[dns-operations] Having doubts about BCP38 solving the ORN problem

Mark Andrews marka at isc.org
Sun Mar 31 20:59:55 UTC 2013


In message <Pine.LNX.4.53.1303311221440.20798 at flame.m3047.net>, Fred Morris writes:
> I'm sure this must have been discussed at some point, somewhere.
> 
> The premise with regard to BCP38 + open resolvers is that the spoofed
> packets reside on different networks than the resolvers. If these
> resolvers are primarily CPE and other unmaintained equipment, then it
> stands to reason that they reside inside networks containing other
> equipment; and this equipment could be the source of the source-spoofed
> (DNS) packets.
> 
> Reflecting traffic off of an open resolver on one's own network would
> serve to cloak the true identity of the originator.
> 
> BCP38 filtering on egress from the network is ineffective in such
> scenarios because it is based on the assumption that the spoofed packets
> are coming in from outside the network (and hence originated as egress
> from someone else's network).

It still reduces the problem space.  The black hats have a smaller set
of reflectors to use and as you close them off you neutralise the
compromised machines.

BCP38 filtering is supposed to be applied as close as possible to the
traffic sources.
 
> If the good guys can map open resolvers, so can the bad guys. (There are
> no "black hat" data scientists?)
> 
> If we know that spoofed port queries are traversing peering points, then
> we know the networks they're coming from. If we don't know that, then see
> above; if we can't shame them, see "Maginot Line".
> 
> --
> 
> Fred Morris
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
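To make the placement argument concrete, here is an added simulation (not from the thread or from either poster) of the two BCP38 placements: a filter only at the ISP's Internet border versus a filter on every customer-facing port. The topology, addresses (RFC 5737 documentation ranges) and port names are constructed for the example; it shows that a query spoofed from one customer port toward an open resolver on another port never crosses the border, so only the per-port filter stops the reflection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology using documentation address ranges (RFC 5737):
# one ISP prefix split across two customer-facing ports; the open resolver
# sits on port-B, the spoofing host on port-A, the victim outside the ISP.
ISP_PREFIX = ip_network("203.0.113.0/24")
CUSTOMER_SUBNETS = {
    "port-A": ip_network("203.0.113.0/26"),
    "port-B": ip_network("203.0.113.64/26"),
}
OPEN_RESOLVER = "203.0.113.70"   # constructed: unmaintained CPE on port-B
VICTIM = "198.51.100.5"          # constructed: address outside the ISP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress_port: str  # the customer port the packet arrived on


def border_egress_filter(pkt: Packet) -> str:
    """BCP38 applied only at the ISP's Internet-facing border.

    Returns "not-seen" when the packet never crosses the border (its
    destination is inside the ISP), otherwise "forward" or "drop" depending
    on whether the source address belongs to the ISP's own prefix.
    """
    if ip_address(pkt.dst) in ISP_PREFIX:
        return "not-seen"
    return "forward" if ip_address(pkt.src) in ISP_PREFIX else "drop"


def per_port_ingress_filter(pkt: Packet) -> str:
    """BCP38 applied on every customer-facing port, i.e. close to the source.

    A packet may only carry a source address from the subnet assigned to
    the port it arrived on.
    """
    allowed = CUSTOMER_SUBNETS[pkt.ingress_port]
    return "forward" if ip_address(pkt.src) in allowed else "drop"


# The two packets of an in-network reflection: a query with the victim's
# address forged as source, and the resolver's reply to that address.
SPOOFED_QUERY = Packet(src=VICTIM, dst=OPEN_RESOLVER, ingress_port="port-A")
REFLECTED_ANSWER = Packet(src=OPEN_RESOLVER, dst=VICTIM, ingress_port="port-B")


def victim_receives_reflection(placement: str) -> bool:
    """Does the reflected answer reach the victim under a given BCP38 placement?"""
    if placement == "border":
        # The spoofed query stays inside the ISP, so the border never sees it;
        # the answer carries a legitimate ISP source and is forwarded.
        return (border_egress_filter(SPOOFED_QUERY) == "not-seen"
                and border_egress_filter(REFLECTED_ANSWER) == "forward")
    if placement == "per-port":
        # The query is checked on the port it came in on; with a forged
        # off-subnet source it is dropped there and the resolver never answers.
        return (per_port_ingress_filter(SPOOFED_QUERY) == "forward"
                and per_port_ingress_filter(REFLECTED_ANSWER) == "forward")
    raise ValueError(f"unknown placement: {placement}")


if __name__ == "__main__":
    for placement in ("border", "per-port"):
        print(f"{placement:9s} victim receives reflected traffic: "
              f"{victim_receives_reflection(placement)}")
```

The border filter is not wrong, it simply never sees the offending packet; the same check evaluated on the ingress port catches it, which is why the filter belongs as close to the traffic source as the operator can put it.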