[dns-operations] DNS deluge for x.p.ctrc.cc
Gadi Evron
ge at linuxbox.org
Mon Feb 27 21:19:37 UTC 2006
Joe Greco wrote:
>>Folks,
>>
>>I think most of you are too into DNS to see the real problem and the only
>>workable solution I can think of. The problem isn't DNS exploitation, it's
>>TCP/IP exploitation, i.e. spoofed traffic.
>>
>>The solution is ingress/egress filters and finding a good way to test
>>netblocks to see if they are filtering for spoofed traffic originating on
>>their netblock. If you can't spoof with an outside IP, the damage you can
>>do is limited to the netblock you are on or at the least makes it easy to
>>track back to your netblock.
>
>
> Hello,
>
> That's correct, at least in my opinion. This should be clear from the
> last few messages I've posted.

Both George and Joe are right. It is a problem. Still, solving one and
leaving another untended just because one was used as the attack vector
is silly. Are we to forever leave problems unattended?

Yes, spoofing is a problem, but so are bots. Does that mean ISPs
should all harden their networks so that machines "can't" get infected?

Erm. Maybe!

I am not saying solving the one isn't important. I am saying solving the
second is just AS important. Further, the second is much easier,
relatively, short-term, as a band-aid, while band-aids for spoofing
don't really work that well.

Band-aids don't heal a wound, but they do stop the bleeding.

Gadi.