Tightened DNS security question re: DNS amplification attacks.
William Allen Simpson
william.allen.simpson at gmail.com
Wed Jan 28 17:50:15 CST 2009
Paul Vixie wrote:
> have been able to bind a reputation to an IP address and act in some way based
> on that reputation because TCP more or less requires that a real IP address
> be used. we're seeing cracks at the edges of this model now, because so many
> core routers have login: cisco; password: cisco, and it's now trivial for any
> spammer to inject BGP that either lights up unallocated space or cuts out a
> piece of somebody else's allocated block. this makes it possible to very
> temporarily and untraceably speak TCP from addresses that have no reputation
> (if they're unallocated) or that have a good reputation (if they're cutouts).
> i've pondered whether a network reputation service based on morality rather
> than behaviour could possibly work.
> ... would anyone be willing to deny service to them -- to paint
> them as having a negative reputation even though their "sin" is laziness or
> cluelessness rather than malevolent intent?
Yes, I've long been an advocate. Heck, the entire community had to take this
approach temporarily to slow/stop 2 worms (so far), because the damage was so
great that we couldn't operate otherwise.
However, I'd argue semantically that this is "behaviour" as well -- under a
negligence or attractive nuisance doctrine.
My previous solution involved extensive AUPs, but over time I've found AUPs
to be almost entirely unenforcible. Action turns out to be very expensive,
courts don't understand them, and are reluctant to support the "outsider"
ISP over their small business that belongs to the local chamber.
I was pleased by community action for de-peering this last year, although it
took several years of mounting evidence and national media exposure.
Do we need a law?
More information about the NANOG