[88947] in North American Network Operators' Group
Re: DNS deluge for x.p.ctrc.cc
daemon@ATHENA.MIT.EDU (Joe Provo)
Sat Feb 25 11:25:13 2006
Date: Sat, 25 Feb 2006 11:24:46 -0500
From: Joe Provo <nanog-post@rsuc.gweep.net>
To: NANOG <nanog@merit.edu>
Reply-To: nanog-post@rsuc.gweep.net
In-Reply-To: <20060225084101.GD12328@vacation.karoshi.com.>
Errors-To: owner-nanog@merit.edu
On Sat, Feb 25, 2006 at 08:41:01AM +0000, bmanning@vacation.karoshi.com wrote:
> robt wrote:
[snip]
> > Limit recursion to trusted netblocks and customers. Do not permit
> > your name servers to provide recursion for the world. If you do,
> > you will contribute to one of these attacks.
>
> <recursion is a fundamental DNS design feature,
> restricting it to "walled gardens" cripples its usefulness>
The bad guys abused open SMTP relaying and we couldn't use it anymore.*
They've moved to the next thing that is widely open and will be abusable
for a long time while some folks clamp down quickly, others argue against
it, etc. Until we can factor out the bad guys, the diminishing returns
on playing whack-a-mole will force us all to install more functional
equivalents of signs saying "restrooms are for customers only". And no,
I don't like it either.
Cheers,
Joe
* well, except those who wish to be marginalized.
--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
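
The restriction recommended in the quoted text ("limit recursion to trusted netblocks and customers"), modelled as an added example that is not part of the original thread or of any name server's code. The netblocks, function names and the choice to answer outsiders with REFUSED are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumed trusted netblocks (documentation ranges, constructed for this example).
TRUSTED = [ipaddress.ip_network(n)
           for n in ("192.0.2.0/24", "2001:db8:100::/48", "127.0.0.0/8")]

QR = 0x8000       # message is a response
OPCODE = 0x7800   # opcode field, echoed back to the client
RD = 0x0100       # recursion desired (set by the client)
RA = 0x0080       # recursion available (set by the server)
REFUSED = 5       # RCODE 5

def is_trusted(src):
    """True if the source address falls inside a trusted netblock."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net for net in TRUSTED)

def decide(src, query):
    """Return (action, response_flags) for a raw DNS query received from src."""
    if len(query) < 12:
        return ("drop", None)              # too short to hold a DNS header
    _qid, flags = struct.unpack("!2H", query[:4])
    if flags & QR:
        return ("drop", None)              # a response, not a query
    echoed = flags & (OPCODE | RD)
    if not flags & RD:
        # Client did not ask for recursion: serve local data only.
        return ("no-recursion", QR | echoed)
    if is_trusted(src):
        return ("recurse", QR | echoed | RA)
    # Outside the trusted netblocks: refuse, and do not advertise recursion.
    return ("refuse", QR | echoed | REFUSED)

def sample_query(rd=True):
    """Constructed query for example.com A/IN, ID 0x1234."""
    header = struct.pack("!6H", 0x1234, RD if rd else 0, 1, 0, 0, 0)
    return header + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)

if __name__ == "__main__":
    for src in ("192.0.2.53", "2001:db8:100::1", "203.0.113.9"):
        action, flags = decide(src, sample_query())
        print(f"{src:<16} {action:<8} flags=0x{flags:04x}")
```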