[111110] in North American Network Operators' Group


Re: Tightened DNS security question re: DNS amplification attacks.

daemon@ATHENA.MIT.EDU (Mark Andrews)
Wed Jan 28 20:58:34 2009

To: nanog@nanog.org
From: Mark Andrews <Mark_Andrews@isc.org>
In-reply-to: Your message of "Wed, 28 Jan 2009 18:32:04 MDT."
	<6.2.3.4.2.20090128182341.042ffd18@imap.ameslab.gov> 
Date: Thu, 29 Jan 2009 12:58:08 +1100
Errors-To: nanog-bounces@nanog.org


	The bad guys want amplification but will take obscuring
	if that's all they can get.

	RD=1 is only the signature of the current attack.

	RD=0 is equally viable.

	Can you cope with "RD=0 NS ." directed to the root servers
	from forged addresses?  This is exactly the query name
	servers use to prime their caches with.

	Stop trying to figure out how to stop the attack of the day
	as it really is a waste of time and start trying to figure
	out how to get near universal BCP 38 deployment.

	Let the world know you are a good guy if you are deploying BCP
	38.

	Put up on your front web page what percentage of address
	space / links are covered by BCP 38 compliance, where
	compliance is defined as "traffic sourced from an arbitrary
	address will not be passed".  This should be auditable.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

