nanog mailing list archives

Re: Can we not just fix it? WAS:Re: Open Resolver Problems


From: David Conrad <drc () virtualized org>
Date: Wed, 27 Mar 2013 22:27:58 -1000

On Mar 27, 2013, at 10:11 PM, Michael DeMan <nanog () deman com> wrote:
> As I think we all know, the deficiency is the design of the DNS system overall.

One of the largest DDoS attacks I've witnessed was SNMP-based, walking entire OID sub-trees (with spoofed source 
addresses) across thousands of CPEs that defaulted to allowing SNMP queries over the WAN interface. "Oops". Topped out 
around 70 Gbps if I remember correctly. No DNS involved. 

> The fundamental cause and source of failure for these kinds of attacks comes from the way the DNS (and let's not
> even get into 'valid' SSL certs) is designed.

Not really.  You're at least one layer too high.  (not even going to question what "'valid' SSL certs" have to do with 
the DNS)

> It is fundamentally flawed.  I am sure there were plenty of political reasons for it to have ended up this way
> instead of being done in a more robust fashion?

I suspect if you look at the number of queries per second the best TCP stacks could handle circa mid-1980s and compare 
that number to an average UDP stack, you might see an actual reason instead of conspiracy theories.

> For all the gripes and complaints - all I see is complaints of the symptoms and nobody calling out the original cause
> of the disease?

You mean connectionless datagram transmission without validation of packet source?

Regards,
-drc
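The SNMP reflection drc describes and the open-resolver problem in the subject line leave the same fingerprint in flow data: small UDP "requests" that appear to come from the victim (the spoofed source), and a fan-in of large answers from many reflectors back to that one address. The script below, an added example and not code from this thread or from NANOG, flags that pattern in reflector-side flow records. The CSV layout, the sample records, the RFC 5737 addresses and the two thresholds are constructed assumptions; when the sampled flows contain no matching request, the amplification ratio is reported as unknown rather than guessed.

```python
"""Flag UDP reflection/amplification traffic in flow records (added example)."""
import csv
import io
from collections import defaultdict

# Services named in the thread: open DNS resolvers and SNMP on CPE WAN ports.
REFLECTOR_SERVICES = {53: "DNS", 161: "SNMP"}

# Tuning knobs; assumed values, not from the thread.
MIN_REFLECTORS = 3       # distinct reflector IPs answering the same target
MIN_AVG_RESPONSE = 400   # bytes/packet: GetBulk walks and large DNS answers

# Constructed records as seen at a reflector-side network.  The "requests"
# carry the victim's address as spoofed source, so the answers go to the victim.
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,packets,bytes
203.0.113.10,40000,198.51.100.1,161,UDP,20,1600
198.51.100.1,161,203.0.113.10,40000,UDP,20,28000
203.0.113.10,40000,198.51.100.2,161,UDP,20,1600
198.51.100.2,161,203.0.113.10,40000,UDP,20,29000
203.0.113.10,40000,198.51.100.3,161,UDP,20,1600
198.51.100.3,161,203.0.113.10,40000,UDP,20,27500
203.0.113.10,53000,192.0.2.53,53,UDP,10,700
192.0.2.53,53,203.0.113.10,53000,UDP,10,30000
203.0.113.10,53000,192.0.2.77,53,UDP,10,700
192.0.2.77,53,203.0.113.10,53000,UDP,10,31000
203.0.113.10,53000,192.0.2.88,53,UDP,10,700
192.0.2.88,53,203.0.113.10,53000,UDP,10,32000
192.0.2.200,51515,192.0.2.53,53,UDP,3,180
192.0.2.53,53,192.0.2.200,51515,UDP,3,360
198.51.100.9,22,203.0.113.10,41000,TCP,50,6000
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with integer ports and counters."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({**r, "sport": int(r["sport"]), "dport": int(r["dport"]),
                     "packets": int(r["packets"]), "bytes": int(r["bytes"])})
    return rows


def find_reflection(flows, min_reflectors=MIN_REFLECTORS,
                    min_avg_response=MIN_AVG_RESPONSE):
    """Group UDP answers from amplifier ports by target and flag large fan-in.

    Returns {(target_ip, service): summary} for every flagged target.  The
    amplification ratio is response bytes over the bytes of requests that
    claimed the target as source; None if no such request flow was seen.
    """
    responses = defaultdict(list)   # (target, service) -> answer flows
    request_bytes = defaultdict(int)  # (claimed source, service) -> bytes
    for f in flows:
        if f["proto"] != "UDP":
            continue  # a TCP reflector cannot complete the handshake to a spoofed source
        if f["sport"] in REFLECTOR_SERVICES:
            responses[(f["dst"], REFLECTOR_SERVICES[f["sport"]])].append(f)
        elif f["dport"] in REFLECTOR_SERVICES:
            request_bytes[(f["src"], REFLECTOR_SERVICES[f["dport"]])] += f["bytes"]

    findings = {}
    for key, answers in responses.items():
        reflectors = {f["src"] for f in answers}
        packets = sum(f["packets"] for f in answers)
        total = sum(f["bytes"] for f in answers)
        avg = total / packets
        if len(reflectors) >= min_reflectors and avg >= min_avg_response:
            req = request_bytes.get(key, 0)
            findings[key] = {
                "reflectors": sorted(reflectors),
                "response_bytes": total,
                "avg_response_size": round(avg),
                "amplification": round(total / req, 1) if req else None,
            }
    return findings


if __name__ == "__main__":
    for (target, service), info in find_reflection(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{service} reflection toward {target}: {len(info['reflectors'])} reflectors, "
              f"{info['response_bytes']} bytes, avg {info['avg_response_size']} B/pkt, "
              f"amplification x{info['amplification']}")
```

The TCP flow is skipped on purpose: a spoofed SYN gets at most a SYN-ACK back, and no data, which is the point drc makes about connectionless transport without source validation. In a real deployment the thresholds would be set from a baseline of the network's normal DNS and SNMP answer sizes, and the grouping key would usually include a time window.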
