Open Resolver Problems

Alain Hebert ahebert at pubnix.net
Wed Mar 27 12:20:05 UTC 2013


    Same ol' same ol'

    (at least since I started this around '93 =D)

On 03/26/13 22:25, Jon Lewis wrote:
> On Tue, 26 Mar 2013, Matthew Petach wrote:
>
>> The concern Valdis raised about securing recursives while still
>> being able to issue static nameserver IPs to mobile devices
>> is an orthogonal problem to Owen putting rate limiters on
>> the authoritative servers for he.net.  If we're all lighting up
>> pitchforks and raising torches, I'd kinda like to know at which
>> castle we're going to go throw pitchforks.
>
> BCP38.  As you can see from the wandering conversation, there are many
> attack vectors that hinge on the ability to spoof the source address,
> and thereby misdirect responses to your DDoS target.  BCP38 filtering
> stops them all.  Or, we can ignore BCP38 for several more years, go on
> a couple years crusade against open recursive resolvers, then against
> non-rate-limited authoritative servers, default public RO SNMP
> communities, etc.
>
> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
    IP Spoofing still exists because of lazy Peers...

    Same as the ability to hijack a subnet with BGP...  ( *wave* DoD
from 2-3 weeks ago )

    But, as always, it's our responsibility to kill our infrastructure;
it was IRC Servers in the past, now DNS Servers...

    Just for those lazy Peers to not HAVE to fix their broken setup.

    Same ol', same ol'.

-----
Alain Hebert                                ahebert at pubnix.net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443
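The point Jon makes above, that every reflection attack in the thread depends on a spoofed source address and that BCP38 ingress filtering removes that dependency at the customer edge, can be shown with a small model. This is an added example, not code from the thread or from any vendor; the port names, the RFC 5737 documentation prefixes and the sample packets are all constructed.

```python
"""Toy model of BCP38 ingress filtering (constructed example): an access
router forwards a packet only if its source address falls inside a prefix
assigned to the customer port it arrived on.  Spoofed packets are dropped
before they can reach any reflector, whether an open resolver, an
authoritative server or an SNMP agent."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    ingress_port: str
    src: str
    dst: str
    payload: str


# Constructed: prefixes assigned to each customer-facing port.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("198.51.100.128/26")],
}


def bcp38_permits(pkt: Packet, prefixes=CUSTOMER_PREFIXES) -> bool:
    """True if the source lies within a prefix assigned to the ingress port.
    A port with no assigned prefixes permits nothing (deny by default)."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in prefixes.get(pkt.ingress_port, []))


def forward(pkts, prefixes=CUSTOMER_PREFIXES):
    """Apply the filter to a batch; return (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for p in pkts:
        (forwarded if bcp38_permits(p, prefixes) else dropped).append(p)
    return forwarded, dropped


# Constructed traffic: two legitimate packets and two whose source has been
# forged to a third party (203.0.113.7) that would otherwise get the replies.
SAMPLE = [
    Packet("ge-0/0/1", "192.0.2.10", "198.51.100.53", "DNS query, own src"),
    Packet("ge-0/0/1", "203.0.113.7", "198.51.100.53", "DNS query, spoofed src"),
    Packet("ge-0/0/2", "203.0.113.7", "198.51.100.161", "SNMP get, spoofed src"),
    Packet("ge-0/0/2", "198.51.100.150", "192.0.2.1", "ping, own src"),
]

if __name__ == "__main__":
    fwd, drop = forward(SAMPLE)
    for p in drop:
        print(f"drop {p.ingress_port} src={p.src}: {p.payload}")
```

The filter never needs to know what the reflector is; it only checks that the source address belongs to the port the packet came in on, which is why it covers the whole list of attack vectors at once.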
