[106683] in North American Network Operators' Group


Re: DNS attacks evolve

daemon@ATHENA.MIT.EDU (Paul Vixie)
Sat Aug 9 18:23:52 2008

To: jgreco@ns.sol.net (Joe Greco), nanog@merit.edu
From: Paul Vixie <vixie@isc.org>
Date: Sat, 09 Aug 2008 22:23:30 +0000
In-Reply-To: <200808092102.m79L2ZNj031860@aurora.sol.net> (Joe Greco's message
	of "Sat\, 9 Aug 2008 16\:02\:35 -0500 \(CDT\)")
X-Vix-MailScanner-From: vixie@isc.org
Errors-To: nanog-bounces@nanog.org

jgreco@ns.sol.net (Joe Greco) writes:

> I am very, very, very disheartened to be shown to be wrong.  As if 8 days
> wasn't bad enough, a concentrated attack has been shown to be effective in
> 10 hours.  See http://www.nytimes.com/2008/08/09/technology/09flaw.html

that's what theory predicted.  guessing a 30-or-so-bit number isn't "hard."

> With modern data rates being what they are, I believe that this is still a
> severe operational hazard, and would like to suggest a discussion of further
> mitigation strategies.
> ...

i have two gripes here.  first, can we please NOT use the nanog@ mailing
list as a workshop for discussing possible DNS spoofing mitigation
strategies?  namedroppers@ops.ietf.org already has a running gun battle
on that topic, and dns-operations@lists.oarci.net would be appropriate.

but unless we're going to talk about deploying BCP38, which would be the
mother of all mitigations for DNS spoofing attacks, it's off-topic on nanog@.

second, please think carefully about the word "severe".  any time someone
can cheerfully hammer you at full-GigE speed for 10 hours, you've got some
trouble, and you'll need to monitor for those troubles.  11 seconds of
10MBit/sec fit my definition of "severe".  10 hours at 1000MBit/sec doesn't.
-- 
Paul Vixie
