[106453] in North American Network Operators' Group
Re: Great Suggestion for the DNS problem...?
daemon@ATHENA.MIT.EDU (Brian Dickson)
Mon Jul 28 23:01:32 2008
Date: Tue, 29 Jul 2008 04:00:57 +0100
From: Brian Dickson <briand@ca.afilias.info>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <alpine.LSU.1.00.0803311450040.8138@hermes-1.csi.cam.ac.uk>
> What would the ip-blocking BGP feed accomplish? Spoofed source
> addresses are a staple of the DNS cache poisoning attack.
> Worst case scenario, you've opened yourself up to a new avenue of
> attack where your nameservers are receiving spoofed packets intended
> to trigger a blackhole filter, blocking communication between your
> network and the legitimate owner of the forged ip address.
>
Yes, but what about blocking the addresses of recursive resolvers that
are not yet patched?
That would certainly stop them from being poisoned, and incent their
owners to patch...
1/2 :-)
Brian
> Michael Smith wrote:
>
> Still off topic, but perhaps a BGP feed from Cymru or similar to block IP
> addresses on the list?
>
> Regards,
>
> Mike
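The half-serious proposal above, blocking recursive resolvers that are "not yet patched", needs a way to tell patched resolvers from unpatched ones, and the objection quoted at the top of the message (spoofed sources can be used to trigger the filter) applies to that test as well. Below is an added example, not code from this thread or from any NANOG participant. It assumes, from the July 2008 date, that "patched" means the source-port randomization fix for the cache-poisoning problem; that is an assumption, not something the message states. It classifies resolvers by the UDP source ports seen in their queries at an authoritative server, builds the candidate block list, and then shows how an attacker can forge queries from an address that never sent any to get it listed. All sample data is constructed; the IP addresses are documentation ranges.

```python
"""Classify recursive resolvers by the source-port behaviour of their queries.

Assumption (not from the thread): an "unpatched" resolver is one that sends
all queries from a fixed port or from a sequential port counter, so its
poisoning resistance rests on the 16-bit transaction ID alone.
"""
from collections import defaultdict

# Constructed sample of queries as an authoritative server would log them:
# (resolver source IP, UDP source port, DNS transaction ID). Not real traffic.
SAMPLE_QUERIES = (
    # 192.0.2.10: every query from port 53 (fixed port, unpatched behaviour)
    [("192.0.2.10", 53, 0x1000 + i) for i in range(8)]
    # 192.0.2.20: ports increment by one per query (sequential, unpatched)
    + [("192.0.2.20", 32768 + i, 0x2000 + i) for i in range(8)]
    # 198.51.100.7: a different random port each time (patched behaviour)
    + [("198.51.100.7", p, 0x3000 + i) for i, p in enumerate(
        [41233, 5071, 60122, 18390, 33007, 9912, 55410, 27744, 3301, 48579])]
    # 198.51.100.8: alternates between two ports (neither fixed nor random)
    + [("198.51.100.8", 1025 + (i % 2), 0x4000 + i) for i in range(8)]
    # 203.0.113.5: too few queries to say anything
    + [("203.0.113.5", 53, 0x5000 + i) for i in range(3)]
)

MIN_SAMPLES = 8          # fewer queries than this: do not classify
RANDOM_DISTINCT_RATIO = 0.9   # share of distinct ports needed to call it randomized


def classify_ports(ports):
    """Label a sequence of source ports (in arrival order) from one resolver."""
    if len(ports) < MIN_SAMPLES:
        return "insufficient"
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"
    # A counter that steps by a small positive amount each query (mod 2^16).
    deltas = [(b - a) & 0xFFFF for a, b in zip(ports, ports[1:])]
    if all(1 <= d <= 4 for d in deltas):
        return "sequential"
    if distinct / len(ports) >= RANDOM_DISTINCT_RATIO:
        return "randomized"
    return "low-entropy"


def classify_resolvers(queries):
    """Map each resolver IP to the label its observed ports earn."""
    ports_by_ip = defaultdict(list)
    for ip, port, _txid in queries:
        ports_by_ip[ip].append(port)
    return {ip: classify_ports(ports) for ip, ports in ports_by_ip.items()}


def candidate_block_list(queries):
    """IPs a 'block the unpatched resolvers' feed would carry."""
    labels = classify_resolvers(queries)
    return sorted(ip for ip, label in labels.items() if label in ("fixed", "sequential"))


def spoofed_queries(victim_ip, count):
    """Queries an off-path attacker forges with the victim's address as source.

    UDP carries no proof of origin, so these are indistinguishable from the
    victim's own traffic when they are classified passively.
    """
    return [(victim_ip, 53, 0x6000 + i) for i in range(count)]


if __name__ == "__main__":
    for ip, label in classify_resolvers(SAMPLE_QUERIES).items():
        print(f"{ip:14} {label}")
    print("block list:", candidate_block_list(SAMPLE_QUERIES))
    # 203.0.113.9 never sent a query; eight forged packets get it blocked.
    poisoned = SAMPLE_QUERIES + spoofed_queries("203.0.113.9", 8)
    print("block list after spoofing:", candidate_block_list(poisoned))
```

The last step is the objection from the quoted reply made concrete: whoever feeds a blackhole list from passively observed packets hands an off-path attacker a way to get arbitrary addresses blocked. The check that is not spoofable is an active one: have the resolver under test look up a name in a zone you control and read its source ports off your own authoritative server, since those queries come from the resolver itself.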