[161798] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Paul Ferguson)
Wed Mar 27 00:29:08 2013
In-Reply-To: <Pine.LNX.4.61.1303262220150.26706@soloth.lewis.org>
Date: Tue, 26 Mar 2013 19:37:05 -0700
From: Paul Ferguson <fergdawgster@gmail.com>
To: Jon Lewis <jlewis@lewis.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Mar 26, 2013 at 7:25 PM, Jon Lewis <jlewis@lewis.org> wrote:
> On Tue, 26 Mar 2013, Matthew Petach wrote:
>
>> The concern Valdis raised about securing recursives while still
>> being able to issue static nameserver IPs to mobile devices
>> is an orthogonal problem to Owen putting rate limiters on
>> the authoritative servers for he.net. If we're all lighting up
>> pitchforks and raising torches, I'd kinda like to know at which
>> castle we're going to go throw pitchforks.
>
> BCP38. As you can see from the wandering conversation, there are many
> attack vectors that hinge on the ability to spoof the source address, and
> thereby misdirect responses to your DDoS target. BCP38 filtering stops them
> all. Or, we can ignore BCP38 for several more years, go on a couple years
> crusade against open recursive resolvers, then against non-rate-limited
> authoritative servers, default public RO SNMP communities, etc.
>
And I don't plan on being around doing this sort of work in another
10+ years, so let's stop farting around. :-p
- ferg
--
"Fergie", a.k.a. Paul Ferguson
fergdawgster(at)gmail.com
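The point Jon makes above, that every one of the reflection vectors in the thread depends on being able to forge a source address and that BCP 38 ingress filtering removes that ability at the edge, can be shown with a small simulation. The following is an added example and not code from the thread or from any NANOG participant. The interface names, the customer prefix assignments, the 60-byte query size and the 50x amplification factor are all assumptions chosen for illustration; the addresses are RFC 5737 / RFC 3849 documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed topology (hypothetical): an access router with two
# customer-facing interfaces and the prefixes assigned to each customer.
CUSTOMER_PREFIXES: Dict[str, List] = {
    "eth1": [ip_network("192.0.2.0/24")],
    "eth2": [ip_network("198.51.100.0/25"), ip_network("2001:db8:1::/48")],
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # source address as written in the IP header
    dst: str
    dport: int = 53   # UDP/53: the reflector discussed in this thread is DNS


def bcp38_permit(pkt: Packet, prefixes: Dict[str, List] = CUSTOMER_PREFIXES) -> bool:
    """Ingress filter in the spirit of BCP 38 (RFC 2827).

    A packet entering on a customer-facing interface is forwarded only if its
    source address lies inside a prefix assigned to that interface. Anything
    else is treated as spoofed and dropped at the edge, before it can reach a
    resolver or authoritative server that would answer to the forged source.
    """
    allowed = prefixes.get(pkt.ingress_if)
    if allowed is None:          # unknown interface: default deny
        return False
    try:
        src = ip_address(pkt.src)
    except ValueError:           # unparsable source: drop rather than guess
        return False
    # ip_network.__contains__ returns False for a mismatched address family,
    # so an IPv4 source can never match the customer's IPv6 prefix.
    return any(src in net for net in allowed)


def forward(pkts: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Apply the filter to a batch; returns (forwarded, dropped)."""
    forwarded = [p for p in pkts if bcp38_permit(p)]
    dropped = [p for p in pkts if not bcp38_permit(p)]
    return forwarded, dropped


def reflected_bytes_to_victim(pkts: List[Packet], victim: str, *, filtered: bool,
                              query_len: int = 60, amp_factor: int = 50) -> int:
    """Bytes an open resolver would send to `victim` in reply to this batch.

    A resolver answers whatever source address the query carries, so every
    query forged with the victim's address becomes an amplified reply aimed at
    the victim. query_len and amp_factor are assumed round numbers, not
    measurements.
    """
    candidates = forward(pkts)[0] if filtered else pkts
    return sum(query_len * amp_factor for p in candidates if p.src == victim)


VICTIM = "203.0.113.10"         # the DDoS target whose address is forged
OPEN_RESOLVER = "203.0.113.53"  # an open recursive resolver elsewhere on the Internet

# Constructed traffic mix seen on the customer-facing interfaces.
SAMPLE: List[Packet] = [
    Packet("eth1", "192.0.2.7", OPEN_RESOLVER),           # legitimate customer query
    Packet("eth2", "198.51.100.9", OPEN_RESOLVER),        # legitimate customer query
    Packet("eth2", "2001:db8:1::9", "2001:db8:ffff::53"), # legitimate IPv6 query
    Packet("eth1", VICTIM, OPEN_RESOLVER),                # spoofed: reflection attempt
    Packet("eth2", "198.51.100.200", OPEN_RESOLVER),      # outside the customer's /25
    Packet("eth3", "192.0.2.7", OPEN_RESOLVER),           # interface with no assignment
    Packet("eth1", "not-an-ip", OPEN_RESOLVER),           # malformed header
]

if __name__ == "__main__":
    fwd, drp = forward(SAMPLE)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    for p in drp:
        print(f"  drop {p.ingress_if} src={p.src} -> {p.dst}:{p.dport}")
    print("bytes reaching victim without BCP38:",
          reflected_bytes_to_victim(SAMPLE, VICTIM, filtered=False))
    print("bytes reaching victim with BCP38:   ",
          reflected_bytes_to_victim(SAMPLE, VICTIM, filtered=True))
```

Run as a script it forwards the three genuine queries and drops the four others, and the spoofed query that would have turned into an amplified reply at the victim never leaves the access network. On real equipment the same check is what strict-mode unicast RPF or a per-interface ingress ACL built from the customer's assigned prefixes does; the resolver and authoritative-server hardening discussed earlier in the thread only limits what a reflector sends back, whereas this filter removes the forged source that makes reflection possible in the first place.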