nanog mailing list archives
Re: DNS attacks evolve
From: Paul Vixie <vixie () isc org>
Date: Sat, 09 Aug 2008 22:23:30 +0000
jgreco () ns sol net (Joe Greco) writes:
> I am very, very, very disheartened to be shown to be wrong. As if 8 days wasn't bad enough, a concentrated attack has been shown to be effective in 10 hours. See http://www.nytimes.com/2008/08/09/technology/09flaw.html
that's what theory predicted. guessing a 30-or-so-bit number isn't "hard."
> With modern data rates being what they are, I believe that this is still a severe operational hazard, and would like to suggest a discussion of further mitigation strategies. ...
i have two gripes here.

first, can we please NOT use the nanog@ mailing list as a workshop for discussing possible DNS spoofing mitigation strategies? namedroppers () ops ietf org already has a running gun battle on that topic, and dns-operations () lists oarci net would be appropriate. but unless we're going to talk about deploying BCP38, which would be the mother of all mitigations for DNS spoofing attacks, it's offtopic on nanog@.

second, please think carefully about the word "severe". any time someone can cheerfully hammer you at full-GigE speed for 10 hours, you've got some trouble, and you'll need to monitor for those troubles. 11 seconds of 10MBit/sec fit my definition of "severe". 10 hours at 1000MBit/sec doesn't.

--
Paul Vixie