[dns-operations] DNS deluge for x.p.ctrc.cc
jgreco at ns.sol.net
Mon Feb 27 21:29:17 UTC 2006
> On Mon, Feb 27, 2006 at 03:08:00PM -0600, Rob Thomas wrote:
> > That's not a risk, it's a given. :) The miscreants will find new
> > ways regardless of our response. In general they modify their
> > tactics based on what other miscreants do against them.
> Right, I should have stated that better. What I'm more worried about
> is that a response -- shunning or anything else -- causes the
> attackers to do something that's both worse, and harder to fix. As
> someone else pointed out in this thread, blocking SMTP relays didn't
> work, and now we not only have a continued deluge of spam, but a big
> whack of people out there who have an interest (i.e. a financial one)
> in writing and releasing Trojan horse programs. Given the choice,
> I'd rather have the open relay problem. (But of course, I don't have
> any magic answers as to what would be worse, or harder to fix,
Yeah, pointing at "no more SMTP relays!" as a success story is nice,
except that it was not a success story (as noted).
In the long run, the real issue is that we can keep closing off useful
services. This year it's DNS. Next year someone finds a new bug in
ping. After that, a way to kill traceroute. Each and every time we
take a step down this road, we are killing off tools and techniques that
are helpful to debugging the Internet. Is that good or bad?
If we *really* need to take such a step and the result is a *meaningful*
return, then it probably needs to happen.
But what's going to happen here is that the attackers will merely change
to another successful technology that relies on the absence of BCP38 (it
seems like all the really fun stuff relies on that... I've got a Dilbert
story to tell if anyone cares).
If you're so desperate to fix this that you're willing to shun people at
the DNS level, well, for heaven's sake, start shunning requests from
networks that don't implement BCP38.
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
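The BCP38 ingress filtering the post keeps coming back to is simple to state: a provider's customer-facing port should only accept packets whose source address belongs to the prefixes routed to that port, so a customer cannot emit traffic carrying somebody else's address. The following is an added example, not code from the original post or from anyone on the list; the interface names are hypothetical and the addresses are RFC 5737 / RFC 3849 documentation ranges. It models the check a BCP38-compliant edge performs and shows why a spoofed DNS query forged with a reflection victim's source address never reaches the open resolver in the first place.

```python
import ipaddress
from collections import Counter

# Constructed example: an ISP edge router's customer ports and the address
# blocks legitimately routed to each. All prefixes are documentation ranges
# (RFC 5737 / RFC 3849); the interface names are hypothetical.
INGRESS_PREFIXES = {
    "ge-0/0/1": ("203.0.113.0/25",),
    "ge-0/0/2": ("198.51.100.0/24", "2001:db8:1::/48"),
}

# Pre-parse once so the per-packet check is just a membership test.
_NETS = {
    iface: [ipaddress.ip_network(p) for p in prefixes]
    for iface, prefixes in INGRESS_PREFIXES.items()
}


def bcp38_permit(iface, src):
    """BCP38 ingress filter: a packet may enter on `iface` only if its source
    address lies within a prefix assigned to that port. Any other source is
    spoofed (or misrouted) and is dropped at the edge, so the provider's
    customers cannot launch reflection traffic with somebody else's address."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for net in _NETS.get(iface, []))


def filter_ingress(packets):
    """Apply the filter to (iface, src, dst, dport) tuples.
    Returns (forwarded, dropped) lists; dropped entries carry a reason."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, dst, dport = pkt
        if iface not in _NETS:
            dropped.append((pkt, "unknown ingress interface"))
        elif bcp38_permit(iface, src):
            forwarded.append(pkt)
        else:
            dropped.append((pkt, "source not in prefixes assigned to %s" % iface))
    return forwarded, dropped


def dropped_by_interface(dropped):
    """Count drops per ingress port; a port that is spoofing heavily stands out."""
    return Counter(pkt[0] for pkt, _reason in dropped)


# Constructed traffic. 192.0.2.53 stands for an open recursive resolver and
# 192.0.2.10 for a reflection victim whose address a customer is forging.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.7", "192.0.2.53", 53),          # legitimate query
    ("ge-0/0/1", "192.0.2.10", "192.0.2.53", 53),           # spoofed: victim's address
    ("ge-0/0/1", "198.51.100.9", "192.0.2.53", 53),         # belongs to another port
    ("ge-0/0/2", "198.51.100.9", "192.0.2.53", 53),         # legitimate on its own port
    ("ge-0/0/2", "2001:db8:1::42", "2001:db8:53::1", 53),   # legitimate v6 query
    ("ge-0/0/2", "2001:db8:ffff::1", "2001:db8:53::1", 53), # spoofed v6 source
    ("ge-0/0/9", "203.0.113.7", "192.0.2.53", 53),          # port with no prefixes
]

if __name__ == "__main__":
    fwd, drp = filter_ingress(SAMPLE_PACKETS)
    print("forwarded:", len(fwd))
    for pkt, reason in drp:
        print("dropped %-20s on %s: %s" % (pkt[1], pkt[0], reason))
    print("drops per port:", dict(dropped_by_interface(drp)))
```

The filter never looks at the destination or the port: it is not a DNS rule at all, which is the point of the post. The same check stops spoofed ICMP echo, spoofed UDP to any other reflector, and whatever the next amplification vector turns out to be, without closing off a service that operators rely on for debugging.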