[dns-operations] blocking recursers
jpv at veldersjes.net
Sat Mar 25 21:21:02 UTC 2006
> Date: Sat, 25 Mar 2006 11:00:35 -1000
> From: Randy Bush <randy at psg.com>
> Subject: Re: [dns-operations] blocking recursers
> >> presume i serve significant, i.e. users will notice if i
> >> reject, zones.
> > are you serving zones as a "tier" 1 (root), 2 (tld) or 3 (rest) ?
> > I'll assume we'll be talking about "tier 3", cause my head would
> > hurt way too much if I'd extrapolate to tier 2 or even 1... ;D
> by your terms 2 and 3
OK, well, my reservations about 1 and/or 2 are that they serve a much
more "public function" (not exactly the most non-ambiguous term, alas).
Thus it would go against the very nature of that service to stop
providing that service to however small a group... :(
> [ ... ]
> but this is not blocking either abusive or potentially abusive
> traffic. the problem is that the abusive traffic, when it comes,
> is not usefully blockable. hence the preemptive coercion, some
> have called it extortion, blocking legitimate traffic in an attempt
> to force social change.
Extortion is something I tie to "for personal gain". This isn't for
personal gain, this is for a "greater good". Social change is an
understatement though. ;) Willfully running an open SMTP relay also
shuts you out from a large part of the Internet; why should
*willfully* running an ORN be any different?
> [ ... ]
> i think it is a legitimate question to explore the ethical and
> legal space of harming in self-defence when self can not show it
> has been attacked.
Well, as a certain someone always shouts: "my network, my rules".
Though I do like to add nuances, and you really would like to be able
to verify that a certain IP has been used for malicious / abusive ORN
behaviour, and to have a way of dealing with that (administration, removal
> [ ... "responsible" ORN behaviour ... ]
> at four in the morning, when the orns are used to generate 5gb
> toward my server, i don't think whether they monitor is gonna be
> responsive enough to suit my needs.
Responsive !~= responsible...
As for possibly responsible ORNs, I could think of some form of ORN run
by people to "bootstrap" unknown remote clients. Just going "well, the
DNS .png showed a large spike yesterday afternoon, I might just need
to look at that" isn't responsible by a long shot.
> > Doing this as a massive scan (like ORDB, SORBS, etc) however is
> > something I have reservations about.
> because it is invasive? or because it is too vigilante? or ...?
Mainly because of all the fragmentation of those "we're doing this for
the greater good" clubs in the SMTP world, with everybody just doing
sweeps on netblocks; well, it's chaos at best. Doing it only for IPs
contacting you would make me feel a bit easier. ;)
By just talking about taking measures (on "our" ends) against ORNs
we'll probably already be branded as vigilantes ;D
> > But, perhaps you could share some insights as to why you're
> > asking ? ;)
> no hidden agenda. i am trying to think this thing through, and am
> not so self-inflated that i am not interested in the opinions of
OK Cool. ;)
One of my questions/ideas is whether it would be worthwhile to see if
this couldn't "snowball" into a project where ISPs, ops, abuse, CERT,
CSIRT etc. could collaborate, take charge and see if they can
eradicate these smelly corners from their neighbourhood...
Now, the pro-active folks started scanning their customers for open
SMTP relays at some point, far past when the abuse started. We could
try and see if we could nip this in the bud, or at least make an effort.
And having a "dns-bl" (pun intended) as a nice rusty nail, well... ;)