[dns-operations] DNS deluge for x.p.ctrc.cc
jgreco at ns.sol.net
Mon Feb 27 22:04:05 UTC 2006
> Joe Greco wrote:
> >>>Both George and Joe are right. It is a problem. Still, solving one and
> >>>leaving another untended just because one was used as the attack vector
> >>>is silly. Are we to forever leave problem unattended?
> >>I'm unclear on what you are suggesting. What problem is left unattended with
> >>DNS if you cannot spoof UDP packets?
> > It's the old
> > "We must do SOMETHING!" + "This is something" => "We must do THIS!"
> > As much as I believe in belt and suspenders, I only believe in that when
> > both the belt and the suspenders are appropriate solutions.
> Sorry Joe, I'm just not following.
> Can you explain why trying to resolve the local exploit when the attack

Ahh, there we go, I like that. Change the terms to suit the argument.
Open recursers are not a "local exploit."

> was facilitated by a remote exploit is not also important? Especially
> when the remote one is relatively a whole lot more difficult?
> I am not saying band-aids are THE THING. I am saying they are THE THING
> when you need to stop the bleeding NOW.

Well, have fun then, because you won't be stopping that bleeding anytime
soon. There are just *TOO* *MANY* of them. Death by a million paper cuts
or something like that.

If you want change, it's easier to target a smaller number of bigger
things (i.e. networks and their operating policies) than a huge number
of smaller things (recursers).

Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.