[dns-operations] DNS deluge for x.p.ctrc.cc

Geo. geoincidents at nls.net
Thu Mar 2 21:00:52 UTC 2006

> :-).  there is a better way, it's called universal BCP38.  the
> problem with
> that as a solution is that the folks who have to deploy BCP38 are
> not the ones
> being victimized by this attack (i.e., neither the amplifiers nor
> the targets).
> we don't get to decide, none of us, whether others will deploy
> BCP38.

Actually to some degree we do. It's like ping dampening, if the ISP or
business doesn't do it on their side the backbones can do it on theirs. IP
addresses don't move around like DNS servers can.

I mean I can tell you right now what's going to happen if we eliminate open
recursive dns, people are going to run a dns server on their own machine
(it's not like a small dns caching only server takes up much room) and then
all the desktop systems are going to start talking directly to the hints
file servers. The advantages of caching dns for thousands of desktops will
dissapear and the loads will shift upstream. It'll happen this way because
it's the easiest fix for machines that wander from zone to zone in a
wireless world.


More information about the dns-operations mailing list