nanog mailing list archives
Re: Tightened DNS security question re: DNS amplification attacks.
From: Mark Andrews <Mark_Andrews () isc org>
Date: Thu, 29 Jan 2009 12:58:08 +1100
The bad guys want amplification but will take obscuring if that's all they can get. RD=1 is only the signature of the current attack. RD=0 is equally viable. Can you cope with "RD=0 NS ." directed to the root servers from forged addresses? This is exactly the query name servers use to prime their caches with.

Stop trying to figure out how to stop the attack of the day as it really is a waste of time and start trying to figure out how to get near universal BCP 38 deployment.

Let the world know you are a good guy if you are deploying BCP 38. Put up on your front web page what percentage of address space / links are covered by BCP 38 compliance, where compliance is defined as "traffic sourced from an arbitrary address will not be passed". This should be auditable.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: Mark_Andrews () isc org
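Added example, not part of the original message: one way the coverage figure described above could be computed and spot-checked from an inventory of customer-facing links. The link names, prefixes and filter lists are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: each customer-facing link, the prefixes assigned
# behind it, and the source prefixes its ingress filter permits (None = no filter).
LINKS = [
    {"name": "cust-a", "assigned": ["192.0.2.0/25", "192.0.2.128/25"],
     "permit": ["192.0.2.0/24"]},
    {"name": "cust-b", "assigned": ["198.51.100.0/24"],
     "permit": ["198.51.100.0/24", "203.0.113.0/24"]},   # filter too wide
    {"name": "cust-c", "assigned": ["203.0.113.0/25"], "permit": None},
]

def nets(prefixes):
    """Parse prefixes and merge adjacent or overlapping ones."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in prefixes))

def passes(link, src):
    """Would this link forward a packet carrying this source address?"""
    if link["permit"] is None:          # an unfiltered link passes everything
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets(link["permit"]))

def compliant(link):
    """True if no source outside the assigned prefixes can be passed."""
    if link["permit"] is None:
        return False
    assigned = nets(link["assigned"])
    return all(any(p.subnet_of(a) for a in assigned)
               for p in nets(link["permit"]))

def coverage(links):
    """Percentage of links and of assigned address space that is compliant."""
    size = lambda l: sum(n.num_addresses for n in nets(l["assigned"]))
    ok = [l for l in links if compliant(l)]
    return {
        "links_pct": round(100 * len(ok) / len(links), 1),
        "space_pct": round(100 * sum(map(size, ok)) / sum(map(size, links)), 1),
    }

if __name__ == "__main__":
    print(coverage(LINKS))
    for link in LINKS:   # spot-check with a source assigned to none of them
        print(link["name"], "passes 203.0.113.200:", passes(link, "203.0.113.200"))
```

A filter that permits more than the assigned prefixes (cust-b) counts as non-compliant here, the same as a link with no filter at all.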