[dns-operations] responding to spoofed ANY queries

Vernon Schryver vjs at rhyolite.com
Sat Jan 12 23:11:14 UTC 2013

> From: Florian Weimer <fw at deneb.enyo.de>

> > The problem is amplification.
> No, the actual problem is source address spoofing.
> > It can only be mitigated.
> The spoofing problem could be mitigated if we actually wanted to, and
> were willing to punish those who try to send their pollution to the
> rest of the network.
> We just need to admit that self-regulation by the industry has failed
> to address this matter adequately.

That statement is wrong and irritating.

Neither the UN, ITU, U.S. Department of Homeland Security, nor any other
mechanism could improve the "self-regulation by the industry" situation.
The UN/ITU is impotent except when its dictums are enforced by local
governments; there are no blue helmeted netcops in the foreseeable
future.  There are too many jurisdictions that don't enforce too 
many real world norms to rely on law enforcement organizations.

If state actors have not been forging IP header source fields, they
will.  Blunt force denial of service by flooding of a few well known
commercial outfits is not the only use for forged IP headers.  The
tool is too tempting and potentially effective for too many government
projects ranging from national hostilities to operations by law
enforcement against criminals to expect governments to entirely
support BCP38 or even allow its complete deployment.  This is like
the prospects for governments and politicians limiting their own spam.

The best we can hope for is "more self-regulation by the industry"
in the form of slowly increasing ingress filtering and ultimately the
de-peering of networks that are too obviously problems.  Even that
ultimate stage wouldn't stop forged IP source addresses.  There will
always be boxes on the wrong sides of filters that will be used for
DNS reflection and other bad conduct.

IP source address forging is like spam.  An occasional exceptionally
stupid and irritating spammer is fined or sent to jail and the SMTP
equivalents of network egress filtering keep individual mailboxes
useful.  (BCP38 is ingress filtering.)

Vernon Schryver    vjs at rhyolite.com
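As an added illustration of the ingress filtering (BCP38) the post points to, and not code from the post or its author, here is a small Python model of a provider-edge BCP38 check: a packet arriving on a customer-facing interface whose source address lies outside that customer's assigned prefixes is dropped before it can reach a resolver and be reflected at the forged source. The interface names, prefixes and sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str  # customer-facing interface the packet arrived on
    src: str    # source address as written in the IP header (may be forged)
    dst: str
    dport: int

# Hypothetical assignment table: ingress interface -> prefixes allocated to that
# customer. A BCP38 filter passes only packets whose source lies inside them.
INGRESS_PREFIXES = {
    "cust1": [ipaddress.ip_network("192.0.2.0/24")],
    "cust2": [ipaddress.ip_network("198.51.100.0/25")],
}

def ingress_permitted(pkt, table=INGRESS_PREFIXES):
    """True if pkt's source lies within the prefixes assigned to its ingress interface."""
    prefixes = table.get(pkt.iface)
    if prefixes is None:
        return False  # unknown interface: fail closed
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False  # malformed source can never be a legitimate customer address
    return any(src in p for p in prefixes)

def filter_ingress(packets, table=INGRESS_PREFIXES):
    """Split packets into (forwarded, dropped); each dropped entry carries a reason."""
    forwarded, dropped = [], []
    for pkt in packets:
        if ingress_permitted(pkt, table):
            forwarded.append(pkt)
        else:
            dropped.append((pkt, f"src {pkt.src} not in prefixes of {pkt.iface}"))
    return forwarded, dropped

# Constructed sample traffic toward a resolver at 198.51.100.53: two legitimate
# queries, one forged as the reflection victim 203.0.113.7, one outside the /25.
SAMPLE = [
    Packet("cust1", "192.0.2.10", "198.51.100.53", 53),
    Packet("cust1", "203.0.113.7", "198.51.100.53", 53),
    Packet("cust2", "198.51.100.200", "198.51.100.53", 53),
    Packet("cust2", "198.51.100.9", "198.51.100.53", 53),
]

if __name__ == "__main__":
    fwd, drp = filter_ingress(SAMPLE)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}", *(r for _, r in drp), sep="\n")
```

The same check is what a router applies per interface with a unicast reverse-path or access-list rule; this model only makes the decision explicit on sample packets.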
