[dns-operations] DNS deluge for x.p.ctrc.cc

Roland Dobbins rdobbins at cisco.com
Mon Feb 27 17:06:23 UTC 2006


As has been pointed out before, this is precisely the same evolution of discourse we went through with open SMTP relays . . .

On Feb 27, 2006, at 7:33 AM, Joe Greco wrote:

>> Folks,
>>
>> I think most of you are too into DNS to see the real problem and the only workable solution I can think of. The problem isn't DNS exploitation, it's TCP/IP exploitation, i.e. spoofed traffic.
>>
>> The solution is ingress/egress filters and finding a good way to test netblocks to see if they are filtering for spoofed traffic originating on their netblock. If you can't spoof with an outside IP, the damage you can do is limited to the netblock you are on or at the least makes it easy to track back to your netblock.
>
> Hello,
>
> That's correct, at least in my opinion.  This should be clear from the last few messages I've posted.
>
> Unfortunately, specialized groups of people tend to wear colored glasses, so the answer that the membership of dns-operations comes up with will tend to be slanted towards a DNS-centric solution.  This is in no way a criticism of the folks on this list, it is merely an observation of group dynamics in general.  A mechanic's solution to bad roads is better shocks, but the real solution is better roads.  This does not make the mechanic bad or evil or even Wrong, it just means that the mechanic can't fix the road, so he focuses on what he *can* do.
>
> There has been some discussion of shunning of open recursive nameservers, but the end result of this is brokenness in a fundamental core Internet service, and that's just way bad.
>
> Are you going to shun major open recursive nameservers like the legacy BBN/GTE ones, which *lots* of people use?  If not, why not?  They're a huge potential traffic source...  If a company like Rodney's were to begin shunning such open recursers, then won't their customers start to go to service providers who actually provide the service they're paying for?
>
> Collateral damage in the form of shunning open recursers sounds like a nice idea, but it isn't really making any significant progress towards being able to deal with the core issue of DDoS, and it breaks a whole bunch of other useful things at the same time.
>
> ... JG
> -- 
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
> With 24 million small businesses in the US alone, that's way too many apples.

----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

      Everything has been said.  But nobody listens.

                    -- Roger Shattuck
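The ingress filter the quoted post argues for, modelled in Python as an added example that is not part of the thread: a customer-edge check that admits a packet only when its source address falls inside a prefix assigned to that customer. The prefixes, resolver address and sample packets are constructed (RFC 5737 documentation ranges), and `ingress_filter` / `forward_all` are names chosen here, not anything from the list or any vendor.

```python
# Added example (not from the thread): a BCP38-style source-address
# ingress filter at a customer edge. Packets whose claimed source is
# outside the customer's assigned prefixes are dropped before they can
# reach an open recursive nameserver with a forged (victim) source.
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple


class Packet(NamedTuple):
    src: str    # claimed source address; may be forged by the sender
    dst: str    # destination (here, an open recursive resolver)
    dport: int  # destination port


def ingress_filter(pkt: Packet, assigned: Iterable[str]) -> bool:
    """True if the packet may enter the provider network: its source lies
    in a prefix assigned to this customer interface. False means drop."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(p) for p in assigned)


def forward_all(pkts: Iterable[Packet],
                assigned: Iterable[str]) -> Tuple[List[Packet], List[Packet]]:
    """Apply the filter to a batch; returns (accepted, dropped)."""
    accepted, dropped = [], []
    for p in pkts:
        (accepted if ingress_filter(p, assigned) else dropped).append(p)
    return accepted, dropped


# Constructed sample traffic: a customer holding 203.0.113.0/24 sends
# DNS queries toward an open recursive resolver at 198.51.100.53.
CUSTOMER_PREFIXES = ["203.0.113.0/24"]
RESOLVER = "198.51.100.53"
SAMPLE = [
    Packet("203.0.113.10", RESOLVER, 53),   # genuine query from the customer
    Packet("192.0.2.7", RESOLVER, 53),      # source forged as an outside host
    Packet("203.0.113.200", RESOLVER, 53),  # forged, but still inside the netblock
]

if __name__ == "__main__":
    ok, bad = forward_all(SAMPLE, CUSTOMER_PREFIXES)
    # Only the outside-source packet is dropped; anything that passes
    # carries a source inside 203.0.113.0/24 and so is traceable to this customer.
    print("accepted:", [p.src for p in ok])
    print("dropped: ", [p.src for p in bad])
```

Note the remaining gap the post itself concedes: a source forged from another address inside the same netblock still passes, so the filter bounds the damage to (and the trace-back to) that netblock rather than eliminating spoofing.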
