[dns-operations] responding to spoofed ANY queries
drc at virtualized.org
Sun Jan 13 00:21:00 UTC 2013
On Jan 12, 2013, at 3:11 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
>> We just need to admit that self-regulation by the industry has failed
>> to address this matter adequately.
> That statement is wrong and irritating.
While I might agree it is irritating, it is so because it is true. Industry self-regulation has indeed failed.
> The tool is too tempting and potentially effective for too many government
> projects ranging from national hostilities to operations by law
> enforcement against criminals to expect governments to entirely
> support BCP38 or even allow its complete deployment. This is like
> the prospects for governments and politicians limiting their own spam.
A possibility, but I've not yet reached that level of cynicism. I suspect that when there is a sufficient demonstration of the effectiveness of source address spoofing against government or infrastructure targets, laws will suddenly appear that require ISPs to take steps to ensure the traffic they source has appropriate source addresses, just as laws appeared to allow lawful intercept of traffic.
I personally believe it is only a matter of time.
> IP source address forging is like spam.
Not really. Spam doesn't affect anything except email. Source address spoofing can affect _anything_ on the Internet.