[143170] in North American Network Operators' Group


Re: DNS DoS ???

daemon@ATHENA.MIT.EDU (Mark Andrews)
Sun Jul 31 22:23:13 2011

To: "Dobbins, Roland" <rdobbins@arbor.net>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Mon, 01 Aug 2011 00:49:22 GMT."
 <AE105312-3108-4B0B-8445-7116B84EC428@arbor.net>
Date: Mon, 01 Aug 2011 12:22:01 +1000
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In message <AE105312-3108-4B0B-8445-7116B84EC428@arbor.net>, "Dobbins, Roland" 
writes:
> On Aug 1, 2011, at 7:42 AM, Mark Andrews wrote:
> 
> > Named already takes proper precautions by default.  Recursive service is limited to directly connected networks by default.  The default was first changed in 9.4 (2007) which is about to go end-of-life once the final wrap up release is done.
> 
> This alone isn't enough.  There are quite a few other things folks must do from an architectural and operational standpoint which aren't found in named.conf.
> 
> > The real problem is that many ISP's don't do effective ingress/egress filtering.
> 
> Well, no.  The real problem is a protocol set/implementation which lends itself so readily to spoofing in the first place, followed (as you say) by ISP/endpoint network inattention to anti-spoofing, followed by protocols which make use of the eminently-spoofable UDP for a critical service.

And even if DNS/TCP was used by default machines can still get DoS'd
because IP is spoofable.

This one looks like a direct attack on the machine as there are
multiple source addresses rather than a reflector attack unless they
are attempting to attack thousands of sites simultaneously.

> >  This prevents compromised machines impersonating other machines.
> 
> Concur, but see above - spoofing is the symptom, not the disease.
> 
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
> 
> 		The basis of optimism is sheer terror.
> 
> 			  -- Oscar Wilde
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
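The distinction Mark draws above (many distinct source addresses pointing to a direct flood, whereas a reflector attack repeats queries from the few spoofed addresses of the intended victim) written out as a query-log heuristic. This is an added example, not code from the thread or from ISC; the log lines are constructed, and the BIND-style "queries" log format and the 0.5 threshold are assumptions.

```python
import re
from collections import Counter

# Constructed BIND-style query log lines (not from the thread). The line
# format is an assumption modelled on named's "queries" log category.
REFLECTION_LOG = """\
client 203.0.113.5#33421: query: example.net IN ANY +
client 203.0.113.5#33422: query: example.net IN ANY +
client 203.0.113.5#33423: query: example.net IN ANY +
client 203.0.113.5#33424: query: example.net IN ANY +
client 203.0.113.5#33425: query: example.net IN ANY +
client 198.51.100.9#5353: query: www.example.com IN A +
"""

DIRECT_LOG = """\
client 198.51.100.71#4001: query: a1.example.org IN A +
client 198.51.100.72#4002: query: a2.example.org IN A +
client 203.0.113.13#4003: query: a3.example.org IN A +
client 192.0.2.44#4004: query: a4.example.org IN A +
client 192.0.2.45#4005: query: a5.example.org IN A +
client 198.51.100.73#4006: query: a6.example.org IN A +
"""

LINE_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_queries(log_text):
    """Return (source_ip, qname, qtype) for each recognisable query log line."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append((m.group("ip"), m.group("qname"), m.group("qtype")))
    return rows

def classify_flood(log_text, distinct_ratio=0.5):
    """Few sources repeating a query -> reflector pattern (the repeated source is
    the spoofed victim); many distinct sources -> direct flood at this server.
    The distinct_ratio threshold is an assumption, not a measured value."""
    rows = parse_queries(log_text)
    if not rows:
        return "no-data", {}
    sources = Counter(ip for ip, _, _ in rows)
    top_ip, top_count = sources.most_common(1)[0]
    stats = {"queries": len(rows), "sources": len(sources),
             "top_source": top_ip, "top_share": top_count / len(rows)}
    verdict = "reflection-suspect" if len(sources) / len(rows) < distinct_ratio else "direct-flood"
    return verdict, stats
```

In the reflector case the top source is the address to notify or rate-limit on behalf of, while in the direct case the per-source counts give nothing to act on and the mitigation has to sit in front of the server.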

