[dns-operations] DNS deluge for x.p.ctrc.cc

Joe Greco jgreco at ns.sol.net
Mon Feb 27 22:04:05 UTC 2006


> Joe Greco wrote:
> >>>Both George and Joe are right. It is a problem. Still, solving one and
> >>>leaving another untended just because one was used as the attack vector
> >>>is silly. Are we to forever leave problem unattended?
> >>
> >>Gadi,
> >>
> >>I'm unclear on what you are suggesting. What problem is left unattended with
> >>DNS if you cannot spoof UDP packets?
> > 
> > 
> > It's the old
> > 
> > "We must do SOMETHING!" + "This is something" => "We must do THIS!"
> > 
> > As much as I believe in belt and suspenders, I only believe in that when
> > both the belt and the suspenders are appropriate solutions.
> 
> Sorry Joe, I'm just not following.
> 
> Can you explain why trying to resolve the local exploit when the attack 

Ahh, there we go, I like that.  Change the terms to suit the argument.

Open recursers are not a "local exploit."

> was facilitated by a remote exploit is not also important? Especially 
> when the remote one is relatively a whole lot more difficult?
> 
> I am not saying band-aids are THE THING. I am saying they are THE THING 
> when you need to stop the bleeding NOW.

Well, have fun then, because you won't be stopping that bleeding anytime
soon.  There are just *TOO* *MANY* of them.  Death by a million paper cuts
or something like that.

If you want change, it's easier to target a smaller number of bigger
things (i.e. networks and their operating policies) than a huge number
of smaller things (recursers).

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.


