[dns-operations] "it's like having a pizza delivered to a friend's house as a prank."
heldal at eml.cc
Thu Mar 23 09:25:45 UTC 2006
On Thu, 23 Mar 2006 09:44:00 +0100, "Pierre Baume" <pierre at baume.org>
> Agreed. But to get there, we need better ways to detect BCP38
True. There are examples of such already
(http://spoofer.csail.mit.edu/). The missing piece is coordination of
the efforts with collection of probe data and making operational
recommendations to partitipants. Probes must somehow be distributed to
end-users. There are many ways. Examples (no specific order or
* Volentary partitipation ("help check your ISP"), but unrelated to
* Include probe with other software distributed on the net (like adware)
* Distribute probe as part of OS upgrades/patches in cooperation with
Some may find these methods intrusive. Still large groups of users
silently accept software (malware) which purpose is less novel than
Besides, data-collection must be able to distinguish real probe-data
from fakes to prevent abuse.
> The infrastructure is there (address and routing registries), but in
> shape, because it's not used enough (at least for this purpose).
> The tools aren't exactly there either. Which NOC will see a red alert
> spoofed traffic shows up, when this part of the traffic is small compared
> the rest?
Probe data will only be seen by hosts set up to receive them.
> How much tweaking will be needed to get there?
> And sure, spoofed traffic can be hard to detect, but this doesn't mean
> none of it can be detected. Specially when attacks last for hours/days.
This isn't about detecting random spoofed packets.
> PS: And of course, in parallel, we could fix UDP so that packets sent in
> either direction have the same size. But that might take longer. ;-)
... besides being a joke, it also misses the fact that spoofing may be
used just to hide the presence of bots with no amplification.
[probably waaay OT for this list by now ... except DNS is imho just
More information about the dns-operations