[143169] in North American Network Operators' Group


Re: DNS DoS ???

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Sun Jul 31 20:51:12 2011

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Mon, 1 Aug 2011 00:49:22 +0000
In-Reply-To: <20110801004232.3B159125A6CB@drugs.dv.isc.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Aug 1, 2011, at 7:42 AM, Mark Andrews wrote:

> Named already takes proper precautions by default.  Recursive service is limited to directly connected networks by default.  The default was first changed in 9.4 (2007) which is about to go end-of-life once the final wrap up release is done.

This alone isn't enough.  There are quite a few other things folks must do from an architectural and operational standpoint which aren't found in named.conf.

> The real problem is that many ISPs don't do effective ingress/egress filtering.

Well, no.  The real problem is a protocol set/implementation which lends itself so readily to spoofing in the first place, followed (as you say) by ISP/endpoint network inattention to anti-spoofing, followed by protocols which make use of the eminently-spoofable UDP for a critical service.

> This prevents compromised machines from impersonating other machines.

Concur, but see above - spoofing is the symptom, not the disease.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

		The basis of optimism is sheer terror.

			  -- Oscar Wilde
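The recursion default Mark Andrews describes, and the tightening of it that the thread is arguing about, written out as an added named.conf example; it is constructed for this page, not taken from either poster's configuration, and the 192.0.2.0/24 prefix, the ACL name and the rate-limit values are assumptions.

```conf
// Added example, not from the thread: two ways of exposing a BIND resolver.

// WEAK: recursion is on and open to every client. Anyone can send a query
// with a forged source address and have this server reflect (and amplify)
// the answer onto the victim.
// options {
//     recursion yes;
//     allow-recursion { any; };
//     allow-query-cache { any; };
// };

// TIGHTER: recursive service only for the networks this server serves.
// "localnets; localhost;" is roughly what the 9.4+ default amounts to; an
// explicit customer prefix (assumed value below) is what most sites want.
acl "our-clients" {
    localhost;
    localnets;
    192.0.2.0/24;   // assumption: this operator's own customer range
};

options {
    recursion yes;
    allow-recursion   { "our-clients"; };
    allow-query-cache { "our-clients"; };  // no cache reads from outside
    // Authoritative data, if any zones are loaded here, stays world-readable.
    // (Running authoritative and recursive roles on separate hosts is one of
    // the architectural steps the reply alludes to; it is not a config knob.)
    allow-query { any; };

    // Response rate limiting (BIND 9.10 or later) caps identical answers
    // per second to each /24 of source address, so even a spoofed address
    // inside "our-clients" cannot draw an unbounded stream of responses.
    // The values are assumptions; tune them from your query logs.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
```

`named-checkconf` on the file validates the syntax but not the intent; verify the effect from outside the ACL with a query to the server's address and confirm it is refused.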
