DNS attacks evolve

Paul Vixie vixie at isc.org
Sat Aug 9 17:23:30 CDT 2008

jgreco at ns.sol.net (Joe Greco) writes:

> I am very, very, very disheartened to be shown to be wrong.  As if 8 days
> wasn't bad enough, a concentrated attack has been shown to be effective in
> 10 hours.  See http://www.nytimes.com/2008/08/09/technology/09flaw.html

that's what theory predicted.  guessing a 30-or-so-bit number isn't "hard."

> With modern data rates being what they are, I believe that this is still a
> severe operational hazard, and would like to suggest a discussion of further
> mitigation strategies.
> ...

i have two gripes here.  first, can we please NOT use the [email protected] mailing
list as a workshop for discussing possible DNS spoofing mitigation
strategies?  namedroppers at ops.ietf.org already has a running gun battle
on that topic, and dns-operations at lists.oarci.net would be appropriate.

but unless we're going to talk about deploying BCP38, which would be the
mother of all mitigations for DNS spoofing attacks, it's offtopic on nanog at .

second, please think carefully about the word "severe".  any time someone
can cheerfully hammer you at full-GigE speed for 10 hours, you've got some
trouble, and you'll need to monitor for those troubles.  11 seconds of
10MBit/sec fit my definition of "severe".  10 hours at 1000MBit/sec doesn't.
Paul Vixie

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the NANOG mailing list