nanog mailing list archives
Re: DNS DoS ???
From: Mark Andrews <marka () isc org>
Date: Mon, 01 Aug 2011 12:22:01 +1000
In message <AE105312-3108-4B0B-8445-7116B84EC428 () arbor net>, "Dobbins, Roland" writes:
> On Aug 1, 2011, at 7:42 AM, Mark Andrews wrote:
>
>> Named already takes proper precautions by default. Recursive service is limited to directly connected networks by default. The default was first changed in 9.4 (2007) which is about to go end-of-life once the final wrap up release is done.
>
> This alone isn't enough. There are quite a few other things folks must do from an architectural and operational standpoint which aren't found in named.conf.
>
>> The real problem is that many ISP's don't do effective ingress/egress filtering.
>
> Well, no. The real problem is a protocol set/implementation which lends itself so readily to spoofing in the first place, followed (as you say) by ISP/endpoint network inattention to anti-spoofing, followed by protocols which make use of the eminently-spoofable UDP for a critical service.
And even if DNS/TCP were used by default, machines can still get DoS'd because IP is spoofable. This one looks like a direct attack on the machine, as there are multiple source addresses rather than a reflector attack, unless they are attempting to attack thousands of sites simultaneously.
>> This prevents compromised machines impersonating other machines.
>
> Concur, but see above - spoofing is the symptom, not the disease.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
>
> The basis of optimism is sheer terror.
>
> -- Oscar Wilde

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
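The default Mark describes, written out as an added named.conf example (not from the thread and not ISC's own configuration): the first options block is the open-resolver setting, the second restricts recursion to directly connected networks, which is what 9.4 and later do when allow-recursion is left unset. The 192.0.2.0/24 prefix is a placeholder for an operator's own customer network.

```conf
// Added example, not from the thread.  Two alternative named.conf files
// are shown; a real file has only one options block.

// --- File A: open resolver (the weak setting) ---
// Anyone on the Internet may send recursive queries, so spoofed UDP
// queries from anywhere make this host a reflector for someone else's
// traffic, and the cache is exposed to arbitrary clients.
options {
    recursion yes;
    allow-recursion   { any; };
    allow-query-cache { any; };
};

// --- File B: recursion limited to directly connected networks ---
// "localhost" and "localnets" are BIND built-in ACLs; leaving
// allow-recursion unset in 9.4+ gives the same "localnets; localhost;"
// result.  192.0.2.0/24 is a placeholder customer prefix (assumption).
acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;
};

options {
    recursion yes;
    allow-recursion   { trusted; };
    // Keep the cache ACL in step with recursion so off-net clients
    // cannot read cached answers either.
    allow-query-cache { trusted; };
};
```

This only limits who the server will recurse for; as the thread notes, a direct flood of queries from many spoofed sources still reaches the host, which is why ingress/egress filtering at the network edge matters as well.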