[161900] in North American Network Operators' Group
Re: Can we not just fix it? WAS:Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (David Conrad)
Thu Mar 28 04:28:12 2013
From: David Conrad <drc@virtualized.org>
In-Reply-To: <F48BEA76-643F-4B84-A05F-D5C91EF8BEC9@deman.com>
Date: Wed, 27 Mar 2013 22:27:58 -1000
To: Michael DeMan <nanog@deman.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mar 27, 2013, at 10:11 PM, Michael DeMan <nanog@deman.com> wrote:
> As I think as we all know the deficiency is the design of the DNS system overall.
One of the largest DDoS attacks I've witnessed was SNMP-based, walking entire OID sub-trees (with spoofed source addresses) across thousands of CPEs that defaulted to allowing SNMP queries over the WAN interface. "Oops". Topped out around 70 Gbps if I remember correctly. No DNS involved.
> The fundamental cause and source of failure for these kinds of attacks comes from the way the DNS (and let's not even get into 'valid' SSL certs) is designed.
Not really. You're at least one layer too high. (Not even going to question what "'valid' SSL certs" have to do with the DNS.)
> It is fundamentally flawed. I am sure there were plenty of political reasons for it to have ended up this way instead of being done in a more robust fashion?
I suspect if you look at the number of queries per second the best TCP stacks could handle circa mid-1980s and compare that number to an average UDP stack, you might see an actual reason instead of conspiracy theories.
> For all the gripes and complaints - all I see is complaints of the symptoms and nobody calling out the original cause of the disease?
You mean connectionless datagram transmission without validation of packet source?
Regards,
-drc
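The pattern Conrad describes (UDP services such as SNMP on CPE WAN interfaces or open DNS resolvers answering large replies to spoofed source addresses) can be spotted at the edge by comparing reply volume with request volume per claimed client and checking whether that client address even belongs to the operator's own prefixes. The following detector is an added example, not code from the thread or from NANOG; the flow records and the internal prefix list are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the thread). Each row summarises
# one UDP request/response exchange seen at a CPE or edge router as
# (claimed client IP, server IP, server port, bytes in, bytes out).
SAMPLE_FLOWS = [
    ("203.0.113.7", "198.51.100.10", 161, 80, 9000),  # SNMP sub-tree walk from WAN
    ("203.0.113.7", "198.51.100.11", 161, 80, 8700),  # same spoofed "client"
    ("192.0.2.5",   "198.51.100.10", 161, 80, 120),   # ordinary GET from inside
    ("203.0.113.9", "198.51.100.10", 53,  60, 3000),  # oversized DNS reply outbound
    ("192.0.2.6",   "198.51.100.10", 53,  60, 90),    # normal DNS lookup from inside
]

# Prefixes this network legitimately sources requests from (assumed values;
# in practice the operator's own address space, BCP38-style).
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Reply bytes / request bytes above this is a strong amplification signal.
AMPLIFICATION_THRESHOLD = 10.0

# Connectionless services commonly abused as amplifiers: DNS and SNMP.
WATCHED_PORTS = (53, 161)


def is_internal(ip):
    """True if the address falls inside one of our own prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_PREFIXES)


def find_amplification(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Return {client: reply/request byte ratio} for external clients whose
    reply volume dwarfs what they sent, i.e. likely spoofed victims."""
    totals = defaultdict(lambda: [0, 0])
    for client, _server, port, b_in, b_out in flows:
        if port not in WATCHED_PORTS:
            continue
        totals[client][0] += b_in
        totals[client][1] += b_out
    findings = {}
    for client, (b_in, b_out) in totals.items():
        ratio = b_out / b_in if b_in else float("inf")
        if ratio >= threshold and not is_internal(client):
            findings[client] = round(ratio, 1)
    return findings
```

Flagged clients are the addresses being flooded, not the attacker; the fix on the answering side is to stop serving SNMP and recursive DNS to the WAN, and on the sending side to drop packets whose source address is not in the originating network's prefixes.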