[dns-operations] Having doubts about BCP38 solving the ORN problem
marka at isc.org
Sun Mar 31 20:59:55 UTC 2013
In message <Pine.LNX.4.53.1303311221440.20798 at flame.m3047.net>, Fred Morris wri
> I'm sure this must have been discussed at some point, somewhere.
> The premise with regard to BCP38 + open resolvers is that the spoofed
> packets reside on different networks than the resolvers. If these
> resolvers are primarily CPE and other unmaintained equipment, then it
> stands to reason that they reside inside networks containing other
> equipment; and this equipment could be the source of the source-spoofed
> (DNS) packets.
> Reflecting traffic off of an open resolver on one's own network would
> serve to cloak the true identity of the originator.
> BCP38 filtering on egress from the network is ineffective in such
> scenarios because it is based on the assumption that the spoofed packets
> are coming in from outside the network (and hence originated as egress
> from someone else's network).
It still reduces the problem space. The black hats have a smaller set
of reflectors to use and as you close them off you neutralise the
BCP38 filtering is supposed to be applied as close as possible to the
> If the good guys can map open resolvers, so can the bad guys. (There are
> no "black hat" data scientists?)
> If we know that spoofed port queries are traversing peering points, then
> we know the networks they're coming from. If we don't know that, then see
> above; if we can't shame them, see "Maginot Line".
> Fred Morris
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> dns-jobs mailing list
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
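To make the disagreement above concrete, here is a small added model (not from either poster, and not from any real deployment) of where BCP38 source-address validation is enforced. The topology and addresses are constructed from RFC 5737 documentation prefixes: an attacking host and an open CPE resolver sit on two access segments of the same ISP network, and a victim sits outside it. With validation only at the ISP border, the spoofed query never crosses the border and the reflected response carries the resolver's own, legitimate source, so nothing is ever dropped; with validation at the access segment nearest the host, the spoofed query is dropped before it reaches the resolver. Function and hop names are illustrative assumptions.

```python
"""Model of BCP38 filter placement when the spoofing host and the open
resolver it reflects off share one network. All addresses, segment
names and hop names are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "query" or "response"


# Constructed topology (RFC 5737 documentation space, not real hosts)
ISP_PREFIX = IPNet("192.0.2.0/24")      # the whole ISP network
SEGMENT_A = IPNet("192.0.2.0/26")       # access segment holding the attacker
SEGMENT_B = IPNet("192.0.2.64/26")      # access segment holding the CPE resolver
ATTACKER = "192.0.2.10"
OPEN_RESOLVER = "192.0.2.100"
VICTIM = "198.51.100.5"                 # outside the ISP network

Hop = Tuple[str, Optional[List[IPNet]]]   # (hop name, prefixes it may originate, or None = no filter)


def bcp38_permits(pkt: Packet, allowed: List[IPNet]) -> bool:
    """True if pkt.src falls inside a prefix this filter point is allowed
    to originate. This is the whole of BCP38 / uRPF-style validation."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in allowed)


def forward(pkt: Packet, hops: List[Hop]) -> str:
    """Walk a packet through the hops in order and report where, if
    anywhere, source-address validation drops it."""
    for name, allowed in hops:
        if allowed is not None and not bcp38_permits(pkt, allowed):
            return f"dropped at {name}"
    return "delivered"


def reflection_attempt(filter_at_access: bool) -> dict:
    """The attacker on segment A sends a query with the victim's address
    as source to the open resolver on segment B. Returns the fate of the
    query and of the resolver's response for the chosen filter placement."""
    access_a_filter = SEGMENT_A if filter_at_access else None
    border_filter = [ISP_PREFIX]   # border always validates against the ISP prefix

    # Internal path: attacker -> access router A -> core -> resolver.
    # The border is never crossed, so a border-only filter cannot see it.
    query = Packet(src=VICTIM, dst=OPEN_RESOLVER, kind="query")
    query_fate = forward(query, [("access-A", [access_a_filter] if access_a_filter else None),
                                 ("core", None)])
    if query_fate != "delivered":
        return {"query": query_fate, "response": "never generated"}

    # The resolver answers toward the spoofed source with its own, genuine
    # address, so the border filter correctly passes it: the reflection works.
    response = Packet(src=OPEN_RESOLVER, dst=VICTIM, kind="response")
    response_fate = forward(response, [("core", None), ("border", border_filter)])
    return {"query": query_fate, "response": response_fate}


if __name__ == "__main__":
    print("border-only filtering :", reflection_attempt(filter_at_access=False))
    print("access-layer filtering:", reflection_attempt(filter_at_access=True))
```

The model only expresses what both posters already say: a border egress filter is blind to spoofed traffic that stays inside the network, while the same check applied at the access segment (as close to the host as possible) catches it before the reflector is ever reached.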