Open Resolver Problems

• Previous message (by thread): Open Resolver Problems
• Next message (by thread): Open Resolver Problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Mar 26, 2013 at 7:25 PM, Jon Lewis <jlewis at lewis.org> wrote:

> On Tue, 26 Mar 2013, Matthew Petach wrote:
>
>> The concern Valdis raised about securing recursives while still
>> being able to issue static nameserver IPs to mobile devices
>> is an orthogonal problem to Owen putting rate limiters on
>> the authoritative servers for he.net.  If we're all lighting up
>> pitchforks and raising torches, I'd kinda like to know at which
>> castle we're going to go throw pitchforks.
>
>
> BCP38.  As you can see from the wandering conversation, there are many
> attack vectors that hinge on the ability to spoof the source address, and
> thereby misdirect responses to your DDoS target.  BCP38 filtering stops them
> all.  Or, we can ignore BCP38 for several more years, go on a couple years
> crusade against open recursive resolvers, then against non-rate-limited
> authoratative servers, default public RO SNMP communities, etc.
>

And I don't plan on being around doing this sort of work in another
10+ years, so let's stop farting around. :-p

- ferg

-- 
"Fergie", a.k.a. Paul Ferguson
 fergdawgster(at)gmail.com

• Previous message (by thread): Open Resolver Problems
• Next message (by thread): Open Resolver Problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]