[dns-operations] First experiments with DNS dampening to fight amplification attacks

paul vixie paul at redbarn.org
Fri Oct 26 15:22:11 UTC 2012


On 10/26/2012 3:15 PM, WBrown at e1b.org wrote:
> paul vixie <paul at redbarn.org> wrote on 10/26/2012 10:32:57 AM:
>
>> ... they are following the 'chemical polluter business model' where the
>> money is made "here" and the impact is only felt "over there".
> I'm not an internet routing guru, so I must not be seeing something.  When 
> my organization connects to an upstream provider, they know we have a 
> block of addresses assigned (Actually, we have more than one).  They know 
> that we connect to their switch in rack X, switch Y, port Z.
>
> If they see a packet with a source address of 8.8.8.8 appearing on that 
> port, what possible reason could they have for allowing it through? 

the cost of finding out from you which source ip address ranges are
valid for your interface, programming their routing equipment, dealing
with the error rate inevitable in all human-related systems, and
auditing all of this is measurably non-zero. this is what experienced
providers call a 'one-off'. to the extent that they can make your
interface with what many providers call a 'cookie cutter' -- that is,
all alike -- they will spend measurably less money delivering their
service to you.

> ...
>
> I looked at BCP84/RFC3704, but as a non-networking person, it was brushing 
> the bald-spot. 

the non-networking person version (sometimes called the 'pointy haired
boss version') is called 'SAC004' and was written by me ten years ago
(october 2002):
<http://archive.icann.org/en/committees/security/sac004.txt>.

> I know this is drifting from the list topic, so thank you for the 
> indulgence.

source address validation is very important to dns operations; i don't
consider this thread off-topic.

paul
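The ingress check the exchange above describes (a packet claiming to be from 8.8.8.8 arriving on the customer's port), generalized to the strict, feasible-path and loose reverse-path modes that BCP84/RFC3704 defines for multihomed customers, as an added example that is not part of this thread: a small Python reverse-path filter run against a constructed forwarding table. The prefixes, interface names and FIB layout are assumptions made for the illustration.

```python
import ipaddress

# Constructed forwarding table for one provider edge router (sample data, not from the thread).
# Each prefix maps to the interfaces through which it is reachable: the first entry is the
# best path, any further entries are feasible alternates (a customer multihomed on two ports).
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): ["port-Z"],          # customer block behind rack X / port Z
    ipaddress.ip_network("198.51.100.0/25"): ["port-Z"],         # the customer's second block
    ipaddress.ip_network("192.0.2.0/24"): ["port-Z", "port-Q"],  # multihomed customer, two feasible paths
    ipaddress.ip_network("0.0.0.0/0"): ["upstream"],             # default route to the rest of the internet
}

def lookup(src):
    """Longest-prefix match for a source address; returns (network, interfaces) or None."""
    hits = [(net, ifs) for net, ifs in FIB.items() if src in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def permit(src_ip, ingress, mode="strict"):
    """Reverse-path check in the three modes RFC 3704 describes.
    strict:   the best route back to the source must leave via the ingress interface.
    feasible: any feasible (alternate) route via the ingress interface is enough.
    loose:    a route back to the source merely has to exist; the default route does not count.
    Returns True when the packet would be forwarded, False when it would be dropped."""
    src = ipaddress.ip_address(src_ip)
    hit = lookup(src)
    if hit is None:
        return False
    net, ifaces = hit
    if mode == "loose":
        return net.prefixlen > 0          # a default-route match is not a real route back
    if net.prefixlen == 0:
        return False                      # strict/feasible never accept a default-route match
    if mode == "strict":
        return ifaces[0] == ingress
    if mode == "feasible":
        return ingress in ifaces
    raise ValueError(f"unknown mode {mode!r}")

if __name__ == "__main__":
    # The case from the thread: a packet claiming to be from 8.8.8.8 arriving on the customer port.
    for mode in ("strict", "feasible", "loose"):
        print(mode, permit("8.8.8.8", "port-Z", mode))
```

In strict mode the multihomed customer's second port (port-Q) would be rejected for 192.0.2.0/24, which is exactly the asymmetric-routing case RFC 3704 introduces feasible-path mode to handle.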
