nanog mailing list archives

Re: [c-nsp] DNS amplification


From: Arturo Servin <arturo.servin () gmail com>
Date: Sun, 17 Mar 2013 19:36:30 -0300


        They should publish the spoofable AS. Not for public shame but at least
to show the netadmins that they are doing something wrong, or, if they
are trying to do the good thing, that it is not working.

        Or at least a tool to check for your ASN or netblock.

/as

On 3/17/13 1:35 PM, Christopher Morrow wrote:
On Sun, Mar 17, 2013 at 11:33 AM, Arturo Servin <arturo.servin () gmail com> wrote:

        Yes, BCP38 is the solution.

        Now, how widely is deployed?

        Someone said in the IEPG session during the IETF86 that 80% of the
service providers had done it?

right... sure.

        This raises two questions for me. One, is it really 80%, how to measure it?


csail had a project for a while... spoofer project?
  <http://spoofer.csail.mit.edu/>

I think the last I looked they reported ONLY 35% or so coverage of
proper filtering. Looking at:
  <http://spoofer.csail.mit.edu/summary.php>

though they report 86% non-spoofable, that seems very high to me.

        Second, if it were 80%, how come the 20% makes so much trouble and how
to encourage it to deploy BCP38?

some of the 20% seems to be very highspeed connected end hosts and at
a 70:1 amplification ratio you don't need much bandwidth to fill a 1g
pipe, eh?

-chris

        (well, actually 4 questions :)

Regards,
as

On 3/16/13 7:24 PM, Jon Lewis wrote:
On Sat, 16 Mar 2013, Robert Joosten wrote:

Hi,

Can anyone provide insight into how to defeat DNS amplification
attacks?
Restrict resolvers to your customer networks.

And deploy RPF

uRPF / BCP38 is really the only solution.  Even if we did close all the
open recursion DNS servers (which is a good idea), the attackers would
just shift to another protocol/service that provides amplification of
traffic and can be aimed via spoofed source address packets.  Going
after DNS is playing whack-a-mole.  DNS is the hip one right now.  It's
not the only one available.
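Added example (not code from anyone in this thread): a small Python model of the two controls discussed above, written to make the mechanics concrete. The first part applies BCP38-style strict ingress filtering (the uRPF strict-mode behaviour): a packet arriving on a customer-facing interface is forwarded only if its source address belongs to a prefix assigned behind that interface, so a spoofed victim address is dropped at the edge. The second part looks at flow records on the resolver side and computes, per client address, the ratio of response bytes to query bytes, which is how an open resolver being used as a reflector shows up. Interface names, prefixes, addresses and flow records are all constructed for illustration; nothing here is real operator data.

```python
"""BCP38 ingress-filter model and resolver-side amplification check.

Added example for the DNS amplification thread; not code from the posters.
All interface names, prefixes and flow records are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed: prefixes legitimately assigned behind each customer-facing interface.
CUSTOMER_PREFIXES = {
    "Gi0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "Gi0/2": [ipaddress.ip_network("198.51.100.0/25"),
              ipaddress.ip_network("2001:db8:1::/48")],
}


def bcp38_permit(ingress_if, src):
    """Strict ingress filtering: permit only if src lies in a prefix that
    belongs behind this interface (same idea as uRPF strict mode).
    Unknown interfaces and unparsable addresses are denied."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    # Mixed-family comparisons (v4 address vs v6 network) evaluate to False.
    return any(addr in net for net in CUSTOMER_PREFIXES.get(ingress_if, ()))


# Constructed ingress packets: (ingress_if, src, dst, dport, bytes)
INGRESS_PACKETS = [
    ("Gi0/1", "192.0.2.10",    "203.0.113.53",    53, 64),  # legitimate customer query
    ("Gi0/2", "198.51.100.7",  "203.0.113.53",    53, 64),  # legitimate customer query
    ("Gi0/2", "2001:db8:1::7", "2001:db8:ff::53", 53, 80),  # legitimate IPv6 query
    ("Gi0/2", "203.0.113.9",   "203.0.113.53",    53, 64),  # spoofed: victim's address
    ("Gi0/2", "203.0.113.9",   "203.0.113.53",    53, 64),  # spoofed again
    ("Gi0/1", "198.51.100.7",  "203.0.113.53",    53, 64),  # our prefix, wrong interface
    ("Gi0/3", "10.0.0.5",      "203.0.113.53",    53, 64),  # interface with no prefixes
]


def apply_bcp38(packets):
    """Split packets into (forwarded, dropped) under the strict filter."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if bcp38_permit(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


# Constructed resolver-side flow records: (src, sport, dst, dport, bytes).
# Queries carry dport 53; responses carry sport 53. The three 64-byte queries
# from 203.0.113.9 stand in for spoofed ANY/EDNS0 queries that draw 4480-byte
# answers, so the victim receives far more than the attacker ever sent.
RESOLVER_FLOWS = [
    ("192.0.2.10",   40001, "203.0.113.53",   53, 64),
    ("203.0.113.53",    53, "192.0.2.10",  40001, 130),
    ("203.0.113.9",   4444, "203.0.113.53",   53, 64),
    ("203.0.113.53",    53, "203.0.113.9",  4444, 4480),
    ("203.0.113.9",   4444, "203.0.113.53",   53, 64),
    ("203.0.113.53",    53, "203.0.113.9",  4444, 4480),
    ("203.0.113.9",   4444, "203.0.113.53",   53, 64),
    ("203.0.113.53",    53, "203.0.113.9",  4444, 4480),
]


def amplification_by_client(flows):
    """Return {client: (query_bytes, response_bytes, ratio)} per client address."""
    query_bytes = defaultdict(int)
    response_bytes = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dport == 53:
            query_bytes[src] += nbytes
        elif sport == 53:
            response_bytes[dst] += nbytes
    result = {}
    for client in set(query_bytes) | set(response_bytes):
        q, r = query_bytes[client], response_bytes[client]
        result[client] = (q, r, (r / q) if q else float("inf"))
    return result


def suspected_amplification(flows, min_ratio=20.0, min_response_bytes=1000):
    """Clients whose response:query byte ratio and volume look like reflection."""
    return sorted(client for client, (q, r, ratio) in amplification_by_client(flows).items()
                  if ratio >= min_ratio and r >= min_response_bytes)


if __name__ == "__main__":
    fwd, drp = apply_bcp38(INGRESS_PACKETS)
    print(f"forwarded {len(fwd)} packets, dropped {len(drp)} at ingress")
    for client, (q, r, ratio) in sorted(amplification_by_client(RESOLVER_FLOWS).items()):
        print(f"{client}: {q} bytes in, {r} bytes out, ratio {ratio:.1f}:1")
    print("suspected reflection targets:", suspected_amplification(RESOLVER_FLOWS))
```

Two things the model makes visible: strict filtering drops a packet whose source is a legitimate customer prefix but arrives on the wrong interface, which is exactly the multihoming case that pushes operators toward loose mode or static ACLs; and the spoofed client in the constructed flows ends up at a 70:1 byte ratio, the figure quoted above, from only 192 bytes of queries. The ingress filter stops the spoofed queries before they ever reach a resolver, whereas the resolver-side check only tells you, after the fact, who is being hit.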


