[dns-operations] Amplification attack today ?

[Michael Monnerie]

On Freitag, 2. März 2007 16:13 Paul Vixie wrote:
> it would have to be done by bgp blackholes rather than dns
> blackholes.  and since it's a public service rather than a real time
> operational shield, there could be a simple rotation of "1000 at a
> time", perhaps changed every hour or every day.

It should be at least a day (better more), lots of small companies here 
don't have quick support, they would just wonder why they can't work 
for one hour. That's quicker than most external IT support companies 
have as reaction time to look at the customers servers.

> > I am ready to dismiss this idea.
> as a rootop, so am i.  but as an operator of the vix.com server, i'd
> be willing to consider it.  on the internet, there is no growth
> without pain.

That's what I mean. It has to be transported over media into the admins 
ears and brains, that you will be blacklisted if your DNS setup is 
crap. Today it's clear to most admins that your mailserver is gonna be 
blacklisted when it's an open relay, but that didn't come because 
admins are more clever now (it's more the opposite ;-), it came because 
of blacklists. 

And when there are problems because of bad DNS configs, somebody has to 
step on the admins toes. I'm not a DNS guru, and I'm sure somebody will 
have a good idea of how to do it. It's just - somebody should start 
with it :-)

mfg zmi
-- 
// Michael Monnerie, Ing.BSc    -----      http://it-management.at
// Tel: 0676/846 914 666                      .network.your.ideas.
// PGP Key:        "curl -s http://zmi.at/zmi4.asc | gpg --import"
// Fingerprint: EA39 8918 EDFF 0A68 ACFB  11B7 BA2D 060F 1C6F E6B0
// Keyserver: www.keyserver.net                   Key-ID: 1C6FE6B0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20070302/2e399abf/attachment.sig>