nanog mailing list archives

Re: DNS issues various


From: "David G. Andersen" <dga () lcs mit edu>
Date: Thu, 24 Oct 2002 16:30:20 -0400


On Thu, Oct 24, 2002 at 04:07:18PM -0400, Richard A Steenbergen mooed:

> We're still working on the distributed attacks, but eventually we'll come 
> up with something just as effective. If it was as easy to scan for 
> networks who don't spoof filter as it is to scan for networks with open 
> broadcasts, I think we'd have had that problem licked too.

  Are you sure? 

*  A smurf attack hurts the open broadcast network as much (or more) 
   than it does the victim.  A DDoS attack from a large number
   of sites need not be all that harmful to any one traffic source.

*  'no ip directed broadcast', which is becoming the default behavior
   for many routers and end-systems,
              vs.
   'access-list 150 deny  ip ... any'
   'access-list 150 deny  ip ... any'
   ...
   'access-list 150 permit ip any any'

   (ignoring rpf, which doesn't work for everyone).

Until the default behavior of most systems is to block spoofed packets,
it's going to remain a problem.

  -Dave, whose glass is half-empty this week. :)

-- 
work: dga () lcs mit edu                          me:  dga () pobox com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.
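An added example, not code from the thread or from either poster: a toy model of the two filters the post contrasts, using constructed addresses (198.51.100.0/24 as "our" customer block and 203.0.113.0/24 as an outside source are assumptions). The anti-spoof ACL mirrors the page's shape (a list of "deny ip <source> any" lines followed by "permit ip any any"), which is exactly the per-network list someone has to write and maintain, while the directed-broadcast check needs only the router's own connected subnets, which is why it can be a default.

```python
import ipaddress

# Constructed: sources that must never arrive on this router's upstream
# interface (our own customer block plus RFC 1918), i.e. the "deny" lines
# of access-list 150. Every network has to fill this list in by hand.
SPOOF_DENY_SOURCES = [
    ipaddress.ip_network("198.51.100.0/24"),   # assumed: our customer block
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed: subnets directly connected to this router. A router already
# knows these, so no operator-maintained list is required.
CONNECTED_SUBNETS = [
    ipaddress.ip_network("198.51.100.0/25"),
    ipaddress.ip_network("198.51.100.128/25"),
]


def antispoof_acl_allows(src: str) -> bool:
    """Evaluate the page-style ACL: the first matching 'deny' line wins,
    otherwise the trailing 'permit ip any any' lets the packet through."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in SPOOF_DENY_SOURCES)


def is_directed_broadcast(dst: str) -> bool:
    """True when dst is the broadcast address of a connected subnet; with
    'no ip directed broadcast' the router drops such packets rather than
    expanding one datagram into a reply from every host on the LAN."""
    ip = ipaddress.ip_address(dst)
    return any(ip == net.broadcast_address for net in CONNECTED_SUBNETS)


def forward_decision(src: str, dst: str) -> str:
    """Apply both checks to a packet arriving on the upstream interface."""
    if not antispoof_acl_allows(src):
        return "drop: spoofed source"
    if is_directed_broadcast(dst):
        return "drop: directed broadcast"
    return "forward"


if __name__ == "__main__":
    # Constructed sample packets as (source, destination).
    for src, dst in [("203.0.113.5", "198.51.100.10"),
                     ("10.1.2.3", "198.51.100.10"),
                     ("203.0.113.5", "198.51.100.127")]:
        print(f"{src} -> {dst}: {forward_decision(src, dst)}")
```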
