[dns-operations] responding to spoofed ANY queries

Mark Andrews marka at isc.org
Sat Jan 12 23:55:59 UTC 2013


In message <201301122311.r0CNBEdd082905 at calcite.rhyolite.com>, Vernon Schryver writes:
> > From: Florian Weimer <fw at deneb.enyo.de>
> 
> > > The problem is amplification.
> >
> > No, the actual problem is source address spoofing.
> 
> ok.
> 
> > > It can only be mitigated.
> >
> > The spoofing problem could be mitigated if we actually wanted to, and
> > were willing to punish those who try to send their pollution to the
> > rest of the network.
> >
> > We just need to admit that self-regulation by the industry has failed
> > to address this matter adequately.
> 
> That statement is wrong and irritating.
> 
> Neither the UN, ITU, U.S. Department of Homeland Security, nor any other
> mechanism could improve the "self-regulation by the industry" situation.
> The UN/ITU is impotent except when its dictums are enforced by local
> governments; there are no blue helmeted netcops in the foreseeable
> future.  There are too many jurisdictions that don't enforce too 
> many real world norms to rely on law enforcement organizations.

Governments can require ISPs to implement BCP 38 on customer connections
along with compliance audits, random spot checks etc.  One of the main
reasons ISPs cite for not doing BCP 38 is that it puts them at a
competitive disadvantage.  Such regulation would remove the competitive
disadvantage excuse.

> If state actors have not been forging IP header source fields, they
> will.  Blunt force denial of service by flooding of a few well known
> commercial outfits is not the only use for forged IP headers.  The
> tool is too tempting and potentially effective for too many government
> projects ranging from national hostilities to operations by law
> enforcement against criminals to expect governments to entirely
> support BCP38 or even allow its complete deployment.  This is like
> the prospects for governments and politicians limiting their own spam.

But they do limit UCE, some more than others.  Governments are
in a position to influence other governments.

> The best we can hope for is "more self-regulation by the industry"
> in the form of slowly increasing ingress filtering and ultimately the
> de-peering of networks that are too obviously problems.  Even that
> ultimate stage wouldn't stop forged IP source addresses.  There will
> always be boxes on the wrong sides of filters that will be used for
> DNS reflection and other bad conduct.
> 
> IP source address forging is like spam.  An occasional exceptionally
> stupid and irritating spammer is fined or sent to jail and the SMTP
> equivalents of network egress filtering keeps individual mailboxes
> useful.  (BCP38 is ingress filtering.)
> 
> 
> Vernon Schryver    vjs at rhyolite.com
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


