[dns-operations] blocking recursers

Randy Bush randy at psg.com
Thu Mar 23 17:27:29 UTC 2006


> [IANAL] Legally, even if it were a RFC with status Total
> Standard, I'm not sure it would be a solid basis, legally
> speaking. RFC are not laws.

i agree that the existence of an rfc which says orns are bad
practice does not have the weight of law.

my issue is in the opposite direction.  without such an rfc, if
i take preemptive action against an orn, the orn operator would
seem to have a legitimate claim to have done nothing wrong.

> As I wrote, I believe it would not be very ethical to do it
> *today* because few system administrators were exposed to the
> risks of ORNs and to the good practice of limiting recursion.

while my inclination is to agree, a few more multi-gig attacks
and my sympathy for the uneducated may be seriously diluted.

> IMHO, we should do information and propaganda, not
> arm-twisting, for a while.

where 'while' may be greatly shortened if attacks continue.

with open smtp servers, it is an effective tactic to block them
when they start to actually do damage.

with reflective attacks via orns, this is not a viable defense,
as the ddos consumes your bandwidth.  hence, if one believes
that shutting orns is needed, it has to be done in advance,
before they are actually used in an attack.  thus my use of the
term 'preemptive'.

> After a suitable period of information and education time, I
> believe a TLD administrator has the right to blacklist, with
> due process

i am trying to suggest that supporting standards are part of
that due process.  and, due to the large lead time, stamina,
and tolerance for foolishness required to get an rfc in place,
some folk with more tolerance for the above than i might start
now.

randy
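The property the whole thread turns on is whether a nameserver will recurse for a name outside its own zones when asked by an arbitrary client. As an added example (not from this thread or its participants), the Python below builds such a query with the RD bit set and classifies a reply from its RD/RA/RCODE header bits; the replies here are constructed byte strings so it runs offline, and `www.example.net` is assumed to be a name the audited server is not authoritative for.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR, RD, RA = 0x8000, 0x0100, 0x0080
RCODE_MASK, RCODE_REFUSED = 0x000F, 5


def encode_name(qname: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal A/IN query with only the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def classify_response(query: bytes, response: bytes) -> str:
    """Judge a reply to build_query() for a name outside the server's own zones."""
    if len(response) < 12:
        return "malformed"
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "mismatch"
    if flags & RCODE_MASK == RCODE_REFUSED:
        return "recursion-refused"      # recursion limited by ACL: the desired state
    if not flags & RA:
        return "recursion-unavailable"  # server advertises no recursion at all
    if an > 0:
        return "open-recursion"         # answered a foreign name for us: an ORN
    return "ra-set-no-answer"           # RA advertised but nothing returned; check by hand


def make_response(query: bytes, flags: int, answers: list) -> bytes:
    """Constructed sample reply: echo the question section, append answer RRs."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, QR | flags, 1, len(answers), 0, 0)
    return header + query[12:] + b"".join(answers)


# Constructed sample data: one A record pointing back at the question name (0xC00C)
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
QUERY = build_query("www.example.net")
OPEN_RESOLVER = make_response(QUERY, RD | RA, [A_RR])       # an ORN: recursed and answered
RESTRICTED = make_response(QUERY, RD | RCODE_REFUSED, [])   # recursion limited to local clients
AUTH_ONLY = make_response(QUERY, RD, [])                    # authoritative-only, RA clear

if __name__ == "__main__":
    for label, resp in [("open", OPEN_RESOLVER), ("restricted", RESTRICTED), ("auth-only", AUTH_ONLY)]:
        print(label, classify_response(QUERY, resp))
```

A real audit of your own server would send `QUERY` over UDP port 53 and feed the datagram it gets back to `classify_response`; only the "recursion-refused" and "recursion-unavailable" outcomes show recursion is actually limited.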