[dns-operations] DNS deluge for x.p.ctrc.cc
rdobbins at cisco.com
Mon Feb 27 17:06:23 UTC 2006
As has been pointed out before, this is precisely the same evolution
of discourse we went through with open SMTP relays . . .
On Feb 27, 2006, at 7:33 AM, Joe Greco wrote:
>> I think most of you are too into DNS to see the real problem and
>> the only
>> workable solution I can think of. The problem isn't DNS
>> exploitation, it's
>> tcp/ip exploitation, ie spoofed traffic.
>> The solution is ingress/egress filters and finding a good way to test
>> netblocks to see if they are filtering for spoofed traffic
>> originating on
>> their netblock. If you can't spoof with an outside IP, the damange
>> you can
>> do is limited to the netblock you are on or at the least makes it
>> easy to
>> track back to your netblock.
> That's correct, at least in my opinion. This should be clear from the
> last few messages I've posted.
> Unfortunately, specialized groups of people tend to wear colored
> so the answer that the membership of dns-operations comes up with will
> tend to be slanted towards a DNS-centric solution. This is in no
> way a
> criticism of the folks on this list, it is merely an observation of
> dynamics in general. A mechanic's solution to bad roads is better
> but the real solution is better roads. This does not make the
> bad or evil or even Wrong, it just means that the mechanic can't
> fix the
> road, so he focuses on what he *can* do.
> There has been some discussion of shunning of open recursive
> but the end result of this is brokenness in a fundamental core
> service, and that's just way bad.
> Are you going to shun major open recursive nameservers like the legacy
> BBN/GTE ones, which *lots* of people use? If not, why not? They're a
> huge potential traffic source... If a company like Rodney's were to
> begin shunning such open recursers, then won't their customers
> start to
> go to service providers who actually provide the service they're
> Collateral damage in the form of shunning open recursers sounds like a
> nice idea, but it isn't really making any significant progress towards
> being able to deal with the core issue of DDoS, and it breaks a whole
> bunch of other useful things at the same time.
> ... JG
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://
> "We call it the 'one bite at the apple' rule. Give me one chance
> [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-
> mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too
> many apples.
> dns-operations mailing list
> dns-operations at lists.oarci.net
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Everything has been said. But nobody listens.
-- Roger Shattuck
More information about the dns-operations