[dns-operations] DNS Amplification Attacks
simon at limmat.switch.ch
Wed Mar 22 06:29:36 UTC 2006
>> however, it's a silly world. in this silly world, there is no way
>> that the non-BCP38 networks who are at the root of the problem will
>> ever feel any of the pain they cause.
> Why, because we don't have a good way to test them? Ok how about this. Put
> up a website amispoofproof.com and create an executable (I don't think it
> can be done in java) that spoofs a UDP packet back to the source with the
> actual IP as the data in the packet as a way to have users test their ISP to
> see if they are spoofproof or not? The site logs the data so it can be used
> to tell what AS's are and aren't BCP38.
Some of this has been done here:
They even detect various levels of spoofability. Unfortunately they
don't publish which ASes allow spoofing. I tested my home (Cable) ISP
and, sure enough, they fail to implement BCP38. Last week I wanted to
re-test, but the system was broken. Researchers understandably tend
to consider their work done once the paper is published, but maybe
someone else could take this up and provide a service as you suggest.
> The big websites are quite vulnerable to these attacks so perhaps a
> few of them would be willing to help raise awareness of this test
> site and help make the public aware that this is a security
> issue. Let the netizens test the net for you. W2K and Linux clients
> should be easy since they have raw sockets and we can have Steve
> "who needs raw sockets" Gibson code up one for XP.
> Make BCP38 a security issue in the eyes of the public and give the
> public the tools to test their ISP themselves. Tickle the
> non-compliant ISP in a very soft spot, their marketing
> departments. Security is a checkbox item nowadays remember?
Yes, but not other people's security, only one's own. I doubt that
many people who tender for connectivity consider the presence of
ingress filtering something worth paying for.
I do have great sympathy with your approach.
Getting more ISPs to implement BCP38 would be very useful.
> We don't have to blacklist or do anything that might inconvenience the
> public, all we have to do is make some noise. Once most of the net
> is done then we can take on a blacklist strategy for the remainder.
Get the media interested. That will be the only thing I can imagine
(short of outright regulation) that will make large providers invest
resources in this.