"trivial" changes to DNS (was: OpenNTPProject.org)

Mark Andrews marka at isc.org
Fri Jan 17 01:03:28 UTC 2014

In message <CAAAwwbVJKEok-ydwEQd4cowJ9qAAtbC8mKqwNXrsud55+H9ZEw at mail.gmail.com>
, Jimmy Hess writes:
> On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews <marka at isc.org> wrote:
> > We don't need to change transport, we don't need to port knock.  We
> > just need to implementent a slightly modified dns cookies which
> > reminds me that I need to review Donald Eastlake's new draft to be.
> >
> But a change to DNS doesn't solve the problem for the other thousand or so
> UDP-based protocols.

What thousand protocols?  There really are very few protocols widely
deployed on top of UDP.

> What would your fix be for the Chargen and SNMP protocols?

Chargen is turned off on many platforms by default.  Turn it off
on more.  Chargen loops are detectable.

SNMP doesn't need to be open to the entire world.  It's not like
authoritative DNS servers which are offering a service to everyone.

New UDP based protocols need to think about how to handle spoof

You look at providing extending routing protocols to provide
information about the legitimate source addresses that may be emitted
over a link.  SIDR should help here with authentication of the data.
This will enable better automatic filtering to be deployed.

You continue to deploy BCP38.  Every site that deploys BCD is one
less site where owened machines can be used to launch attacks from.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the NANOG mailing list