nanog mailing list archives
Re: Can we not just fix it? WAS:Re: Open Resolver Problems
From: David Conrad <drc () virtualized org>
Date: Wed, 27 Mar 2013 22:27:58 -1000
On Mar 27, 2013, at 10:11 PM, Michael DeMan <nanog () deman com> wrote:
> As I think as we all know the deficiency is the design of the DNS system overall.

One of the largest DDoS attacks I've witnessed was SNMP-based, walking entire OID sub-trees (with spoofed source addresses) across thousands of CPEs that defaulted to allowing SNMP queries over the WAN interface. "Oops". Topped out around 70 Gbps if I remember correctly. No DNS involved.

> The fundamental cause and source of failure for these kinds of attacks comes from the way the DNS (and let's not even get into 'valid' SSL certs) is designed.

Not really. You're at least one layer too high. (not even going to question what "'valid' SSL certs" have to do with the DNS)

> It is fundamentally flawed. I am sure there were plenty of political reasons for it to have ended up this way instead of being done in a more robust fashion?

I suspect if you look at the number of queries per second the best TCP stacks could handle circa mid-1980s and compare that number to an average UDP stack, you might see an actual reason instead of conspiracy theories.

> For all the gripes and complaints - all I see is complaints of the symptoms and nobody calling out the original cause of the disease?

You mean connectionless datagram transmission without validation of packet source?

Regards,
-drc
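The exchange above comes down to two operator-side controls: dropping datagrams whose source address cannot legitimately arrive on the interface they came in on (BCP38 ingress filtering), and spotting the reflection pattern in flow data, where small requests to a UDP service come back as much larger responses aimed at a third party. The following Python sketch is an added example, not code from this thread or from any NANOG participant; interface names, prefixes, addresses, ports and byte counts are constructed for illustration.

```python
"""Added example (not part of the NANOG thread): a toy BCP38-style ingress
filter and a reflection byte-ratio check over constructed flow records.
Every prefix, address and byte count below is made up."""
import ipaddress
from collections import defaultdict, namedtuple

# Hypothetical customer-facing interfaces and the only source prefixes that
# should ever originate traffic behind each of them. Transit interfaces are
# deliberately absent: BCP38 is enforced at the customer edge.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25")],
}

# UDP services that answer with far more bytes than they receive (DNS, SNMP).
SERVICE_PORTS = (53, 161)

Flow = namedtuple("Flow", "iface src dst sport dport nbytes")

# Constructed flow records. 198.51.100.200 lies outside the /25 on ge-0/0/2,
# so the two SNMP requests claiming that source are spoofed; the replies go
# to the real holder of that address, not to the sender.
FLOWS = [
    Flow("ge-0/0/1", "192.0.2.10",     "203.0.113.5",  40000, 53,  64),
    Flow("xe-1/0/0", "203.0.113.5",    "192.0.2.10",   53, 40000, 180),
    Flow("ge-0/0/2", "198.51.100.200", "203.0.113.9",  50000, 161, 80),
    Flow("xe-1/0/0", "203.0.113.9",    "198.51.100.200", 161, 50000, 1400),
    Flow("ge-0/0/2", "198.51.100.200", "203.0.113.10", 50000, 161, 80),
    Flow("xe-1/0/0", "203.0.113.10",   "198.51.100.200", 161, 50000, 1400),
    Flow("ge-0/0/2", "198.51.100.7",   "203.0.113.5",  41000, 53,  60),
    Flow("xe-1/0/0", "203.0.113.5",    "198.51.100.7", 53, 41000, 120),
]


def ingress_ok(iface, src):
    """BCP38 check: on a customer interface the source must fall inside one
    of that interface's prefixes. Interfaces with no list are not filtered."""
    prefixes = CUSTOMER_PREFIXES.get(iface)
    if prefixes is None:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def spoofed_flows(flows):
    """Flows an ingress filter would have dropped at the edge."""
    return [f for f in flows if not ingress_ok(f.iface, f.src)]


def amplification_ratios(flows, service_ports=SERVICE_PORTS):
    """Response bytes divided by request bytes per (reflector, peer) pair.
    A flow toward a service port is a request; one from a service port is a
    response. Pairs with responses but no observed request are skipped."""
    req, resp = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.dport in service_ports:
            req[(f.dst, f.src)] += f.nbytes      # key: (reflector, peer)
        elif f.sport in service_ports:
            resp[(f.src, f.dst)] += f.nbytes
    return {k: resp[k] / req[k] for k in resp if req.get(k)}


def suspicious_reflections(flows, threshold=10.0):
    """(reflector, peer, ratio) for pairs whose amplification exceeds the
    threshold, largest ratio first."""
    hits = [(r, p, ratio) for (r, p), ratio in amplification_ratios(flows).items()
            if ratio > threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    for f in spoofed_flows(FLOWS):
        print(f"drop at edge: {f.iface} src={f.src} (not in allowed prefixes)")
    for reflector, peer, ratio in suspicious_reflections(FLOWS):
        print(f"reflection: {reflector} -> {peer} amplification x{ratio:.1f}")
```

The two checks are independent on purpose: the ingress filter is what stops a network from emitting spoofed requests in the first place, while the ratio check is what an operator downstream of the reflectors can still see when someone else's edge did not filter. Real flow exports carry packet counts and timestamps as well, so a production version would aggregate per victim over a time window rather than per pair.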