[dns-operations] responding to spoofed ANY queries

Paul Vixie paul at redbarn.org
Sun Jan 13 06:05:05 UTC 2013


Patrick, Robert (CONTR) wrote:
> I'm looking forward to rate-limiting first being included in the main releases of market-leading software implementations, allowing operators to enable defenses without separate patches, and subsequently to having those features enabled by default after positive feedback.

nevertheless i think it's very cool that the freebsd "ports" maintainer
for BIND9 has made RRL a configurable option.

> There are cases where villagers took action against shepherds directly
> in response to the Commons overrun by flocks, obviating the need of
> written law until much later. Written law is an abstract to have a
> governing body punish others for matters which outmatch an
> individual's resources. Better to empower individuals than become too
> dependent upon overly powerful governing bodies.

the analogy fails here. on the internet, every network-to-network
connection adds to everybody else's commons. as the founder of MAPS,
which was the first anti-spam company, i could tell you some stories of
exactly why one person's right to swing their fist ends at the point of
another person's chin. but, that would digress.

> ...
> Given that industry self regulation hasn't reduced spoofing to zero isn't a failure, neither is all law a failure.

binary filters (failure or not a failure) aren't useful here. what's
happened is that clouds and virtual hosting have dramatically increased
the attack surface. millions of poorly trained amateurs are now
responsible for "kvm" environments running now-outdated operating systems
and unpatched web servers and unpatched web-app frameworks. by service
definition, the operators of the upstream networks have no insight or
control over what's running. by economics, the operators of these
upstream networks can neither act on complaints, nor monitor outflow,
nor run BCP38 ingress filtering on their customer-facing interfaces.
self regulation won't be fixing that. law might.

if all industry self regulation hadn't done was reduce spoofing i'd be
willing to entertain arguments that industry self regulation had not
failed. since what's actually happened is a well capitalized world wide
expansion of gigabit connected spoof generators, i am willing to say
that in this case, industry self regulation has, abjectly, failed.
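A simplified model of the response rate limiting (RRL) defense discussed in this thread, added here as an illustration; it is not BIND9's implementation and not the FreeBSD ports maintainer's patch. It assumes a token bucket keyed on the client /24 plus the identity of the response (qname, qtype), a negative balance that penalizes a netblock after a burst, and a "slip" rule that answers every second excess query with a truncated response so a genuine resolver retries over TCP while the reflected traffic toward a spoofed victim stays small. The rate, window, slip values and the query log are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Query:
    src: str      # source address as seen on the wire (may be spoofed)
    qname: str
    qtype: str
    time: float   # seconds; queries are assumed to arrive in time order


class ResponseRateLimiter:
    """Simplified RRL: one token bucket per (client /24, qname, qtype).

    Constructed model, not BIND's code. A bucket starts full, refills at
    `responses_per_second`, and may go negative down to -window*rate so a
    burst keeps a netblock limited for a while after it stops.
    """

    def __init__(self, responses_per_second=5, window=15, slip=2, prefix_len=24):
        self.rate = float(responses_per_second)
        self.floor = -self.rate * window   # deepest allowed penalty
        self.slip = slip                   # every slip-th excess response is truncated
        self.prefix_len = prefix_len
        self.balance = {}                  # key -> (tokens, last_seen_time)
        self.excess = defaultdict(int)     # key -> count of excess responses

    def _key(self, q):
        net = ip_network(f"{q.src}/{self.prefix_len}", strict=False)
        return (str(net), q.qname.lower(), q.qtype.upper())

    def decide(self, q):
        """Return 'send', 'truncate' or 'drop' for one query."""
        key = self._key(q)
        tokens, last = self.balance.get(key, (self.rate, q.time))
        # credit elapsed time, never above one second's worth of responses
        tokens = min(self.rate, tokens + (q.time - last) * self.rate)
        if tokens >= 1:
            self.balance[key] = (tokens - 1, q.time)
            return "send"
        # excess: charge the bucket (bounded) and apply the slip rule
        self.balance[key] = (max(tokens - 1, self.floor), q.time)
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "truncate"   # TC=1, empty answer: real clients retry over TCP
        return "drop"


def run(queries, limiter=None):
    limiter = limiter or ResponseRateLimiter()
    return [limiter.decide(q) for q in queries]


def summarize(actions):
    return dict(Counter(actions))


# Constructed log: a burst of 20 ANY queries that claim to come from one host,
# then one more from the same /24 a second later, plus two unrelated queries.
SAMPLE_QUERIES = (
    [Query("192.0.2.10", "example.com", "ANY", 0.0) for _ in range(20)]
    + [Query("192.0.2.77", "example.com", "ANY", 1.0)]      # same /24, still penalized
    + [Query("198.51.100.5", "example.com", "ANY", 0.0)]    # different /24: own bucket
    + [Query("192.0.2.10", "example.org", "ANY", 0.0)]      # different response identity
)

if __name__ == "__main__":
    for q, action in zip(SAMPLE_QUERIES, run(SAMPLE_QUERIES)):
        print(f"{q.time:4.1f}s {q.src:>14} {q.qname:<12} {q.qtype:<4} -> {action}")
    print(summarize(run(SAMPLE_QUERIES)))
```

With the defaults, the first five responses to the burst are sent, the remaining fifteen alternate between drop and truncate, and the query from 192.0.2.77 a second later is still limited because the /24's balance is deep in penalty; the other netblock and the other name are unaffected because they have their own buckets. Keying on the client prefix rather than the exact address is what makes this useful against spoofing: the attacker picks the source address, but every forged address in the victim's netblock shares one budget.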

