[161485] in North American Network Operators' Group


Re: [c-nsp] DNS amplification

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Sun Mar 17 12:35:31 2013

In-Reply-To: <5145E22D.20305@gmail.com>
Date: Sun, 17 Mar 2013 12:35:17 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Arturo Servin <arturo.servin@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sun, Mar 17, 2013 at 11:33 AM, Arturo Servin <arturo.servin@gmail.com> wrote:
>
>         Yes, BCP38 is the solution.
>
>         Now, how widely is deployed?
>
>         Someone said in the IEPG session during the IETF86 that 80% of the
> service providers had done it?

right... sure.

>         This raises two questions for me. One, is it really 80%, how to measure it?
>

csail had a project for a while... spoofer project?
  <http://spoofer.csail.mit.edu/>

I think the last I looked they reported ONLY 35% or so coverage of
proper filtering. Looking at:
  <http://spoofer.csail.mit.edu/summary.php>

though they report 86% non-spoofable, that seems very high to me.

>         Second, if it were 80%, how come the 20% makes so much trouble and how
> to encourage it to deploy BCP38?

some of the 20% seems to be very high-speed connected end hosts and at
a 70:1 amplification ratio you don't need much bandwidth to fill a 1g
pipe, eh?

-chris

>         (well, actually 4 questions :)
>
> Regards,
> as
>
> On 3/16/13 7:24 PM, Jon Lewis wrote:
>> On Sat, 16 Mar 2013, Robert Joosten wrote:
>>
>>> Hi,
>>>
>>>>> Can anyone provide insight into how to defeat DNS amplification
>>>>> attacks?
>>>> Restrict resolvers to your customer networks.
>>>
>>> And deploy RPF
>>
>> uRPF / BCP38 is really the only solution.  Even if we did close all the
>> open recursion DNS servers (which is a good idea), the attackers would
>> just shift to another protocol/service that provides amplification of
>> traffic and can be aimed via spoofed source address packets.  Going
>> after DNS is playing whack-a-mole.  DNS is the hip one right now.  It's
>> not the only one available.
>


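As an added illustration (not code from the thread or any of its authors), a Python sketch of the BCP38 ingress rule the thread calls the real solution, applied to constructed sampled flow records, plus the arithmetic behind Chris's 70:1 / 1g remark. The customer prefixes, flow tuples and function names are assumptions made up for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed: prefixes assigned to the customers behind one edge interface.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("198.51.100.0/24", "2001:db8:1::/48")]

def source_allowed(src, prefixes=CUSTOMER_PREFIXES):
    """BCP38 ingress rule: traffic entering from a customer port is forwarded
    only if its source lies inside that customer's assigned prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:          # unparseable source: reject, don't wave through
        return False
    return any(addr in net for net in prefixes)

# Constructed sampled flows: (src, dst, dst_port, bytes). The second and
# fourth carry a source outside the customer prefixes, i.e. spoofed.
FLOWS = [
    ("198.51.100.7",   "192.0.2.53", 53, 64),
    ("203.0.113.9",    "192.0.2.53", 53, 64),
    ("2001:db8:1::42", "192.0.2.53", 53, 64),
    ("203.0.113.9",    "192.0.2.54", 53, 64),
]

def filter_flows(flows, prefixes=CUSTOMER_PREFIXES):
    """Split flows into those BCP38 would forward and those it would drop."""
    passed, dropped = [], []
    for flow in flows:
        (passed if source_allowed(flow[0], prefixes) else dropped).append(flow)
    return passed, dropped

def reflected_bytes_by_victim(dropped, amplification):
    """Bytes each spoofed source (the real victim) would have received back
    from the reflectors had the dropped flows been let through."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in dropped:
        totals[src] += nbytes * amplification
    return dict(totals)

def attacker_bandwidth_needed(target_bps, amplification):
    """Bandwidth needed to fill target_bps at the given ratio; at 70:1 a
    1 Gbit/s pipe needs only about 14.3 Mbit/s of spoofed queries."""
    return target_bps / amplification

if __name__ == "__main__":
    ok, bad = filter_flows(FLOWS)
    print(len(ok), "forwarded,", len(bad), "dropped by BCP38")
    print(reflected_bytes_by_victim(bad, 70), attacker_bandwidth_needed(1e9, 70))
```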