[dns-operations] DNS deluge for x.p.ctrc.cc
Brett_Watson at isc.org
Mon Feb 27 22:13:05 UTC 2006
On Feb 27, 2006, at 2:15 PM, Joe Greco wrote:
> If shunning would be effective, wouldn't it make more sense to shun
> networks that don't implement BCP38? We could fix a wide *range* of
> future attack vectors, rather than just this relatively small single
> vector that doesn't even address all of the ways to abuse DNS for this
> sort of thing.

i agree that "fixing" via filtering would solve many problems at
once, and would fix this particular issue with amplification but as
paul noted (and this has been my and many others' experience as well)
getting providers (or enterprise networks, in my own experience) to
*do* it is very, very hard. they don't have financial incentive to
do so and sometimes negative financial incentive (no staff or
expertise to deal with it).

as rodney/rob pointed out, working from the other end with the
providers that have open/recursive servers that are used in
amplification attacks (and therefore impacting them financially)
yields fairly good results.

i don't disagree with much of what you've said, but aside from the
more difficult problem of getting bcp38 implemented, you're not
proposing a workable solution either.