[dns-operations] DNS deluge for x.p.ctrc.cc

brett watson Brett_Watson at isc.org
Mon Feb 27 22:13:05 UTC 2006

On Feb 27, 2006, at 2:15 PM, Joe Greco wrote:

> If shunning would be effective, wouldn't it make more sense to shun
> networks that don't implement BCP38?  We could fix a wide *range* of
> future attack vectors, rather than just this relatively small single
> vector that doesn't even address all of the ways to abuse DNS for this
> sort of thing.

i agree that "fixing" via filtering would solve many problems at  
once, and would fix this particular issue with amplification but as  
paul noted (and this has been my and many others' experience as well)  
getting providers (or enterprise networks, in my own experience) to  
*do* it is very, very hard.  they don't have financial incentive to  
do so and sometimes negative financial incentive (no staff or  
expertise to deal with it).

as rodney/rob pointed out, working from the other end with the  
providers that have open/recursive servers that are used in  
amplification attacks (and therefore impacting them financially)  
yields fairly good results.

i don't disagree with much of what you've said, but aside from the  
more difficult problem of getting bcp38 implemented, you're not  
proposing a workable solution either.


More information about the dns-operations mailing list