DNS issues various
David G. Andersen
dga at lcs.mit.edu
Thu Oct 24 20:30:20 UTC 2002
On Thu, Oct 24, 2002 at 04:07:18PM -0400, Richard A Steenbergen mooed:
>
> We're still working on the distributed attacks, but eventually we'll come
> up with something just as effective. If it was as easy to scan for
> networks who don't spoof filter as it is to scan for networks with open
> broadcasts, I think we'd have had that problem licked too.
Are you sure?
* A smurf attack hurts the open broadcast network as much (or more)
  than it does the victim. A DDoS attack from a large number
  of sites need not be all that harmful to any one traffic source.
* 'no ip directed broadcast', which is becoming the default behavior
  for many routers and end-systems,
  vs.
    'access-list 150 deny ip ... any'
    'access-list 150 deny ip ... any'
    ...
    'access-list 150 permit ip any any'
  (ignoring rpf, which doesn't work for everyone).
Until the default behavior of most systems is to block spoofed packets,
it's going to remain a problem.
-Dave, whose glass is half-empty this week. :)
--
work: dga at lcs.mit.edu me: dga at pobox.com
MIT Laboratory for Computer Science http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
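The two defaults the reply contrasts, modelled as filter logic. This is an added example, not code from the original post or from any NANOG participant: it uses the standard-library ipaddress module, and the site prefixes and packets are constructed sample values. egress_spoof_filter() is the idea behind the per-site 'access-list 150 deny ip ... any' lines (only sources inside the site's own prefixes may leave), and directed_broadcast_filter() is the idea behind 'no ip directed broadcast' (a packet from outside addressed to a local subnet's broadcast address is dropped, so the network cannot be used as a smurf amplifier).

```python
"""Added example (not from the original NANOG post): toy versions of the two
filters the reply contrasts, built on the standard-library ``ipaddress`` module.

- egress_spoof_filter(): the BCP 38-style 'access-list 150 deny ip ... any'
  idea. Only packets whose source lies inside one of the site's prefixes may
  leave; any other source is treated as spoofed.
- directed_broadcast_filter(): the 'no ip directed broadcast' idea. A packet
  arriving from outside, addressed to the broadcast address of a local
  subnet, is dropped.

All prefixes and packets below are constructed sample values.
"""
from ipaddress import ip_address, ip_network

# Constructed: prefixes the hypothetical site legitimately originates from.
SITE_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/25")]


def egress_spoof_filter(src):
    """Return 'permit' if src is inside a site prefix, otherwise 'deny'.

    This is the egress counterpart of the ACL in the post: everything not
    sourced from the site's own address space is dropped on the way out.
    """
    addr = ip_address(src)
    return "permit" if any(addr in net for net in SITE_PREFIXES) else "deny"


def directed_broadcast_filter(dst, from_outside=True):
    """Return 'deny' for a directed broadcast entering from outside.

    A destination equal to the broadcast address of one of the site's
    subnets is what a smurf reflector receives; with the 'no ip directed
    broadcast' behaviour the router refuses to expand it. Traffic that
    originates inside the site is left alone here, as the concern in the
    post is amplification of outside traffic.
    """
    addr = ip_address(dst)
    if from_outside and any(addr == net.broadcast_address for net in SITE_PREFIXES):
        return "deny"
    return "permit"


# Constructed sample (src, dst) pairs as seen at the site's border router.
SAMPLE_EGRESS = [
    ("192.0.2.10", "203.0.113.5"),      # legitimate local source
    ("198.51.100.200", "203.0.113.5"),  # outside the /25: spoofed
    ("10.0.0.1", "203.0.113.5"),        # private source: spoofed
    ("198.51.100.7", "203.0.113.9"),    # legitimate local source
]


def egress_summary(packets=SAMPLE_EGRESS):
    """Count permit/deny verdicts for a list of (src, dst) outbound packets."""
    counts = {"permit": 0, "deny": 0}
    for src, _dst in packets:
        counts[egress_spoof_filter(src)] += 1
    return counts


if __name__ == "__main__":
    for src, dst in SAMPLE_EGRESS:
        print(f"egress {src:>16} -> {dst}: {egress_spoof_filter(src)}")
    for dst in ("192.0.2.255", "198.51.100.127", "192.0.2.10"):
        print(f"inbound to {dst:>16}: {directed_broadcast_filter(dst)}")
    print(egress_summary())
```

The point the post makes is visible in the shape of the code: the directed-broadcast check needs no site-specific input, so it can ship as a default, whereas the egress filter is only correct if SITE_PREFIXES is maintained for every network that deploys it.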