[dns-operations] First experiments with DNS dampening to fight amplification attacks

P Vixie paul at redbarn.org
Fri Oct 26 02:38:43 UTC 2012


Roland, I'm not asking that source address validation be hardwired. Merely the default. I don't think any of us want new operators forwarding packets even in disconnected networks if they don't understand these issues. Let the default for new routers be s.a.v. and I don't expect much trouble. Leave the default as is and I'll expect linear trouble with growth.

Paul

"Dobbins, Roland" <rdobbins at arbor.net> wrote:

>
>On Oct 26, 2012, at 12:48 AM, paul vixie wrote:
>
>> until cisco makes source address validation the default
>
>Unfortunately, neither Cisco nor any other network infrastructure
>vendor will do this absent some fundamental breakthrough in
>anti-spoofing mechanisms, because there are too many topological
>situations in which the primary existing mechanism (uRPF, ACLs) can
>induce overblocking.
>
>-----------------------------------------------------------------------
>Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>	  Luck is the residue of opportunity and design.
>
>		       -- John Milton

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.