[dns-operations] DNS deluge for x.p.ctrc.cc
jgreco at ns.sol.net
Mon Feb 27 15:43:42 UTC 2006
> # > it's not about capex, it's about opex. the act of turning on BCP38-like
> # > features, training staff in how to manage and operate this feature set,
> # > finding out what customers are doing 3TCP or satellite-asymmetry and who
> # > therefore actually need to "spoof" the source addresses but who can likely
> # > be trusted to do so, is considered completely unrealistic by large ISP's.
> # So, instead of trying to repair a few thousand relatively-easily-
> # identifiable networks, it's going to be easier to try to repair a
> # million(??? wild guess) open recursers running on everything from major
> # networks (184.108.40.206-220.127.116.11, etc), down to some guy's Mac OS X laptop, down to
> # the broken proxy on a cable modem which mistakenly accepts requests on the
> # outside interface?
> that assumes a symmetric cost:benefit, which isn't present here, and assumes
> that they will in fact exert any energy to fix the laptop in question, which
> they will not.
> # What's a good incentive for cable and DSL providers to go BCP38?
> what they've told me when i complain, if they bother to reply to me at all,
> is that until their competitors are forced to endure the same asymmetric
> costs for the same asymmetric benefit, they will do nothing. in other words
> they are clamouring for regulation.
> shunning their networks or refusing to peer with them isn't an option, since
> the worst of them are the largest.
It's an ugly problem, but as I've said earlier, inflicting damage on DNS
to "fix" (for convenient definitions of "fix") one tiny sliver of a huge
overall problem does not strike me as a good way to spend our energies.
And let's not kid ourselves, the amount of energy needed to close off all
those recursers is *huge,* unless we get ISP's to start filtering 53 like
many do to 25...
At which point it'd be easier just to get them to do BCP38.
How about shunning open recursers at providers who don't do BCP38? There's
a certain fairness to that. 1/2 :-)
I mean, damn, how hard *is* it to turn on filtering on products which
usually implement it as a simple option?
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
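An added example, not from the thread or its participants: the per-port source-address decision that an access router's BCP38 option implements, plus a dry-run mode to surface the customers who legitimately source other prefixes (the asymmetric-routing case above) before enforcement is switched on. Port names, prefixes and traffic below are constructed.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class CustomerPort:
    # Edge port facing one customer: the prefixes we route to it, plus any
    # prefixes it is trusted to source anyway (the satellite/asymmetric case
    # the thread mentions). Names and prefixes are constructed examples.
    name: str
    assigned: list
    trusted_extra: list = field(default_factory=list)

    def permitted_sources(self):
        return [ipaddress.ip_network(p) for p in self.assigned + self.trusted_extra]

def bcp38_accept(port, src):
    # Ingress decision: accept only if the source lies inside a prefix that
    # this port is assigned or explicitly trusted to originate.
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in port.permitted_sources())

def dry_run(port, packets):
    # Run the decision over (src, dst) pairs without dropping anything, so an
    # operator can see what a new filter would block before turning it on.
    accepted, dropped = [], []
    for src, dst in packets:
        (accepted if bcp38_accept(port, src) else dropped).append((src, dst))
    return accepted, dropped

def review_candidates(port, packets, threshold=2):
    # Sources that would be dropped repeatedly are either spoofing or a
    # customer who legitimately needs a trusted_extra entry; surface them.
    _, dropped = dry_run(port, packets)
    counts = Counter(ipaddress.ip_address(s) for s, _ in dropped)
    return sorted(str(a) for a, n in counts.items() if n >= threshold)

PLAIN = CustomerPort("cust-a", ["192.0.2.0/24"])
SAT = CustomerPort("cust-b", ["198.51.100.0/24"], trusted_extra=["203.0.113.0/28"])

SAMPLE = [  # constructed traffic seen on cust-a's port
    ("192.0.2.10", "192.0.2.53"),
    ("203.0.113.5", "192.0.2.53"),
    ("203.0.113.5", "192.0.2.53"),
    ("10.0.0.1", "192.0.2.53"),
]

if __name__ == "__main__":
    acc, drop = dry_run(PLAIN, SAMPLE)
    print("would accept:", acc)
    print("would drop:", drop)
    print("review:", review_candidates(PLAIN, SAMPLE))
```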