nanog mailing list archives

Re: DNS was Re: Internet Vulnerabilities

From: Paul Vixie <paul () vix com>
Date: Fri, 05 Jul 2002 10:15:26 -0700

... beyond that, security and anycast don't mix well without the data
being authenticated, e.g. dnssec.


i won't disagree.  anycast's cost:benefit analysis is compellingly against
its use in most situations.  root name service may be one of them.  now, if
the ops community can figure out a way to secure the edge->core boundary
such that packets heard by a DDoS victim will have reasonable IP source
addresses, then that would be better overall.  however, in the 36 hours
since i last cleared the ipfw stats on c.root-servers.net, i see:

  packets      bytes                  rule

 938231392  60808555788 pipe 1 udp from any to any 53 in
  48248328   2919355408 deny ip from 192.168.0.0/16 to any in
  34199691   2254707782 deny ip from 10.0.0.0/8 to any in
  16030262   1061648337 deny ip from 172.16.0.0/12 to any in

and so i don't see much chance that IP source addresses will be believable
any time during the working lives of anyone now reading this.  i also think
the likelihood of wide scale dnssec deployment within the next year or two
is two orders of magnitude lower than the likelihood of a DDoS against the
root server system.  "more later."

Current thread:

DNS was Re: Internet Vulnerabilities Simon Waters (Jul 05)
- Re: DNS was Re: Internet Vulnerabilities E.B. Dreger (Jul 05)
- Re: DNS was Re: Internet Vulnerabilities Måns Nilsson (Jul 15)
  - Re: DNS was Re: Internet Vulnerabilities Brad Knowles (Jul 15)
- <Possible follow-ups>
- Re: DNS was Re: Internet Vulnerabilities Randy Bush (Jul 05)
  - Re: DNS was Re: Internet Vulnerabilities Paul Vixie (Jul 05)