[dns-operations] DNS deluge for x.p.ctrc.cc

Gadi Evron ge at linuxbox.org
Mon Feb 27 21:19:37 UTC 2006


Joe Greco wrote:
>>Folks,
>>
>>I think most of you are too into DNS to see the real problem and the only
>>workable solution I can think of. The problem isn't DNS exploitation, it's
>>TCP/IP exploitation, i.e. spoofed traffic.
>>
>>The solution is ingress/egress filters and finding a good way to test
>>netblocks to see if they are filtering for spoofed traffic originating on
>>their netblock. If you can't spoof with an outside IP, the damage you can
>>do is limited to the netblock you are on or at the least makes it easy to
>>track back to your netblock.
> 
> 
> Hello,
> 
> That's correct, at least in my opinion.  This should be clear from the
> last few messages I've posted.

Both George and Joe are right. It is a problem. Still, solving one and 
leaving another untended just because one was used as the attack vector 
is silly. Are we to forever leave problems unattended?

Yes, spoofing is a problem... but so are bots. Does that mean ISPs 
should all harden their networks so that machines "can't" get infected?

Erm. Maybe!

I am not saying solving the one isn't important. I am saying solving the 
second is just AS important. Further, the second is much easier, 
relatively, short-term, as a band-aid while band-aids for spoofing 
don't really work that well.

Band-aids don't heal a wound, but they do stop the bleeding.

	Gadi.


