[dns-operations] First experiments with DNS dampening to fight amplification attacks

Mark Andrews marka at isc.org
Fri Oct 26 01:33:13 UTC 2012


In message <97CF47CD-7815-489E-BD6B-BC14FB2B3646 at arbor.net>, "Dobbins, Roland" 
writes:
> 
> On Oct 26, 2012, at 12:48 AM, paul vixie wrote:
> 
> > until cisco makes source address validation the default
> 
> Unfortunately, neither Cisco nor any other network infrastructure vendor will
> do this absent some fundamental breakthrough in anti-spoofing mechanisms,
> because there are too many topological situations in which the primary
> existing mechanism (uRPF, ACLs) can induce overblocking.

We essentially have the infrastructure to do this today.  We have
certs for address delegations.  They can be used to sign server
certs which can then sign "I will be sourcing from these prefixes"
announcements which can in turn let correct authenticated source
address filters be produced.  This would cover most end site
requirements.

> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> 
> 	  Luck is the residue of opportunity and design.
> 
> 		       -- John Milton
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
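The delegation, server, announcement chain Mark sketches, as an added example that is not code from the thread: each link may only claim prefixes inside what its parent was granted, and only a chain that passes that check is turned into a source-address filter. The holder names and prefixes are constructed (documentation ranges), and signature verification of each link is assumed to have been done by the caller, so this block shows the containment rule and the resulting filter rather than the certificate handling.

```python
"""Constructed model of an authorization chain for source-address filters.
Link 0 is the address delegation, link 1 the server it authorises, link 2
the server's "I will source from these prefixes" announcement.  Signatures
are assumed verified by the caller (not modelled here)."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import List, Optional, Union

Net = Union[IPv4Network, IPv6Network]

@dataclass
class Authorization:
    holder: str                               # hypothetical name of this link's holder
    prefixes: List[Net]                       # prefixes this link is allowed to cover
    child: Optional["Authorization"] = None   # next link toward the announcement

def covered(needle: Net, haystack: List[Net]) -> bool:
    """True if some parent prefix of the same address family contains needle."""
    return any(needle.version == p.version and needle.subnet_of(p) for p in haystack)

def validate_chain(root: Authorization) -> List[Net]:
    """Walk from the delegation to the announcement; reject any link that
    claims a prefix outside its parent's grant.  Returns the leaf's prefixes."""
    level, allowed = root, root.prefixes
    while level.child is not None:
        child = level.child
        for p in child.prefixes:
            if not covered(p, allowed):
                raise ValueError(f"{child.holder} claims {p} outside {level.holder}'s grant")
        level, allowed = child, child.prefixes
    return allowed

def filter_rules(root: Authorization, iface: str) -> List[str]:
    """Render the validated announcement as permit rules plus a final deny."""
    rules = [f"permit {iface} src {n.with_prefixlen}" for n in validate_chain(root)]
    return rules + [f"deny {iface} src any"]

def example_chain(announced: List[str]) -> Authorization:
    """Constructed chain: a /24 and a /32 delegation, a server granted part of
    each, and an announcement claiming the given prefixes."""
    announcement = Authorization("announcement", [ip_network(a) for a in announced])
    server = Authorization("ns1.example", [ip_network("203.0.113.0/26"),
                                           ip_network("2001:db8:1::/48")], announcement)
    return Authorization("delegation", [ip_network("203.0.113.0/24"),
                                        ip_network("2001:db8::/32")], server)

if __name__ == "__main__":
    print("\n".join(filter_rules(example_chain(["203.0.113.0/26", "2001:db8:1::/64"]), "eth0")))
```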