[dns-operations] "it's like having a pizza delivered to a friend's house as a prank."
Per Heldal
heldal at eml.cc
Thu Mar 23 09:25:45 UTC 2006
On Thu, 23 Mar 2006 09:44:00 +0100, "Pierre Baume" <pierre at baume.org>
[snip]
>
> Agreed. But to get there, we need better ways to detect BCP38
> non-compliance.
True. There are examples of such already
(http://spoofer.csail.mit.edu/). The missing piece is coordination of
the efforts with collection of probe data and making operational
recommendations to participants. Probes must somehow be distributed to
end-users. There are many ways. Examples (no specific order or
recommendation):
* Voluntary participation ("help check your ISP"), but unrelated to
anything else
* Include probe with other software distributed on the net (like adware)
* Distribute probe as part of OS upgrades/patches in cooperation with
vendor
Some may find these methods intrusive. Still, large groups of users
silently accept software (malware) whose purpose is less novel than
this.
Besides, data-collection must be able to distinguish real probe-data
from fakes to prevent abuse.
>
> The infrastructure is there (address and routing registries), but in
> bad shape, because it's not used enough (at least for this purpose).
>
> The tools aren't exactly there either. Which NOC will see a red alert
> when spoofed traffic shows up, when this part of the traffic is small
> compared to the rest?
Probe data will only be seen by hosts set up to receive them.
> How much tweaking will be needed to get there?
>
> And sure, spoofed traffic can be hard to detect, but this doesn't mean
> none of it can be detected. Specially when attacks last for hours/days.
This isn't about detecting random spoofed packets.
>
> Pierre.
>
> PS: And of course, in parallel, we could fix UDP so that packets sent in
> either direction have the same size. But that might take longer. ;-)
... besides being a joke, it also misses the fact that spoofing may be
used just to hide the presence of bots with no amplification.
[probably waaay OT for this list by now ... except DNS is imho just
another victim]
//per
--
Per Heldal
http://heldal.eml.cc/
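As an added illustration (not code from this thread or from the spoofer project) of the point above that a collector must tell real probe data from fakes: each enrolled probe holds a per-probe HMAC key, reports are signed, replayed or stale reports are dropped, and only then is the report matched against what actually arrived on the wire. The names, the report fields and the three verdicts are assumptions made for this example.

```python
import hashlib
import hmac
import time

# Constructed per-probe secrets handed out at enrollment (not real keys).
PROBE_KEYS = {"probe-42": b"enrollment-secret-for-probe-42"}


def sign_report(key, probe_id, real_src, spoofed_src, nonce, ts):
    """MAC over the fields a probe reports after sending a spoofed test packet."""
    msg = f"{probe_id}|{real_src}|{spoofed_src}|{nonce}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Collector:
    def __init__(self, max_age=300, now=time.time):
        self.seen_nonces = set()   # replay protection
        self.received = {}         # nonce -> source address seen on the wire
        self.results = []          # (real source, verdict) per accepted report
        self.max_age = max_age
        self.now = now

    def packet_arrived(self, nonce, wire_src):
        """Record a test packet as the collector received it (source as seen)."""
        self.received[nonce] = wire_src

    def accept_report(self, r):
        """Authenticate a probe's report, then classify the network it ran on."""
        key = PROBE_KEYS.get(r["probe_id"])
        if key is None:
            return "rejected: unknown probe"
        expected = sign_report(key, r["probe_id"], r["real_src"],
                               r["spoofed_src"], r["nonce"], r["ts"])
        if not hmac.compare_digest(expected, r["mac"]):
            return "rejected: bad mac"       # forged or tampered report
        if abs(self.now() - r["ts"]) > self.max_age:
            return "rejected: stale"
        if r["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(r["nonce"])
        wire_src = self.received.get(r["nonce"])
        if wire_src is None:
            verdict = "filtered"    # spoofed packet never arrived: egress filtering in effect
        elif wire_src == r["spoofed_src"]:
            verdict = "spoofable"   # packet arrived with the forged source intact
        else:
            verdict = "rewritten"   # source was changed in transit (e.g. NAT)
        self.results.append((r["real_src"], verdict))
        return verdict
```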