[dns-operations] First experiments with DNS dampening to fight amplification attacks

Michael Hoskins (michoski) michoski at cisco.com
Fri Oct 26 15:16:39 UTC 2012


----Original Message-----

From: paul vixie <paul at redbarn.org>
Date: Friday, October 26, 2012 10:32 AM
To: "Dobbins, Roland" <rdobbins at arbor.net>
Cc: DNS Operations List <dns-operations at mail.dns-oarc.net>
Subject: Re: [dns-operations] First experiments with DNS dampening to
fight amplification attacks

>On 10/26/2012 7:11 AM, Dobbins, Roland wrote:
>> On Oct 26, 2012, at 11:19 AM, paul vixie wrote:
>>
>>> this sounds like a new application of 'the chemical polluter business
>>>model'.
>> There's more to it than that, though.  It's important to understand
>>that those who are purchasing and deploying network gear often are
>>nonspecialists, and so frustrations, project delays, etc. would crop up
>>in the customer organizations - who would then complain vociferously to
>>the network infrastructure vendors and/or simply switch to a vendor
>>which didn't enable anti-spoofing as a default.
>
>i just don't see it. there isn't more to it than that. from the point of
>view of everyone on the connected internet, it is a bad idea to let some
>new person connect some new router that forwards packets, if that person
>is unaware of the s.a.v. issue. if a vendor won't make s.a.v. the
>default because they need the new business and they don't want the
>training burden of making sure they understand the issues of s.a.v.,
>then they are following the 'chemical polluter business model' where the
>money is made "here" and the impact is only felt "over there".

i kinda see both sides, but then i'm not in the argument.  :-)

i think there's a reason OSS (let's forget commercial interests for a
moment) distributions ship with firewalls that have been standard for
years either disabled or running entirely open...  despite many documented
best practices you don't want to keep most systems running that way for
long.  some might even argue narrow windows of time with open firewall
rules allow the determined attacker (or botnet worms) to access available
attack vectors, such that "locking down" hosts as an afterthought doesn't
add much value.

to further the analogy, "new users" are the ones who would be most
confused by a freshly installed OSS distribution that won't connect to
anything...but it doesn't at all negate the necessity of a properly
configured firewall -- especially for new users who might do things like
connect their shiny new laptop to a <insert_favorite_coffee_shop> access
point full of evil hackers and then carry it inside the shroud of
corporate security (this of course isn't limited to OSS, with BYOD and
iWhatzits and droids).

so i appreciate both sides, but i think there's something larger
afoot...human psychology perhaps.  i do plan to raise this (to the best of
my ability) through engineering management and at least start a
discussion.  challenging current norms is always a healthy exercise that
at least gets people thinking.  as mentioned, i came to cisco through
acquisition (like so many others), and am positioned in the security
BU...so i can at least present both sides to folks higher up the food
chain (and smarter than me) then let them make an informed decision.
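
As an added illustration for this thread (not code from the post, its quoted text, or any vendor) of what the s.a.v. default under discussion actually checks: a toy unicast-RPF-style source-address validation over a constructed FIB for a hypothetical edge router. The interface names, the documentation-range prefixes, the sample packets and the `allow_default` knob are assumptions made for the example; real router implementations differ in detail.

```python
"""Toy source-address validation (s.a.v., BCP 38) in the style of unicast
RPF.  Added example for this thread; not code from the post or from any
vendor.  Prefixes, interface names, FIB and packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str          # egress interface toward prefix; "null0" = discard


# Constructed FIB for a hypothetical edge router: two customer links
# (cust0, cust1), a default route toward transit (up0) and a bogon discard.
FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "up0"),
    Route(ipaddress.ip_network("192.0.2.0/24"), "cust0"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "cust1"),
    Route(ipaddress.ip_network("10.0.0.0/8"), "null0"),
]


def lookup(addr: str):
    """Longest-prefix match against FIB; returns a Route or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in FIB:
        if ip in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def sav_permits(src: str, ingress: str, mode: str = "strict",
                allow_default: bool = False) -> bool:
    """Decide whether a packet with source `src` arriving on `ingress` passes.

    strict: the best route back to src must point out of `ingress`
            (what you turn on toward a customer link).
    loose:  any route to src that is not a discard route suffices
            (only catches bogons / unrouted space).
    The default route does not count unless allow_default is set, an
    assumption modelled on the explicit allow-default knob vendors expose.
    """
    route = lookup(src)
    if route is None or route.iface == "null0":
        return False
    if route.prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "strict":
        return route.iface == ingress
    return True


# Constructed packets: (source, destination, ingress interface)
PACKETS = [
    ("192.0.2.10", "203.0.113.53", "cust0"),    # cust0 legitimately sending
    ("192.0.2.10", "203.0.113.53", "cust1"),    # cust1 spoofing cust0's space
    ("203.0.113.5", "198.51.100.53", "cust0"),  # cust0 spoofing a victim toward a resolver
    ("10.1.2.3", "203.0.113.53", "up0"),        # bogon arriving from transit
]


def verdicts(packets=PACKETS, mode="strict", allow_default=False):
    """Map each (source, ingress) to the s.a.v. decision; spoofed ones are False."""
    return {
        (src, ingress): sav_permits(src, ingress, mode, allow_default)
        for src, _dst, ingress in packets
    }


if __name__ == "__main__":
    for (src, ingress), ok in verdicts().items():
        print(f"{src:>14} on {ingress:<5} -> {'forward' if ok else 'DROP'}")
```

The third packet is the amplification case from the thread's subject: a customer host forging a victim's address as source toward a resolver. With strict mode on the customer interface it is dropped at the first hop; with loose mode plus a default route it would be forwarded, which is why the choice of default matters more than the presence of the feature.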




More information about the dns-operations mailing list