[dns-operations] DNS Amplification Attacks

Simon Leinen simon at limmat.switch.ch
Wed Mar 22 06:29:36 UTC 2006


Geo writes:
>[Paul Vixie:]
>> however, it's a silly world.  in this silly world, there is no way
>> that the non-BCP38 networks who are at the root of the problem will
>> ever feel any of the pain they cause.

> Why, because we don't have a good way to test them? Ok how about this. Put
> up a website amispoofproof.com and create an executable (I don't think it
> can be done in Java) that spoofs a UDP packet back to the source with the
> actual IP as the data in the packet as a way to have users test their ISP to
> see if they are spoofproof or not? The site logs the data so it can be used
> to tell what AS's are and aren't BCP38.

Some of this has been done here:

http://spoofer.csail.mit.edu/

They even detect various levels of spoofability.  Unfortunately they
don't publish which ASes allow spoofing.  I tested my home (Cable) ISP
and, sure enough, they fail to implement BCP38.  Last week I wanted to
re-test, but the system was broken.  Researchers understandably tend
to consider their work done once the paper is published, but maybe
someone else could take this up and provide a service as you suggest.

> The big websites are quite vulnerable to these attacks so perhaps a
> few of them would be willing to help raise awareness of this test
> site and help make the public aware that this is a security
> issue. Let the netizens test the net for you. W2K and Linux clients
> should be easy since they have raw sockets and we can have Steve
> "who needs raw sockets" Gibson code up one for XP.

> Make BCP38 a security issue in the eyes of the public and give the
> public the tools to test their ISP themselves. Tickle the
> non-compliant ISP in a very soft spot, their marketing
> departments. Security is a checkbox item nowadays remember?

Yes, but not other people's security, only one's own.  I doubt that
many people who tender for connectivity consider the presence of
ingress filtering something worth paying for.

I do have great sympathy with your approach.
Getting more ISPs to implement BCP38 would be very useful.

> We don't have to blacklist or do anything that might inconvenience the
> public, all we have to do is make some noise. Once most of the net
> is done then we can take on a blacklist strategy for the remainder.

Get the media interested.  That will be the only thing I can imagine
(short of outright regulation) that will make large providers invest
resources in this.
-- 
Simon.



