[dns-operations] DNS deluge for x.p.ctrc.cc
Joe Greco
jgreco at ns.sol.net
Mon Feb 27 12:49:28 UTC 2006
> # If that's the case, wouldn't it be a better idea to find a way to deal
> # with operators who didn't implement BCP38? I mean, really... this is
> # 2006. Even if you can't do it on that upstream OC192 because your
> # hardware won't hack it, surely you can do it at the customer border...
> # which would cut off a huge portion of the infected PCs out there.
>
> it's not about capex, it's about opex. the act of turning on BCP38-like
> features, training staff in how to manage and operate this feature set,
> finding out what customers are doing 3TCP or satellite-asymmetry and who
> therefore actually need to "spoof" the source addresses but who can likely
> be trusted to do so, is considered completely unrealistic by large ISPs.
So, instead of trying to repair a few thousand relatively easily
identifiable networks, it's going to be easier to try to repair a
million (??? wild guess) open recursers running on everything from
major networks (4.2.2.1-4.2.2.6, etc), down to some guy's Mac OS X
laptop, down to the broken proxy on a cable modem which mistakenly
accepts requests on the outside interface?
> in 2002 i wrote <http://www.icann.org/committees/security/sac004.txt> and
> in 2003 <http://www.cctec.com/maillists/nanog/historical/0306/msg00498.html>
> and i forget how many other times and places i've bleated about BCP38 and
> the implied "an armed society is a polite society" routing paradigm in use
> on the internet and how dangerous it all is. further suggestions welcomed!
I know you've been fighting the good fight.
I guess the only suggestion I have is this: I realize that some large
ISPs like to think it is completely unrealistic to filter their
customers. I had previously been under the impression that this was
typically Cogent-like providers of backbone connectivity, no real
funding to do a lot of busywork, but I've been told that in some places
that even cable and DSL providers like to use this excuse, and I'm
guessing that the vast majority of infected end-user nodes show up on
them (I'm sure Gadi or someone will have something to say about that).
That seems fairly ridiculous to me; the number of consumer-grade ISP
customers who legitimately have a need to pipe in such traffic is
vanishingly small, and of those, even they could be filtered so that
the authorized additional address space was allowed.
This gets back to my old gripe about "the Windows generation"... the
fact that your program compiles and runs and outputs some data does
not make it correct. Is it robust? Does it handle errors? etc. It
seems that we now have a generation of networks built in the same
manner... people keep hooking up wires and typing configs until it
(just barely) works, and then "oh look it's all done, I can connect" ...
What's a good incentive for cable and DSL providers to go BCP38?
Start small... shoot for the larger networks later... best I can
think of.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
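A small model of the customer-border filter argued for in the message above, added here as an example (not code from the post or its author): per-port source-address allow lists in the BCP38 style, where the rare customer with a legitimate asymmetric path has its extra authorized space listed explicitly instead of being exempted from filtering. The port names, prefixes and sample packets are constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed customer-port table (not from the post): each access port maps
# to the address space that customer is authorized to source. A consumer
# DSL/cable port gets only its assigned block; the rare customer with a
# legitimate asymmetric path has its extra space listed explicitly.
CUSTOMER_PREFIXES = {
    "dsl-port-17":  ["192.0.2.0/29"],
    "cable-port-4": ["198.51.100.64/26"],
    "sat-cust-2":   ["203.0.113.0/28", "198.51.100.0/26"],  # authorized extra space
}

def build_ingress_acl(table):
    """Parse the per-port allow lists into ip_network objects once."""
    return {port: [ip_network(p) for p in nets] for port, nets in table.items()}

def ingress_permit(acl, port, src):
    """True if a packet sourced from `src` may enter the network on `port`.
    A port with no entry passes nothing (default deny): a spoofed-source
    query is dropped at the first hop, before it reaches an open recursive
    server and gets reflected at the victim.
    """
    addr = ip_address(src)
    return any(addr in net for net in acl.get(port, []))

def filter_packets(acl, packets):
    """Apply the ACL to (port, src, dst) tuples -> (accepted, drops per port)."""
    accepted, drops = [], Counter()
    for port, src, dst in packets:
        if ingress_permit(acl, port, src):
            accepted.append((port, src, dst))
        else:
            drops[port] += 1  # per-port drop counts point at the infected host
    return accepted, drops

# Constructed sample traffic; 10.0.0.53 stands in for a recursive DNS server.
SAMPLE_PACKETS = [
    ("dsl-port-17",  "192.0.2.3",     "10.0.0.53"),  # legitimate
    ("dsl-port-17",  "203.0.113.77",  "10.0.0.53"),  # spoofed victim address
    ("cable-port-4", "198.51.100.70", "10.0.0.53"),  # legitimate
    ("cable-port-4", "192.0.2.3",     "10.0.0.53"),  # spoofed
    ("sat-cust-2",   "198.51.100.9",  "10.0.0.53"),  # permitted via extra space
    ("unknown-port", "192.0.2.1",     "10.0.0.53"),  # default deny
]

if __name__ == "__main__":
    ok, dropped = filter_packets(build_ingress_acl(CUSTOMER_PREFIXES), SAMPLE_PACKETS)
    print(f"accepted {len(ok)} packets, dropped per port: {dict(dropped)}")
```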