[dns-operations] "US takes interest in DDoS attacks"

Paul Vixie paul at vix.com
Tue Apr 4 04:13:01 UTC 2006

rodney and i were quoted in the news regarding BCP38 today:

  But ISC president Vixie insists that this will not solve the fundamental
  issues. "It's not really going to make any difference," he said. Open DNS
  recursion isn't the problem, he said, IP address spoofing is the problem.

  "If I was in the business of attacking people, you could take away all the
  open recursive servers on the internet and I would still be able to make this
  attack sing," said Vixie. "Even if everyone took our new defaults
  tomorrow... it would still be trivially easy to launch attacks of a very
  similar nature."

  Indeed, IP address spoofing is a problem not restricted to DNS amplification
  attacks. The watershed Mafiaboy attacks against CNN and eBay in February 2000
  used a DDoS technique known as SYN-flooding, which also uses IP spoofing.

  The solution, Vixie said, is for source IP validation to be implemented by
  ISPs. The best mitigation is for broadband providers to "insist that the
  packets their customers send them are coming from the address they're given,
  and not any damn IP address they like," he said.

  "It's not rocket science," he said. Source validation is featured on
  networking hardware from all the major vendors, such as Cisco and Juniper,
  Vixie said, but it is generally not turned on, despite years-old best
  practices documents saying it should be.

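The check the article is describing is BCP38 ingress filtering, which on Cisco and Juniper gear is usually deployed as unicast reverse-path forwarding (uRPF): on a customer-facing interface, a packet is forwarded only if the route back to its source address points out the interface the packet arrived on. The following is an added example that simulates that decision in Python; it is not code from Vixie, ISC, or any router vendor. The route table uses RFC 5737 documentation prefixes as stand-ins for customer assignments, the interface names (`cust-A`, `cust-B`, `upstream`) and the packets are constructed, and the longest-prefix lookup is a toy, not a real forwarding table.

```python
"""BCP38 / strict uRPF ingress filtering, simulated at an ISP customer edge.

Added illustration: route table, interface names and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # source IP address as written in the packet
    dst: str
    note: str = ""


# Constructed route table: prefix -> interface through which it is reached.
# Customer prefixes are RFC 5737 documentation ranges, not real allocations.
ROUTES = {
    "203.0.113.0/24": "cust-A",
    "198.51.100.0/24": "cust-B",
    "0.0.0.0/0": "upstream",  # default route toward the rest of the internet
}

# Interfaces on which the provider enforces BCP38 (customer-facing ports only).
PROTECTED_IFACES = {"cust-A", "cust-B"}

# Constructed traffic: one legitimate query, two spoofed packets, one transit.
SAMPLE_PACKETS = [
    Packet("cust-A", "203.0.113.10", "192.0.2.53", "customer A, own address"),
    Packet("cust-A", "192.0.2.7", "198.51.100.53", "customer A, spoofed source"),
    Packet("cust-B", "203.0.113.10", "192.0.2.53", "customer B using A's address"),
    Packet("upstream", "192.0.2.7", "203.0.113.10", "inbound from the internet"),
]


def lookup_route(routes, addr):
    """Longest-prefix match. Returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf_permits(routes, pkt):
    """Strict uRPF: permit only if the best route back to pkt.src exits via
    the interface the packet came in on. A spoofed source falls through to
    the default route (or another customer's prefix) and fails the check."""
    route = lookup_route(routes, pkt.src)
    if route is None:
        return False
    return route[1] == pkt.ingress_if


def filter_packets(routes, packets, protected_ifaces):
    """Apply the check on protected interfaces; return [(packet, verdict)]."""
    verdicts = []
    for pkt in packets:
        if pkt.ingress_if in protected_ifaces and not strict_urpf_permits(routes, pkt):
            verdicts.append((pkt, "drop"))
        else:
            verdicts.append((pkt, "forward"))
    return verdicts


def dropped_sources(routes, packets, protected_ifaces):
    """Source addresses that were spoofed according to the filter (for logging)."""
    return [p.src for p, v in filter_packets(routes, packets, protected_ifaces) if v == "drop"]


if __name__ == "__main__":
    for pkt, verdict in filter_packets(ROUTES, SAMPLE_PACKETS, PROTECTED_IFACES):
        print(f"{verdict:8} {pkt.ingress_if:9} {pkt.src:>15} -> {pkt.dst:<15} ({pkt.note})")
```

The check is applied only on customer-facing interfaces: the upstream port has no single "correct" return path, which is why the transit packet is forwarded untouched. Strict mode as shown here also breaks for multihomed customers whose return traffic legitimately takes another path; vendors offer a loose mode (source must merely be routable) for those ports, and the point of the article is that either variant, switched on at the edge, removes the spoofed source addresses that amplification and SYN-flood attacks depend on.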