[dns-operations] DNS deluge for x.p.ctrc.cc

Joe Greco jgreco at ns.sol.net
Mon Feb 27 15:33:01 UTC 2006


> Folks,
> 
> I think most of you are too into DNS to see the real problem and the only
> workable solution I can think of. The problem isn't DNS exploitation, it's
> tcp/ip exploitation, ie spoofed traffic.
> 
> The solution is ingress/egress filters and finding a good way to test
> netblocks to see if they are filtering for spoofed traffic originating on
> their netblock. If you can't spoof with an outside IP, the damange you can
> do is limited to the netblock you are on or at the least makes it easy to
> track back to your netblock.

Hello,

That's correct, at least in my opinion.  This should be clear from the
last few messages I've posted.

Unfortunately, specialized groups of people tend to wear colored glasses,
so the answer that the membership of dns-operations comes up with will
tend to be slanted towards a DNS-centric solution.  This is in no way a
criticism of the folks on this list, it is merely an observation of group
dynamics in general.  A mechanic's solution to bad roads is better shocks,
but the real solution is better roads.  This does not make the mechanic
bad or evil or even Wrong, it just means that the mechanic can't fix the
road, so he focuses on what he *can* do.

There has been some discussion of shunning of open recursive nameservers,
but the end result of this is brokenness in a fundamental core Internet
service, and that's just way bad.

Are you going to shun major open recursive nameservers like the legacy
BBN/GTE ones, which *lots* of people use?  If not, why not?  They're a
huge potential traffic source...  If a company like Rodney's were to
begin shunning such open recursers, then won't their customers start to
go to service providers who actually provide the service they're paying
for?

Collateral damage in the form of shunning open recursers sounds like a
nice idea, but it isn't really making any significant progress towards
being able to deal with the core issue of DDoS, and it breaks a whole
bunch of other useful things at the same time.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
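The ingress filtering the quoted poster proposes, shown as an added example (not code from the list or its posters): a BCP38-style check at a provider's customer edge that drops packets whose source address lies outside the netblock assigned to that interface, evaluated over constructed flow records. The interface names, prefixes, addresses and flows are all assumptions made for the example.

```python
"""Added example: BCP38-style ingress filter applied to constructed flow records
at a provider's customer-facing edge. Packets whose source is outside the
customer's assigned netblock are dropped before they can reach an open
recursive nameserver. All prefixes, addresses and flows are constructed."""
import ipaddress

# Hypothetical mapping of edge interface -> prefixes assigned to that customer.
CUSTOMER_PREFIXES = {
    "cust-eth0": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-eth1": [ipaddress.ip_network("198.51.100.0/25")],
}


def source_allowed(iface, src):
    """True if src falls inside a prefix assigned to iface (the BCP38 check)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(iface, []))


def apply_ingress_filter(flows):
    """Split flow records into (forwarded, dropped) at the customer edge.

    Each flow is (iface, src, dst, dport, packets)."""
    forwarded, dropped = [], []
    for flow in flows:
        iface, src = flow[0], flow[1]
        (forwarded if source_allowed(iface, src) else dropped).append(flow)
    return forwarded, dropped


# Constructed sample flows: two legitimate DNS queries, and two whose source
# address belongs to a third-party prefix (203.0.113.0/24), i.e. spoofed.
SAMPLE_FLOWS = [
    ("cust-eth0", "192.0.2.10", "192.0.2.53", 53, 3),
    ("cust-eth0", "203.0.113.7", "192.0.2.53", 53, 5000),
    ("cust-eth1", "198.51.100.20", "192.0.2.53", 53, 2),
    ("cust-eth1", "203.0.113.9", "192.0.2.53", 53, 4200),
]


def spoofed_packets_blocked(flows=SAMPLE_FLOWS):
    """Packet count the filter keeps off the network, for an operator report."""
    _, dropped = apply_ingress_filter(flows)
    return sum(f[4] for f in dropped)


if __name__ == "__main__":
    fwd, drp = apply_ingress_filter(SAMPLE_FLOWS)
    print(f"forwarded {len(fwd)} flows, dropped {len(drp)} spoofed flows "
          f"({spoofed_packets_blocked()} packets)")
```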