[88963] in North American Network Operators' Group


Re: DNS deluge for x.p.ctrc.cc

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Sun Feb 26 16:04:43 2006

Date: Sun, 26 Feb 2006 21:04:15 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@verizonbusiness.com>
In-reply-to: <501BC2BE-764E-4CEF-89C6-449F764492FD@isc.org>
To: Joe Abley <jabley@isc.org>
Cc: bmanning@vacation.karoshi.com, Rob Thomas <robt@cymru.com>,
	NANOG <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
On Sun, 26 Feb 2006, Joe Abley wrote:
> As a temporary mitigation tool today, when the volume of legitimate,
> large-packet EDNS0 traffic is near-zero, blocking big 53/udp packets
> might *sound* reasonable. However, we all know how permanent

how are you certain that the udp/53 1500-byte packet is 'dns'? and not
kazaa/gnutella/bittorrent/vpn-in-udp-53 ? It seems that filtering the
TRAFFIC is short-sighted on several fronts :( deciding if you will/won't
be part of the global-recursive-dns-server 'problem' is entirely different
though.

> temporary filters can be. Crippling EDNS0 transport in the future
> seems like a very high price to pay for what might be a very
> temporary, short-term reduction in attack traffic.
>

seems like global tcp/139|tcp/445 filters, or bogon filters... bits put
into configs 'now' and completely forgotten about 'tomorrow' :(
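As an added illustration of the point made above (example code, not part of the thread or any poster's own tooling): a size-based udp/53 filter cannot tell a large EDNS0 reply from any other 1500-byte datagram on that port, but parsing the payload as a DNS message can. The sample messages and the non-DNS blob below are constructed for the example.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR; its CLASS field carries the advertised UDP payload size


def _skip_name(buf, off):
    """Return the offset just past a wire-format name (labels or a compression pointer)."""
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _skip_rr(buf, off):
    """Skip one resource record; return (TYPE, CLASS, offset after RDATA)."""
    off = _skip_name(buf, off)
    rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    off += 10
    if off + rdlen > len(buf):
        raise ValueError("truncated rdata")
    return rtype, rclass, off + rdlen


def classify_udp53(payload):
    """Classify a UDP/53 payload: ('dns+edns0', advertised size), ('dns', None) or ('not-dns', None)."""
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", payload, 0)
        off = 12
        for _ in range(qd):
            off = _skip_name(payload, off) + 4      # QTYPE + QCLASS
        udp_size = None
        for _ in range(an + ns + ar):
            rtype, rclass, off = _skip_rr(payload, off)
            if rtype == OPT_TYPE:
                udp_size = rclass
        if off != len(payload):                     # trailing bytes: not a well-formed message
            return "not-dns", None
        return ("dns+edns0", udp_size) if udp_size is not None else ("dns", None)
    except (ValueError, struct.error):
        return "not-dns", None


def build_sample_response(with_opt):
    """Constructed A-record reply for example.com, optionally with an OPT RR advertising 4096 bytes."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1 if with_opt else 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    return hdr + question + answer + (opt if with_opt else b"")


NON_DNS_BLOB = bytes(range(256)) * 6   # constructed: a big non-DNS datagram that could also ride on udp/53
```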
