nanog mailing list archives

Re: DNS Amplification Attacks


From: Sean Donelan <sean () donelan com>
Date: Mon, 20 Mar 2006 01:14:29 -0500 (EST)


On Fri, 17 Mar 2006 ennova2005-nanog () yahoo com wrote:
That ISPs still do not filter inbound traffic from their customers to
prevent source spoofing is amazing.

Heck, some people still can't get reverse DNS setup correctly for their
IP addresses.  And in-addr.arpa has been around for decades.

host 66.201.54.61
Host 61.54.201.66.in-addr.arpa not found: 3(NXDOMAIN)

The problem with relying on address anti-spoofing is it doesn't matter how
many ISPs prevent spoofing because it only requires one opening (plus a
bad guy, plus bad computers, plus uncontrolled reflectors).  While
it's a good idea to make the spoofing openings as small as possible,
within your own network anti-spoofing is very useful, you also need
other management controls.

This goes beyond an individual protocol such as DNS.  You can generate
blowback with many different protocols.  Technology can take you only
so far, you also have to address the human element too.

1. Bad guys
2. Compromised computers (a few are really "owned" by the bad guys too)
3. Spoofable source addresses (the bad guys "own" their own ISPs too)
4. Open reflectors without rate limits
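Sean's fourth ingredient, open reflectors without rate limits, is what response rate limiting on an authoritative name server is meant to remove. The following Python model is an added example, not code from the thread or from any DNS server implementation; the bucket key, the parameter values and the sample traffic are assumptions chosen to show why a reflector with a per-client budget amplifies far less.

```python
"""Model of DNS response rate limiting (RRL) on a reflector (added example).
Without RRL every spoofed query becomes a full-size reply toward the victim.
With a per-(client /24, qname, rcode) token bucket only the first few replies
per second go out; every `slip`-th suppressed reply is a small truncated (TC=1)
answer so a genuine client can retry over TCP. Names and sizes are assumptions."""
from collections import defaultdict
import ipaddress


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rate = responses_per_second  # replies allowed per bucket per second
        self.slip = slip                  # every Nth suppressed reply is truncated, not dropped
        self.prefix_len = prefix_len      # group clients by /24: spoofers vary the low bits
        self.buckets = {}                 # key -> [last_seen, tokens]
        self.suppressed = defaultdict(int)

    def _key(self, client_ip, qname, rcode):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower(), rcode)

    def decide(self, now, client_ip, qname, rcode="NOERROR"):
        """Return 'ANSWER', 'TRUNCATE' or 'DROP' for one query seen at time `now`."""
        key = self._key(client_ip, qname, rcode)
        last, tokens = self.buckets.get(key, (now, float(self.rate)))
        tokens = min(self.rate, tokens + (now - last) * self.rate)  # refill since last query
        if tokens >= 1:
            self.buckets[key] = [now, tokens - 1]
            return "ANSWER"
        self.buckets[key] = [now, tokens]
        self.suppressed[key] += 1
        return "TRUNCATE" if self.suppressed[key] % self.slip == 0 else "DROP"


def simulate(queries, limiter=None):
    """queries: (time, client_ip, qname, req_bytes, resp_bytes). Returns per-client bytes
    sent with and without RRL; a truncated reply is modelled as query-sized."""
    limiter = limiter or ResponseRateLimiter()
    out = defaultdict(lambda: {"req": 0, "unlimited": 0, "limited": 0, "decisions": []})
    for t, client, qname, req_bytes, resp_bytes in queries:
        d = limiter.decide(t, client, qname)
        rec = out[client]
        rec["req"] += req_bytes
        rec["unlimited"] += resp_bytes
        rec["limited"] += {"ANSWER": resp_bytes, "TRUNCATE": req_bytes, "DROP": 0}[d]
        rec["decisions"].append(d)
    return dict(out)


# Constructed traffic: one burst of 20 spoofed queries claiming to be from the victim
# (60-byte query, 3000-byte answer), plus two queries from a real client elsewhere.
FLOOD = [(0.0, "203.0.113.10", "example.com", 60, 3000) for _ in range(20)]
LEGIT = [(0.5, "198.51.100.5", "example.com", 60, 3000), (3.0, "198.51.100.5", "example.com", 60, 3000)]

if __name__ == "__main__":
    for client, r in simulate(FLOOD + LEGIT).items():
        print(client, "amplification without RRL:", r["unlimited"] / r["req"],
              "with RRL:", r["limited"] / r["req"], "answers:", r["decisions"].count("ANSWER"))
```

With these numbers the victim's amplification falls from 50x to under 13x while the real client's two queries are both answered.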

