[dns-operations] DNS deluge for x.p.ctrc.cc

Paul Vixie paul at vix.com
Mon Feb 27 14:41:41 UTC 2006


# ] the only hint of a solution i've seen in all this so far is automated
# ] shunning of known-open-recursive + known-recent-abused name servers...
# 
# A variant of that theme would be to report these name servers through one
# of several extant mechanisms.  This has shown promise already.

My experience has been that in about 6 cases out of 9, the ISP claims that
their nameserver or their customer's nameserver is not misconfigured and so
they will not pass on the notifications, and in 2 cases out of 9, the
customer whose nameserver it is claims that they require this configuration
for their home/roaming/whatever users and that furthermore "but we've ALWAYS
done it this way!"  I guess for the sake of that one server out of 9 who is
willing to listen to reason and does not require openness as a crutch for
their other misconfigurations, it's worth notifying them.  But let's be
realistic -- 8 times out of 9 we'll be told to go pound sand out of our ass.

An even more sisyphean task would be to send notices of BCP38 noncompliance.
The ISPs in that case most likely won't even dignify such complaints with a
reply.  All of the worst forms of internet misconfiguration I know of are
variants of "asymmetric cost:benefit", since the person paying the cost can
change nothing, and the person who has to make a change gets no benefit.  We
saw how this worked with spam sources and spam relays.  (But I digress.)

# I do agree that a feed of this information is useful, and could be used by
# folks both for alerting and for filtering.  I'd prefer to alert folks first
# in all cases, even during an attack.

That sounds implicitly modal, which sounds dangerous.  A feed of this kind
can't be turned on only during attacks, or the feed itself becomes a possible
DoS vector.  If there's going to be a feed of "open to recursion and recently
abused" nameservers, then the shunning of these servers is going to be more
or less constant.  Notification and 24 hours of grace time is a reasonable
thing to do if there's not an attack in progress, but otherwise it's got to
be simultaneous with discovery.

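The policy sketched in the two paragraphs above (a feed that is consumed
constantly rather than switched on during attacks; notify plus 24 hours of
grace when no attack is in progress; shun simultaneous with discovery when
one is) can be written down as a small state machine.  The following is an
added example, not code from the original post, from any real feed or from
any DNS operator.  The feed line format, the seven-day window used to define
"recently abused", the sample addresses and timestamps, and the BIND-style
`blackhole` rendering are all assumptions made for illustration.

```python
"""Continuous consumer for a feed of "open-recursive and recently abused"
nameservers, applying the notify / grace / shun policy from the thread.
Added example; the feed format and the 7-day window are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import Dict, List, Optional

GRACE = timedelta(hours=24)   # notice-then-shun grace when no attack is on
RECENT = timedelta(days=7)    # assumed window for "recently abused"


@dataclass(frozen=True)
class FeedEntry:
    server: str            # nameserver IP as it appears in the feed
    open_recursive: bool   # feed says it answers recursive queries for anyone
    last_abused: datetime  # last time the feed saw it used in an attack


@dataclass
class ShunState:
    notified_at: Optional[datetime] = None
    shunned: bool = False


def parse_feed(text: str) -> List[FeedEntry]:
    """Parse the hypothetical feed format:
       <ip> <open|closed> <ISO-8601 UTC timestamp of last observed abuse>"""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, flag, ts = line.split()
        entries.append(FeedEntry(
            server=str(ip_address(ip)),   # rejects garbage addresses
            open_recursive=(flag == "open"),
            last_abused=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
                                .replace(tzinfo=timezone.utc)))
    return entries


class Shunner:
    """Per-server state kept across feed runs.  Run on every feed update,
    attack or no attack: the feed is never 'switched on' for an incident."""

    def __init__(self) -> None:
        self.state: Dict[str, ShunState] = {}

    def process(self, entries: List[FeedEntry], now: datetime,
                attack_in_progress: bool) -> Dict[str, str]:
        """Return {server: action}; action is notify, grace, shun, keep or unshun."""
        actions: Dict[str, str] = {}
        for e in entries:
            qualifies = e.open_recursive and now - e.last_abused <= RECENT
            if not qualifies:
                st = self.state.pop(e.server, None)
                if st is not None and st.shunned:
                    actions[e.server] = "unshun"   # no longer meets the criteria
                continue
            st = self.state.setdefault(e.server, ShunState())
            if st.shunned:
                actions[e.server] = "keep"
            elif attack_in_progress:
                st.shunned = True                  # simultaneous with discovery
                actions[e.server] = "shun"
            elif st.notified_at is None:
                st.notified_at = now               # send the notice, start the clock
                actions[e.server] = "notify"
            elif now - st.notified_at >= GRACE:
                st.shunned = True                  # grace expired, still listed
                actions[e.server] = "shun"
            else:
                actions[e.server] = "grace"
        return actions

    def blackhole_acl(self) -> str:
        """Render the shunned set as a BIND `blackhole { ... };` option
        (one possible consumer; a packet filter would be another)."""
        shunned = sorted(s for s, st in self.state.items() if st.shunned)
        return "blackhole {\n" + "".join(f"    {s};\n" for s in shunned) + "};\n"


# Constructed sample feed (not real data); times are relative to the
# post's date, 2006-02-27.
SAMPLE_FEED = """\
# ip           recursion  last-abused
192.0.2.10     open       2006-02-26T10:00:00Z
192.0.2.20     open       2006-01-01T00:00:00Z
198.51.100.5   closed     2006-02-27T01:00:00Z
"""
T0 = datetime(2006, 2, 27, 14, 41, 41, tzinfo=timezone.utc)


def quiet_day_run() -> List[Dict[str, str]]:
    """No attack: notify first, hold during grace, shun once 24h have passed."""
    s = Shunner()
    entries = parse_feed(SAMPLE_FEED)
    return [s.process(entries, T0, False),
            s.process(entries, T0 + timedelta(hours=12), False),
            s.process(entries, T0 + timedelta(hours=25), False)]


def attack_run() -> Dict[str, str]:
    """Attack in progress: shun on discovery, no grace."""
    s = Shunner()
    return s.process(parse_feed(SAMPLE_FEED), T0, True)


if __name__ == "__main__":
    for step in quiet_day_run():
        print(step)
    print(attack_run())
```

Only 192.0.2.10 ever gets acted on: 192.0.2.20 was abused outside the
assumed window and 198.51.100.5 is not open to recursion, so neither is
notified or shunned, and a server that drops out of the feed criteria is
unshunned on the next run rather than staying blackholed forever.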