[dns-operations] "US takes interest in DDoS attacks"
paul at vix.com
Tue Apr 4 04:13:01 UTC 2006
rodney and i were quoted in the news regarding BCP38 today:

But ISC president Vixie insists that this will not solve the fundamental
issues. "It's not really going to make any difference," he said. Open DNS
recursion isn't the problem, he said, IP address spoofing is the problem.
"If I was in the business of attacking people, you could take away all the
open recursive servers on the internet and I would still be able to make this
attack sing," said Vixie. "Even if everyone took our new defaults
tomorrow... it would still be trivially easy to launch attacks of a very

Indeed, IP address spoofing is a problem not restricted to DNS amplification
attacks. The watershed Mafiaboy attacks against CNN and eBay in February 2000
used a DDoS technique known as SYN-flooding, which also uses IP spoofing.

The solution, Vixie said, is for source IP validation to be implemented by
ISPs. The best mitigation is for broadband providers to "insist that the
packets their customers send them are coming from the address they're given, and
not any damn IP address they like," he said.

"It's not rocket science," he said. Source validation is featured on
networking hardware from all the major vendors, such as Cisco and Juniper,
Vixie said, but it is generally not turned on, despite years-old best
practices documents saying it should be.
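The source-address check the article is talking about, as an added example that is not from the post or the news article: a BCP38-style ingress filter in Python, assuming a hypothetical access router with two customer interfaces and constructed RFC 5737 documentation addresses. It performs the same test strict-mode uRPF does on a real router: a packet arriving on a customer port is forwarded only if its source belongs to a prefix assigned to that port, so a spoofed DNS query aimed at an open resolver is dropped at the ISP edge before it can be amplified.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed example: customer-facing interfaces of a hypothetical access
# router and the prefixes assigned to each customer (RFC 5737 ranges).
CUSTOMER_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/26")],
}


def source_valid(ingress_if: str, src: str) -> bool:
    """BCP38 ingress check: accept the packet only if its source address
    falls inside a prefix assigned to the interface it arrived on.
    Unknown interfaces have no assignment, so everything from them fails."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(ingress_if, []))


def filter_packets(packets: List[dict]) -> Tuple[List[dict], List[dict]]:
    """Apply the check to a batch of packets; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        target = forwarded if source_valid(pkt["in_if"], pkt["src"]) else dropped
        target.append(pkt)
    return forwarded, dropped


# Constructed traffic: DNS queries toward an (assumed) open resolver at
# 203.0.113.53. Two carry a forged source outside the sender's assignment;
# without the edge filter the resolver's large answers would land on
# 203.0.113.9 and 198.51.100.200 instead of on the real senders.
SAMPLE = [
    {"in_if": "ge-0/0/1", "src": "192.0.2.10", "dst": "203.0.113.53", "proto": "udp/53"},
    {"in_if": "ge-0/0/1", "src": "203.0.113.9", "dst": "203.0.113.53", "proto": "udp/53"},     # spoofed
    {"in_if": "ge-0/0/2", "src": "198.51.100.7", "dst": "203.0.113.53", "proto": "udp/53"},
    {"in_if": "ge-0/0/2", "src": "198.51.100.200", "dst": "203.0.113.53", "proto": "udp/53"},  # outside the /26
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for pkt in bad:
        print(f"drop  {pkt['in_if']} src={pkt['src']} (not in assigned prefix)")
    for pkt in ok:
        print(f"pass  {pkt['in_if']} src={pkt['src']}")
```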