nanog mailing list archives
Re: Great Suggestion for the DNS problem...?
From: Matt F <matt () credibleinstitution org>
Date: Mon, 28 Jul 2008 22:44:10 -0400
What would the IP-blocking BGP feed accomplish? Spoofed source addresses are a staple of the DNS cache poisoning attack. Worst-case scenario, you've opened yourself up to a new avenue of attack where your nameservers are receiving spoofed packets intended to trigger a blackhole filter, blocking communication between your network and the legitimate owner of the forged IP address.
Michael Smith wrote:
Hello All:

From: Paul Vixie <vixie () isc org>
Date: Tue, 29 Jul 2008 01:24:43 +0000
To: Nanog <nanog () merit edu>
Subject: Re: Great Suggestion for the DNS problem...?

jra () baylink com ("Jay R. Ashworth") writes:

[ unthreaded to encourage discussion ]

On Sat, Jul 26, 2008 at 04:55:23PM -0500, James Hess wrote:

Nameservers could incorporate poison detection... Listen on 200 random fake ports (in addition to the true query ports); if a response ever arrives at a fake port, then it must be an attack: read the "identified" attack packet, log the attack event, and mark the RRs mentioned in the packet as "poison being attempted" for 6 hours; for such domains always request and collect _two_ good responses (instead of one), with a 60-second timeout, before caching a lookup. The attacker must now guess nearly 64 bits in a short amount of time to be successful. Once a good lookup is received, discard the normal TTL and hold the good answer cached and immutable for 6 hours (_then_ start decreasing the TTL normally).

Is there any reason which I'm too far down the food chain to see why that's not a fantastic idea? Or at least, something inspired by it?

at first glance, this is brilliant, though with some unimportant nits. however, since it is off-topic for nanog, i'm going to forward it to the namedroppers () ops ietf org mailing list and make detailed comments there.

--

Still off topic, but perhaps a BGP feed from Cymru or similar to block IP addresses on the list?

Regards,
Mike
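The detection scheme quoted above (decoy ports that never carry real queries, a quarantine for any name seen in an unsolicited response, two agreeing answers before a quarantined name is cached, then an immutable hold) can be made concrete as a small resolver-state simulation. The following is an added example written for this page; it is not code from the thread, from ISC, or from any real resolver. All ports, names, transaction ids and answers are constructed sample values, and the quarantine length and confirmation window are parameters standing in for the 6 hour and 60 second figures in the proposal. In line with the reply above, a detected attempt is logged by the name it targets rather than by source address, since the source of poisoning traffic is spoofed.

```python
"""Simulation of the decoy-port poison-detection scheme from the thread.

Added example, not code from the thread or from any real resolver. Ports,
names, transaction ids and answers are constructed sample values; quarantine
and confirm_window are parameters standing in for the quoted 6 h / 60 s.
"""
from dataclasses import dataclass
from typing import Optional
import random


@dataclass
class Response:
    dst_port: int      # UDP port the response arrived on
    txid: int          # 16-bit transaction id carried in the response
    qname: str
    answer: str        # one RDATA string stands in for the answer RRset
    ttl: int


@dataclass
class Query:
    txid: int
    qname: str
    sent_at: float
    answer: Optional[str] = None   # filled in when a matching response arrives


class Resolver:
    def __init__(self, decoy_ports=200, quarantine=6 * 3600, confirm_window=60, seed=1):
        self.rng = random.Random(seed)
        self.quarantine = quarantine
        self.confirm_window = confirm_window
        # Decoy ports never carry real queries, so any response reaching one is unsolicited.
        self.decoys = set(self.rng.sample(range(1024, 65536), decoy_ports))
        self.pending = {}   # port -> Query, real queries in flight
        self.cache = {}     # qname -> {"answer", "expires", "immutable_until"}
        self.suspect = {}   # qname -> time the quarantine ends
        self.events = []    # (kind, qname, time): what the operator's log would show

    def _open_port(self):
        while True:
            port = self.rng.randrange(1024, 65536)
            if port not in self.decoys and port not in self.pending:
                return port

    def is_suspect(self, qname, now):
        return self.suspect.get(qname, 0.0) > now

    def lookup(self, qname, now):
        """Return the cached answer, or None after sending one query (two if quarantined)."""
        entry = self.cache.get(qname)
        if entry and entry["expires"] > now:
            return entry["answer"]
        for _ in range(2 if self.is_suspect(qname, now) else 1):
            self.pending[self._open_port()] = Query(self.rng.randrange(65536), qname, now)
        return None

    def receive(self, resp, now):
        if resp.dst_port in self.decoys:
            # Unsolicited by construction. Only the name is logged: the source address
            # of poisoning traffic is spoofed, so it is not something to block on.
            self.events.append(("poison_attempt", resp.qname, now))
            self.suspect[resp.qname] = now + self.quarantine
            return "attack"
        q = self.pending.get(resp.dst_port)
        if q is None or q.txid != resp.txid or q.qname != resp.qname:
            return "dropped"            # wrong port, txid or name: ordinary spoof filtering
        q.answer = resp.answer
        if not self.is_suspect(resp.qname, now):
            del self.pending[resp.dst_port]
            self.cache[resp.qname] = {"answer": resp.answer, "expires": now + resp.ttl,
                                      "immutable_until": now}
            return "cached"
        # Quarantined name: every in-flight query for it must be answered identically.
        mates = [(p, x) for p, x in self.pending.items() if x.qname == resp.qname]
        if any(now - x.sent_at > self.confirm_window for _, x in mates):
            for p, _ in mates:
                del self.pending[p]
            return "timeout"
        if len(mates) < 2 or any(x.answer is None for _, x in mates):
            return "awaiting_confirmation"
        for p, _ in mates:
            del self.pending[p]
        if len({x.answer for _, x in mates}) != 1:
            self.events.append(("disagreement", resp.qname, now))
            return "rejected"
        # Two agreeing answers: cache, hold immutable for the quarantine, then let the TTL run.
        self.cache[resp.qname] = {"answer": resp.answer,
                                  "expires": now + self.quarantine + resp.ttl,
                                  "immutable_until": now + self.quarantine}
        return "cached_confirmed"
```

The immutable hold falls out of the cache bookkeeping: while a confirmed entry's expiry lies in the future, `lookup` sends no new queries for that name, so there is no pending port or transaction id for a late forged response to match and `receive` drops it. Operators watching `events` see the attempted names and any disagreement between the two confirmation answers, which is the signal the proposal is after.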