[106452] in North American Network Operators' Group


Re: Great Suggestion for the DNS problem...?

daemon@ATHENA.MIT.EDU (Matt F)
Mon Jul 28 22:44:25 2008

Date: Mon, 28 Jul 2008 22:44:10 -0400
From: Matt F <matt@credibleinstitution.org>
In-reply-to: <C4B3CD84.2F177%mksmith@adhost.com>
To: Michael Smith <mksmith@adhost.com>
Cc: Nanog <nanog@merit.edu>
Errors-To: nanog-bounces@nanog.org

What would the ip-blocking BGP feed accomplish?  Spoofed source 
addresses are a staple of the DNS cache poisoning attack. 

Worst case scenario, you've opened yourself up to a new avenue of attack 
where your nameservers are receiving spoofed packets intended to 
trigger a blackhole filter, blocking communication between your network 
and the legitimate owner of the forged IP address.

Michael Smith wrote:
> Hello All:
>
>
>   
>> From: Paul Vixie <vixie@isc.org>
>> Date: Tue, 29 Jul 2008 01:24:43 +0000
>> To: Nanog <nanog@merit.edu>
>> Subject: Re: Great Suggestion for the DNS problem...?
>>
>> jra@baylink.com ("Jay R. Ashworth") writes:
>>
>>     
>>> [ unthreaded to encourage discussion ]
>>>
>>> On Sat, Jul 26, 2008 at 04:55:23PM -0500, James Hess wrote:
>>>       
>>>> Nameservers could incorporate poison detection...
>>>>
>>>> Listen on 200 random fake ports (in addition to the true query ports);
>>>> if a response ever arrives at a fake port, then it must be an attack,
>>>> read the "identified" attack packet, log the attack event, mark the
>>>> RRs mentioned in the packet as "poison being attempted" for 6 hours;
>>>> for such domains always request and collect _two_ good responses
>>>> (instead of one), with a 60 second timeout, before caching a lookup.
>>>>
>>>> The attacker must now guess nearly 64-bits in a short amount of time,
>>>> to be successful. Once a good lookup is received, discard the normal
>>>> TTL and hold the good answer cached and immutable, for 6 hours (_then_
>>>> start decreasing the TTL normally).
>>>>         
>>> Is there any reason which I'm too far down the food chain to see why
>>> that's not a fantastic idea?  Or at least, something inspired by it?
>>>       
>> at first glance, this is brilliant, though with some unimportant nits.
>>
>> however, since it is off-topic for nanog, i'm going to forward it to
>> the namedroppers@ops.ietf.org mailing list and make detailed comments
>> there.
>> -- 
>>     
> Still off topic, but perhaps a BGP feed from Cymru or similar to block IP
> addresses on the list?
>
> Regards,
>
> Mike
>
>
>
>   
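
The decoy-port detector that James Hess describes in the quoted message, as an added Python sketch written for this page; it is not code from anyone on this thread and not a DNS implementation. It assumes a single real query port (the proposal allows several), models time as an integer argument instead of reading a clock, and ignores transaction IDs and the rest of the DNS wire format; only the port/cache logic of the proposal is shown.

```python
import random

DECOY_PORT_COUNT = 200
SUSPECT_HOLD = 6 * 3600    # "poison being attempted" state lasts 6 hours
CONFIRM_WINDOW = 60        # two matching good replies must arrive within 60 s
IMMUTABLE_HOLD = 6 * 3600  # a confirmed answer is pinned 6 hours before its TTL runs

class PoisonAwareResolver:
    """Sketch of the decoy-port poison detector; not a real DNS implementation."""

    def __init__(self, query_port, rng=None):
        rng = rng or random.Random(1)  # fixed seed only so the example is reproducible
        self.query_port = query_port
        # Decoy ports never carry real queries, so any reply to one is forged.
        self.decoys = set(rng.sample(range(1024, 65536), DECOY_PORT_COUNT)) - {query_port}
        self.cache = {}    # name -> (rdata, pinned_until, expires_at)
        self.suspect = {}  # name -> suspect_until
        self.pending = {}  # name -> (rdata, first_seen)
        self.log = []      # attack events a defender would ship to a SIEM

    def handle_response(self, dst_port, name, rdata, ttl, now):
        if dst_port in self.decoys:
            self.log.append(f"t={now}: forged reply for {name} hit decoy port {dst_port}")
            self.suspect[name] = now + SUSPECT_HOLD
            return "attack"
        if dst_port != self.query_port:
            return "dropped"  # not one of our sockets at all
        entry = self.cache.get(name)
        if entry and entry[1] > now:
            return "ignored_pinned"  # a confirmed answer is immutable for the hold period
        if self.suspect.get(name, 0) > now:
            first = self.pending.get(name)
            if first is None or now - first[1] > CONFIRM_WINDOW:
                self.pending[name] = (rdata, now)  # start (or restart) collecting
                return "need_second"
            del self.pending[name]
            if first[0] != rdata:
                self.log.append(f"t={now}: conflicting answers for {name}, not cached")
                return "conflict"
            # Two matching replies: pin the answer, then let the TTL count down afterwards.
            self.cache[name] = (rdata, now + IMMUTABLE_HOLD, now + IMMUTABLE_HOLD + ttl)
            return "cached_confirmed"
        self.cache[name] = (rdata, 0, now + ttl)  # unflagged name: normal caching
        return "cached"

    def lookup(self, name, now):
        entry = self.cache.get(name)
        return entry[0] if entry and entry[2] > now else None
```

Note that the decoy hit is only evidence against the name, not against the packet's source address, which is Matt's point: the source is spoofable, so the reaction is to demand extra confirmation, never to blackhole the apparent sender.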


