nanog mailing list archives

Re: [c-nsp] DNS amplification


From: Arturo Servin <arturo.servin () gmail com>
Date: Sun, 17 Mar 2013 12:33:01 -0300


Yes, BCP38 is the solution.

Now, how widely is it deployed?

Someone said in the IEPG session during IETF86 that 80% of the
service providers had done it?

This raises two questions for me. One, is it really 80%, and how do we measure it?

Second, if it were 80%, how come the 20% make so much trouble, and how
do we encourage them to deploy BCP38?

(well, actually 4 questions :)

Regards,
as

On 3/16/13 7:24 PM, Jon Lewis wrote:
> On Sat, 16 Mar 2013, Robert Joosten wrote:
>
> Hi,
>
> Can anyone provide insight into how to defeat DNS amplification
> attacks?
> Restrict resolvers to your customer networks.
>
> And deploy RPF
>
> uRPF / BCP38 is really the only solution.  Even if we did close all the
> open recursion DNS servers (which is a good idea), the attackers would
> just shift to another protocol/service that provides amplification of
> traffic and can be aimed via spoofed source address packets.  Going
> after DNS is playing whack-a-mole.  DNS is the hip one right now.  It's
> not the only one available.
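Added example, not part of the thread or of any poster's message: a small model of the two controls Jon names, BCP38 ingress filtering at the customer edge and uRPF (strict and loose) on a router, run over constructed packet records. The routing table, interface names, customer prefix assignments and packets are invented for illustration (RFC 5737 documentation ranges); the point it shows is why loose uRPF alone does not stop a customer spoofing a neighbour's address, while BCP38 or strict uRPF does.

```python
"""
Added example (not from the thread): BCP38 / uRPF source-address checks
applied to constructed packet records. All prefixes, interfaces and
packets below are invented for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed routing table (RIB): prefix -> interface it is reached through.
RIB: Dict[str, str] = {
    "203.0.113.0/24": "Gi0/1",   # customer A's assigned block
    "198.51.100.0/24": "Gi0/2",  # customer B's assigned block
    "0.0.0.0/0": "Gi0/0",        # default route towards the upstream
}

# Constructed BCP38 policy: per customer-facing interface, the source
# prefixes that customer is allowed to originate.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "Gi0/1": ["203.0.113.0/24"],
    "Gi0/2": ["198.51.100.0/24"],
}


def longest_match(src: str, rib: Dict[str, str] = RIB) -> Optional[Tuple[object, str]]:
    """Return (prefix, interface) of the most specific route covering src, or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def bcp38_permits(src: str, ingress_iface: str) -> bool:
    """BCP38 ingress filter: a customer may only source addresses assigned
    to it. Interfaces without a customer policy (e.g. the upstream link)
    are not customer edges, so nothing is dropped there by this check."""
    allowed = CUSTOMER_PREFIXES.get(ingress_iface)
    if allowed is None:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in allowed)


def urpf_strict_permits(src: str, ingress_iface: str, allow_default: bool = False) -> bool:
    """Strict uRPF: the best route back to src must point at the ingress
    interface. The default route is ignored unless allow_default is set."""
    match = longest_match(src)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress_iface


def urpf_loose_permits(src: str, allow_default: bool = False) -> bool:
    """Loose uRPF: any (non-default) route to src suffices. This catches
    unrouted bogons but not a customer spoofing another routed prefix."""
    match = longest_match(src)
    if match is None:
        return False
    return allow_default or match[0].prefixlen != 0


# Constructed packets arriving from customer A: (source address, ingress interface).
PACKETS: List[Tuple[str, str]] = [
    ("203.0.113.7", "Gi0/1"),    # legitimate: A sourcing its own block
    ("198.51.100.9", "Gi0/1"),   # spoofed: A sourcing customer B's block
    ("192.0.2.5", "Gi0/1"),      # spoofed: unrouted address (amplification victim)
]


def evaluate(packets: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Run each packet through the three checks and report the verdicts."""
    rows = []
    for src, iface in packets:
        rows.append({
            "src": src,
            "iface": iface,
            "bcp38": bcp38_permits(src, iface),
            "strict": urpf_strict_permits(src, iface),
            "loose": urpf_loose_permits(src),
        })
    return rows


if __name__ == "__main__":
    for row in evaluate(PACKETS):
        print(row)
```

Running it shows the second packet passing loose uRPF while failing both BCP38 and strict uRPF: a route to 198.51.100.9 exists, just not via the interface the packet came in on. That is the case that matters for amplification attacks aimed at another provider's customers, and it is why the thread's "restrict resolvers" advice is only a partial fix without source-address validation at the edge.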

