[dns-operations] DNS deluge for x.p.ctrc.cc

Paul Vixie paul at vix.com
Mon Feb 27 00:38:56 UTC 2006


(if a postfix+mailman expert will help me get the mail.oarc.isc.org out of
this mail header in favour of lists.oarci.net, plz contact me directly.)

# #if a TLD or root name server operator decided to ignore all packets that
# #came from (known_openly_recursive&&recently_abused)
# 
# I'm not sure that's the right set of servers. Verified-as-open-and-abusable
# might be necessary, whether the bad guys have gotten around to actually
# using a particular abusable server or not (given that it is trivial for a
# prospective abuser to empirically scan for and verify that given name
# servers are exploitable).

my experience at MAPS taught me a lot about getting sued, and the lesson as
it applies to this point is: no scanning, no potential.  let the bad guys
find all 580K or 1M or whatever number of open recursive nameservers there
are, and rotate through them.  as they are abused, they can become shunnable.
not before.  not on my watch, anyway.

# Let's call it three in four name servers on average.

<wince>

you'd better not be right about THAT.


