[c-nsp] DNS amplification

Arturo Servin arturo.servin at gmail.com
Sun Mar 17 22:36:30 UTC 2013


	They should publish the spoofable AS. Not for public shame but at least
to show the netadmins that they are doing something wrong, or, if they
are trying to do the good thing, that it is not working.

	Or at least a tool to check for your ASN or netblock.

/as

On 3/17/13 1:35 PM, Christopher Morrow wrote:
> On Sun, Mar 17, 2013 at 11:33 AM, Arturo Servin <arturo.servin at gmail.com> wrote:
>>
>>         Yes, BCP38 is the solution.
>>
>>         Now, how widely is it deployed?
>>
>>         Someone said in the IEPG session during the IETF86 that 80% of the
>> service providers had done it?
> 
> right... sure.
> 
>>         This raises two questions for me. One, is it really 80%, how to measure it?
>>
> 
> csail had a project for a while... spoofer project?
>   <http://spoofer.csail.mit.edu/>
> 
> I think the last I looked they reported ONLY 35% or so coverage of
> proper filtering. Looking at:
>   <http://spoofer.csail.mit.edu/summary.php>
> 
> though they report 86% non-spoofable, that seems very high to me.
> 
>>         Second, if it were 80%, how come the 20% makes so much trouble and how
>> to encourage it to deploy BCP38?
> 
> some of the 20% seems to be very high-speed connected end hosts and at
> a 70:1 amplification ratio you don't need much bandwidth to fill a 1g
> pipe, eh?
> 
> -chris
> 
>>         (well, actually 4 questions :)
>>
>> Regards,
>> as
>>
>> On 3/16/13 7:24 PM, Jon Lewis wrote:
>>> On Sat, 16 Mar 2013, Robert Joosten wrote:
>>>
>>>> Hi,
>>>>
>>>>>> Can anyone provide insight into how to defeat DNS amplification
>>>>>> attacks?
>>>>> Restrict resolvers to your customer networks.
>>>>
>>>> And deploy RPF
>>>
>>> uRPF / BCP38 is really the only solution.  Even if we did close all the
>>> open recursion DNS servers (which is a good idea), the attackers would
>>> just shift to another protocol/service that provides amplification of
>>> traffic and can be aimed via spoofed source address packets.  Going
>>> after DNS is playing whack-a-mole.  DNS is the hip one right now.  It's
>>> not the only one available.
>>
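The BCP38 / uRPF ingress check that the thread settles on, as an added illustration that is not code from the list or from any poster: a constructed routing table stands in for a router's FIB, and packets arriving on customer-facing interfaces are accepted only if their source address is routed back out that same interface (strict uRPF), or merely has some non-default route (loose uRPF). All prefixes, interface names and packets below are made up.

```python
"""Constructed simulation of BCP38 / uRPF source-address filtering at a customer edge."""
from ipaddress import ip_address, ip_network

# Constructed FIB: prefix -> interface the route points out of (not a real router's table).
FIB = {
    ip_network("192.0.2.0/24"): "cust0",      # customer A's assigned block
    ip_network("198.51.100.0/25"): "cust1",   # customer B's assigned block
    ip_network("0.0.0.0/0"): "upstream",      # default route towards transit
}

def urpf_allows(src, in_ifc, mode="strict"):
    """Decide whether a packet with source `src` arriving on `in_ifc` passes uRPF.

    Like the usual router behaviour, the default route is NOT counted as a
    reverse path, so sources covered only by 0.0.0.0/0 are dropped in both modes.
    strict: the longest-prefix-match route to src must exit via in_ifc.
    loose:  any non-default route to src is enough (catches unrouted space only).
    """
    addr = ip_address(src)
    matches = [(net, ifc) for net, ifc in FIB.items()
               if addr in net and net.prefixlen > 0]
    if not matches:
        return False                      # no reverse path at all: drop
    if mode == "loose":
        return True
    _, ifc = max(matches, key=lambda m: m[0].prefixlen)   # longest-prefix match
    return ifc == in_ifc

# Constructed packets: (source IP, ingress interface, description)
PACKETS = [
    ("192.0.2.10", "cust0", "customer A, genuine source"),
    ("198.51.100.7", "cust0", "customer A spoofing customer B's address"),
    ("203.0.113.9", "cust0", "customer A spoofing an address we have no route to"),
    ("198.51.100.7", "cust1", "customer B, genuine source"),
]

def dropped_packets(packets, mode="strict"):
    """Return descriptions of the packets the edge filter would discard."""
    return [desc for src, ifc, desc in packets if not urpf_allows(src, ifc, mode)]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, "drops:", dropped_packets(PACKETS, mode))
```

Strict mode is what BCP38 asks of a customer edge; loose mode shows why it is a weaker substitute, since a source spoofed from another customer's routed block still gets through.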