[dns-operations] responding to spoofed ANY queries

Patrick, Robert (CONTR) Robert.Patrick at hq.doe.gov
Sun Jan 13 05:05:02 UTC 2013


I'm looking forward to rate-limiting first included in the main releases of market-leading software implementations, allowing operators to enable defenses without separate patches, and subsequently have those features enabled by default after positive feedback.  We must be able to act as the villagers that took some action to defend against the wild shepherds with sheep run amok in the Commons.

In the grand scheme of our near future, it really wouldn't be that hard for Cisco, Juniper, and a few others to enable uRPF by default on all new model equipment, requiring operators to specifically disable it where necessary, resulting in a significant drop in spoofing, much the same as how some ISPs are preventing outbound SMTP from residential space to clean their networks of SPAM generating sources.  RRL should be implemented in the same fashion for DNS.

Meandering comments follow.

> Abusers will move to the next low-hanging fruit

> In the real world, the phrase covering laws against
> "cybercrime" is "security theater."

+1. Agreed.

> industry self regulation does not prevent shepherds
> from grazing their flocks in the village commons.
> for that class of problem, the solution throughout
> human history has been law.

There are cases where villagers took action against shepherds directly in response to the Commons overrun by flocks, obviating the need of written law until much later.  Written law is an abstract to have a governing body punish others for matters which outmatch an individual's resources.  Better to empower individuals than become too dependent upon overly powerful governing bodies.

> admit that self-regulation by the industry has failed
> to address this matter adequately.

Law doesn't reduce crime to zero, and to listen to some, existing laws don't address matters adequately.  New laws don't necessarily change the balance old laws attempted.  

Given that industry self regulation hasn't reduced spoofing to zero isn't a failure, neither is all law a failure.

The pursuit of happiness, the struggle, is the point.  There is no Utopia to be reached, only strived for.  There will always be takers/abusers and nothing will reduce that to zero.  Murder has been outlawed since Cain and Abel, yet we keep passing new laws trying to stop it.

The Internet works.  Reading this email is proof of that.  Industry self regulation has gotten us a long way, and likely will continue to do so.

The easiest model to review is SPAM.  Email became almost unusable several years ago, and then the industry matured (villagers took action against shepherds, followed later with what amounts to law in some nations, but it's the villagers that are most effective, not law).

Another model to review is the Wild West, and how it's no longer as Wild.  Law alone didn't tame it.

The industry is adapting.  The Internet will continue to work, or a new communication method will rise from the ashes of the old.

> Would you have DHS inspectors checking compliance?
> Would they spot check cages in data centers,
> consumer access routers, and so on and so forth?

That would be as efficient and effective as TSA at airports.

Let's hope the madness ends soon!

--/--



More information about the dns-operations mailing list