[dns-operations] blocking recursers

JP Velders jpv at veldersjes.net
Sat Mar 25 21:21:02 UTC 2006


> Date: Sat, 25 Mar 2006 11:00:35 -1000
> From: Randy Bush <randy at psg.com>
> Subject: Re: [dns-operations] blocking recursers

> >> presume i serve significant, i.e. users will notice if i
> >> reject, zones.

> > are you serving zones as a "tier" 1 (root), 2 (tld) or 3 (rest) ?
> > I'll assume we'll be talking about "tier 3", cause my head would
> > hurt way too much if I'd extrapolate to tier 2 or even 1... ;D

> by your terms 2 and 3

OK, well my reservations about 1 and/or 2 are that they serve a much 
more "public function" (not exactly the most non-ambiguous term alas).
Thus it would go against the very nature of that service to stop 
providing that service to however small a group... :(

> [ ... ]
> but this is not blocking either abusive or potentially abusive
> traffic.  the problem is that the abusive traffic, when it comes,
> is not usefully blockable.  hence the preemptive coercion, some
> have called it extortion, blocking legitimate traffic in an attempt
> to force social change.

Extortion is something I tie to "for personal gain". This isn't for 
personal gain, this is for a "greater good". Social change is an 
understatement though. ;) Willfully running an open SMTP relay also 
shuts you out from a large part of the Internet, why should 
*willfully* running an ORN be any different ?

> [ ... ]
> i think it is a legitimate question to explore the ethical and
> legal space of harming in self-defence when self can not show it
> has been attacked.

Well, as a certain someone always shouts "my network, my rules". 
Though I do like to add nuances, and you really would like to be able 
to verify that a certain IP has been used for malicious / abusive ORN 
behaviour, and a way of dealing with that (administration, removal 
etc.).

> [ ... "responsible" ORN behaviour ... ]
> at four in the morning, when the orns are used to generate 5gb
> toward my server, i don't think whether they monitor is gonna be
> responsive enough to suit my needs.

Responsive !~= responsible...
With possible responsible ORNs I could think of some form of ORN run 
by people to "bootstrap" unknown remote clients. Just going "well the 
DNS .png showed a large spike yesterday afternoon, I might just need 
to look at" isn't responsible by a long shot.

> > Doing this as a massive scan (like ORDB, SORBS, etc) however is
> > something I have reservations about.

> because it is invasive?  or because it is too vigilante?  or ...?

Mainly because of all the fragmentation of those "we're doing this for 
the greater good"-clubs in the SMTP world, and everybody just doing 
sweeps on netblocks, well, it's chaos at best. Doing it for IPs 
contacting you would make me feel a bit easier. ;)

By just talking about taking measures (on "our" ends) against ORNs 
we'll probably be already branded as vigilantes ;D

> > But, perhaps you could share some insights as to why you're
> > asking ? ;)

> no hidden agenda.  i am trying to think this thing through, and am 
> not so self-inflated that i am not interested in the opinions of 
> others.

OK Cool. ;)

One of my questions/ideas is, whether it would be worthwhile to see if 
this couldn't "snowball" into a project where ISPs, ops, abuse, cert, 
csirt etc. could collaborate, take charge and see if they can 
eradicate these smelly corners from their neighbourhood...

Now, the pro-active folks started scanning their customers for Open 
SMTP Relays at some point, far past when the abuse started. We could 
try and see if we could nip this in the bud, or at least make an effort.
And having a "dns-bl" (pun intended) as a nice rusty nail, well... ;)

> randy

Kind regards,
JP Velders
