all DNS errors (except NXDOMAIN)

To better protect against attacks using invalid requests, requested name and type are not categorized separately for error type requests. In other words, all error responses are limited collectively per client, regardless of qname or qtype.

Each category has an account balance which is credited at a rate of the configured per-second allowance for that response type, and debited each time a response in that category would be sent to a client. When an account balance is negative, responses in the category are dropped until the balance goes non-negative. Account balances cannot be more positive than per-second allowance, and cannot be more negative than window * per-second allowance.

The response rate limiting implementation intends to replicate the behavior of BIND 9's response rate limiting feature.

When limiting requests, the category of each request is determined by the prefix of the client IP (per the ipv4/6-prefix-length).

Syntax

rrl [ZONES...] {
    window SECONDS
    ipv4-prefix-length LENGTH
    ipv6-prefix-length LENGTH
    responses-per-second ALLOWANCE
    nodata-per-second ALLOWANCE
    nxdomains-per-second ALLOWANCE
    referrals-per-second ALLOWANCE
    errors-per-second ALLOWANCE
    slip-ratio N
    requests-per-second ALLOWANCE
    max-table-size SIZE
    report-only
}

  • window SECONDS - the rolling window in SECONDS during which response rates are tracked. Default 15.

  • ipv4-prefix-length LENGTH - the prefix LENGTH in bits to use for identifying a ipv4 client. Default 24.

  • ipv6-prefix-length LENGTH - the prefix LENGTH in bits to use for identifying a ipv6 client. Default 56.

  • responses-per-second ALLOWANCE - the number of positive responses allowed per second. An ALLOWANCE of 0 disables rate limiting of positive responses. Default 0.

  • nodata-per-second ALLOWANCE - the number of NODATA responses allowed per second. An ALLOWANCE of 0 disables rate limiting of NODATA responses. Defaults to responses-per-second.

  • nxdomains-per-second ALLOWANCE - the number of NXDOMAIN responses allowed per second. An ALLOWANCE of 0 disables rate limiting of NXDOMAIN responses. Defaults to responses-per-second.

  • referrals-per-second ALLOWANCE - the number of referral responses allowed per second. An ALLOWANCE of 0 disables rate limiting of referral responses. Defaults to responses-per-second.

  • errors-per-second ALLOWANCE - the number of error responses allowed per second (excluding NXDOMAIN). An ALLOWANCE of 0 disables rate limiting of error responses. Defaults to responses-per-second.

  • slip-ratio N - Let every Nth dropped response slip through truncated. Responses that slip through are marked truncated and have all sections emptied before being relayed. A client receiving a truncated response will retry using TCP, which is not subject to response rate limiting. This provides a way for clients making legitimate requests to get an answer while their IP prefix is being blocked by response rate limiting. For N = 1 slip every dropped response through; N = 4 slip every 4th dropped response through; etc. The default is N = 0, don't slip any responses through.

  • requests-per-second ALLOWANCE - the number of requests allowed per second. An ALLOWANCE of 0 disables rate limiting of requests. Default 0.

  • max-table-size SIZE - the maximum number of responses to be tracked at one time. When exceeded, rrl stops rate limiting new responses. Defaults to 100000.

  • report-only - Do not drop requests/responses when rates are exceeded, only log metrics. Defaults to false.

Mitigate Wildcard Flooding with the metadata Plugin

An attacker can evade rrl rate limits when launching a reflection attack if they know of the existence of a wildcard record. In a nutshell, the attacker can spread the reflection attack across an unlimited number of unique query names synthesized by a wildcard keeping the rate of responses for each individual name under limits. To protect against this, enable the metadata plugin. When the metadata plugin is enabled, rrl will account for all responses synthesized by known wildcards under the parent domain of the wildcard. e.g. Both a.example.org. and a.example.org. would be accounted for as example.org., if they are synthesized from the wildcard record *.example.org. This approach follows BIND9's solution to the same problem.

Important:

  • The metadata plugin MUST be enabled for this to work.
  • CoreDNS MUST be >= TBD. Plugins in CoreDNS do not produce the required metadata until this version.
  • This cannot protect against attacks leveraging wildcard records hosted by upstream nameservers.
  • External plugins that can synthesize wildcard responses must be updated produce the metadata zone/wildcard in order to protect against flooding with wildcards it serves.
  • Some plugins such as rewrite and template can emulate wildcard-like behavior in such a way that they can be leveraged in the same way by an attacker to launch an undetected reflection attack. This is possible if the plugin produces a positive answer for an unbounded set of questions. rewrite and template do not produce the metadata required to mitigate wildcard flooding.

Metrics

If monitoring is enabled (via the prometheus plugin) then the following metrics are exported:

  • coredns_rrl_responses_exceeded_total{client_ip} - Counter of responses exceeding QPS limit.
  • coredns_rrl_requests_exceeded_total{client_ip} - Counter of requests exceeding QPS limit.

External Plugin

RRL is an external plugin, which means it is not included in CoreDNS releases. To use rrl, you'll need to build a CoreDNS image with rrl included (near the top of the plugin list). In a nutshell you'll need to:

  • Clone https://github.com/coredns/coredns
  • Add this plugin to plugin.cfg per instructions therein.
  • make -f Makefile.release DOCKER=your-docker-repo release
  • make -f Makefile.release DOCKER=your-docker-repo docker
  • make -f Makefile.release DOCKER=your-docker-repo docker-push

Examples

Example 1


. {
  rrl . {
    responses-per-second 10
  }
}

Known Issues

rrl is vulnerable to wildcard flooding. See the section above for mitigating this vulnerability: Mitigate Wildcard Flooding with the metadata Plugin

Additional References

A Quick Introduction to Response Rate Limiting

This Plugin's Design Spec

rrl's People

Contributors

chrisohaver avatar cricketliu avatar rdrozhdzh avatar remcodm avatar tantalor93 avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar

Forkers

chrisohaver cricketliu rdrozhdzh rajansandeep rancher erbesharat nevermore-muyi kaponocloud remcodm isabella232 muffin87 aleksandriakhnev zoues linuxsuren replit elitshare novoleg tantalor93 achernov3

rrl's Issues

Guard against wildcard flooding

Employing a Response Rate Limiting function in CoreDNS (e.g. this plugin) was recommended in the security review by Trail of Bits' security review of CoreDNS to help prevent DNS reflection attacks.

There is a known issue that would be good to fix: the rrl plugin is susceptible to wildcard flooding. That is, an attacker can abuse a known wildcard to generate an (almost) unlimited number of unique queries, and thus launch a DNS reflection attack while keeping quotas under rrl limits.

BIND's RRL implementation solves this by lumping all responses synthesized by a given wildcard into one bucket for that wildcard. For CoreDNS to do this, it needs to be aware of the wildcards served by a zone.

The solution (in progress) will involve changes to this repo, but also to require changes to some plugins in CoreDNS (plugins that support wildcard records). This would mostly be file, auto, and other plugins that use the Zone package to serve zones.

I can think of two different general approaches to implement this in CoreDNS:

  1. Authoritative plugins synthesizing a response from a wildcard record would earmark the response in some way, so that the rrl plugin can identify what subdomain segments are wild.
    • earmarking responses could be awkward code-wise - could require some core changes to structures, or involve stashing info in context (e.g. via metadata). Even though this approach adds processing to each wildcard response, it would be more efficient in the end since the plugins already know at the time of creating a response if it exists due to a wildcard record.
  2. Authoritative plugins provide a list of all wildcards they serve. rrl would then infer that a response for a query name that is a subdomain of a wildcard should be accounted for in that wildcard's parent domain.
    • Maybe easier to implement, but static records "blocking" wildcards will break this assumption - and coding around that would be also adding a list of static records that are subdomains of wildcards to the list, which could result in the list being quite long. Essentially this approach requires extra legwork "re-figuring out" if a response was created by a wildcard record.

example

Hi,

I added this plugin in the end of plugins.cfg and have set

rrl . {
    responses-per-second 1
  }

I was expecting no result when simply running a couple of dig commands simultaneously, but it was all fine.
How can I confirm that the plugin works as expected?

Use of deprecated `Normalize` function

Use of Normalize should be updated per ...

[WARNING] An external plugin (/go/src/github.com/coredns/coredns/plugin/rrl/setup.go line 67) is using the deprecated function Normalize. This will be removed in a future versions of CoreDNS. The plugin should be updated to use OriginsFromArgsOrServerBlock or NormalizeExact instead.

How to use this when using coredns via Golang package?

The instructions for using as an external plugin with the binary coredns are helpful, but I don't see anything for how to include this (or other external packages) via the Golang package of coredns, which is what my team uses. Thanks for any help you can provide, and pointers in the right direction would be great!

question

Why is ipv4-prefix-length and ipv6-prefix-length set to defaults 24 and 56? What's the rationale there?

I know these are the BIND defaults. I can't seem to find any explanation though. Just working it backwords, one guess I have is that you assume "organizations" (like AWS for example) own entire blocks of IP addresses. That way by setting the prefix length to less than 32/64 you'd be "protecting" all of that organization's servers "better".

Configurable response categorization

Would it be reasonable to add a config option for response categorization? Like
categorize-by rtype qtype qname

The prefix of client IP will always be included in categorization list and won't be configurable.

The reason is that it might have no sense to categorize by query name if coredns is used as forwarder. Attacker can use a very long list of valid domain names and RRL will account all them differently.

Import cycle not allowed

  • Bug Report

When I try to compile coredns with rrl in plugin.cfg I get following error:

make                                                                                                                                                                                                 
go generate coredns.go
go get
go: downloading github.com/coredns/rrl v0.0.0-20221115044145-ed50446f4bae
go: added github.com/coredns/alternate v0.0.0-20230808153232-6204d80011e7
go: added github.com/coredns/rrl v0.0.0-20221115044145-ed50446f4bae
go: upgraded github.com/coreos/go-systemd/v22 v22.3.2 => v22.3.3-0.20220203105225-a9a7ef127534
CGO_ENABLED=0  go build -v -ldflags="-s -w -X github.com/coredns/coredns/coremain.GitCommit=282b2da5-dirty" -o coredns
package github.com/coredns/coredns
	imports github.com/coredns/coredns/core/plugin
	imports github.com/coredns/rrl
	imports github.com/coredns/coredns/core/plugin: import cycle not allowed
make: *** [coredns] Error 1
  • Plugin.cfg
# Directives are registered in the order they should be executed.
#
# Ordering is VERY important. Every plugin will feel the effects of all other
# plugin below (after) them during a request, but they must not care what plugin
# above them are doing.

# How to rebuild with updated plugin configurations: Modify the list below and
# run `go generate && go build`

# The parser takes the input format of:
#
#     <plugin-name>:<package-name>
# Or
#     <plugin-name>:<fully-qualified-package-name>
#
# External plugin example:
#
# log:github.com/coredns/coredns/plugin/log
# Local plugin example:
# log:log

alternate:github.com/coredns/alternate
rrl:https://github.com/elitshare/rrl
metadata:metadata
geoip:geoip
cancel:cancel
tls:tls
timeouts:timeouts
reload:reload
nsid:nsid
bufsize:bufsize
root:root
bind:bind
debug:debug
trace:trace
ready:ready
health:health
pprof:pprof
prometheus:metrics
errors:errors
log:log
dnstap:dnstap
local:local
dns64:dns64
acl:acl
any:any
chaos:chaos
loadbalance:loadbalance
tsig:tsig
cache:cache
rewrite:rewrite
header:header
dnssec:dnssec
autopath:autopath
minimal:minimal
template:template
transfer:transfer
hosts:hosts
route53:route53
azure:azure
clouddns:clouddns
k8s_external:k8s_external
kubernetes:kubernetes
file:file
auto:auto
secondary:secondary
etcd:etcd
loop:loop
forward:forward
grpc:grpc
erratic:erratic
whoami:whoami
on:github.com/coredns/caddy/onevent
sign:sign
view:view

Is Evict function testing for the wrong type?

Should this:

rrl/plugins/rrl/rrl.go

Line 100 in 1ebc54e

ra, ok := (*el).(ResponseAccount)

be

ra, ok := (*el).(*ResponseAccount)

That is, the contents of el are a pointer to a ResponseAccount?

I ran a few tests with some debugging output and I found that the !ok path was always being taken and thus the actual timeout evaluation never occurs. This makes evictions effectively always delete the first account in the shard.

Importantly, it also means that eviction always succeeds even if all accounts are still within the window size. A side effect of this is that unlock issue #36 is never triggered because eviction always succeeds. Point being, if the aforementioned bug is fixed, it'll most likely start triggering #36.

As an aside, I'm a bit surprised EvictFn uses *interface{} as this is very uncommon and rarely needed. Is there any reason why this isn't just the usual interface{}?

shard.Add() fails to call s.Unlock() if eviction fails

I was reviewing cache/cache.go and I notice that if s.evict() fails, then shard.Add() returns without calling s.Unlock() here:

rrl/plugins/rrl/cache/cache.go

Lines 161 to 162 in 1ebc54e

if !s.evict() {
return errors.New("failed to add item, shard full")

Can I suggest that the idiomatic s.Lock(); defer s.Unlock() might be a safer way of dealing with this?

As an aside, this has probably never triggered a lock stall (that is a go routine attempting to relock the same shard) because there also appears to be a bug in the eviction function registered by RRL.initTable() - which suggests to me that eviction may always succeed when sometimes it should not. I'll post a separate issue on that.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.