[dns-operations] correction about RRL leakage

nudge nudgemac at fastmail.fm
Thu Feb 21 18:32:02 UTC 2013

On Wed, Sep 26, 2012, at 07:40 PM, Vernon Schryver wrote:
> A discouraging fact is that rate limiting doesn't help if the bad guy
> uses a list of 100,000 or 1,000,000 servers and only 1 or 0.1 forged
> query/sec.  The only hope is that by the time the bad guys get smart
> and ambitious enough to use millions of reflectors, BCP38 will be so
> common that the sending systems can be found and quenched.

Today I attended a cyber-security conference organised by ICSPA
(International Cyber Security Protection Alliance). All day I heard
presentations by various companies with expertise in this field. DNS was
never mentioned. One presentation was given by the head of
cyber-security for what I believe is the largest ISP in France. I took
the opportunity to ask him what their position was regarding BCP38. He
didn't know what I was talking about (my french is good). When I gave a
brief description of BCP38 he started talking about what they do to
prevent credit card fraud. I tried again but...

Sounds to me like the bad guys still have time to spare.

More information about the dns-operations mailing list