funsec mailing list archives

Re: UltraDNS: Internet Security Shield?

From: Tim Wilde <twilde () dyndns com>
Date: Wed, 19 Oct 2005 12:56:06 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 19 Oct 2005, Jordan Wiens wrote:

That's why I quoted their summary -- they appear to make that claim:
"In the event of a DDoS attack on the public Internet or other networkfailure, DNS Shield partner customers' queries are isolated from the effectsand continue to be resolved locally ensuring domains powered by UltraDNS are100% accessible."
My point is that those domains are not necessarily 100% accessible. They maybe 100% resolvable, but it's not the same thing.

Full disclosure: I'm founder/part owner of another DNS provider; somewould argue we compete with UltraDNS, some would argue we don't.

I read the articles about this differently than everyone else seems to beinterpreting them. Most people are looking at it as "fine, they'll answerall the DNS queries, but who cares if the site isn't up", and, if that'sthe case, I agree, it is kind of a moot point. However, these paragraphsjumped out at me when I read the release:

"The DNS Shield protects against these and other attacks by integratingUltraDNS servers directly into the infrastructure of its Internet serviceproviders.

This creates totally protected environments where only authenticated userqueries are answered and that eliminates the external data blitzes thatcan shut down networks and Web sites, the company said."

Reading this as a DNS guy, I understood it to mean that the DNS serverswill actually somehow differentiate the DNS queries coming from theattacking hosts, and NOT answer them, making it impossible for theattackers to resolve the site being attacked, and allowing the site toreally remain fully up and running, for EVERYONE. (Except the attackingmachines, of course.)

It could mean something entirely different than either one of those views,of course. We just don't know, because all we know is the marketinginformation. So, as Paul said, let's give Rodney some courtesy and thebenefit of the doubt. Buy it and see! :)


Tim Wilde

- --Tim Wilde

twilde () dyndns com
Systems Administrator
Dynamic Network Services, Inc.
http://www.dyndns.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFDVnqnT9UHzqLr6x4RAu8RAKCFMa+tw91CO8zIhsyP58G0Vda+9gCeP7St
Oj6wJOu8lfv1w4PJjqhTcqw=
=3kPq
-----END PGP SIGNATURE-----
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

UltraDNS: Internet Security Shield? Fergie (Paul Ferguson) (Oct 18)
- Re: UltraDNS: Internet Security Shield? Jordan Wiens (Oct 18)
  - Re: UltraDNS: Internet Security Shield? David Dagon (Oct 18)
    - Re: UltraDNS: Internet Security Shield? Jordan Wiens (Oct 18)
    - Re: UltraDNS: Internet Security Shield? David Ulevitch (Oct 18)
    - Re: UltraDNS: Internet Security Shield? Paul Vixie (Oct 18)
  - Re: UltraDNS: Internet Security Shield? John Payne (Oct 18)
    - Re: UltraDNS: Internet Security Shield? Jordan Wiens (Oct 19)
    - Re: UltraDNS: Internet Security Shield? Tim Wilde (Oct 19)
    - RE: UltraDNS: Internet Security Shield? Aditya Deshmukh (Oct 19)
    - Re: UltraDNS: Internet Security Shield? Paul Vixie (Oct 19)
    - Re: UltraDNS: Internet Security Shield? John Payne (Oct 19)
- Re: UltraDNS: Internet Security Shield? Florian Weimer (Oct 18)