[dns-operations] about DNS attack

Damian Menscher damian at google.com
Mon Jun 2 20:45:51 UTC 2014

On Mon, Jun 2, 2014 at 6:49 AM, Livingood, Jason <
Jason_Livingood at cable.comcast.com> wrote:

>   On 5/30/14, 10:09 PM, "Damian Menscher" <damian at google.com> wrote:
>   Attacks at this scale are beyond the capabilities of most
> organizations, so you should always do your part to identify and dismantle
> the botnet infrastructure when possible.  Collecting a list of
> participating IPs and notifying their abuse contacts helps.
>  ICANN’s SSAC recently released a document on this @
> https://www.icann.org/en/system/files/files/sac-065-en.pdf

To clear up a potential misinterpretation: I recommend contacting owners of
participating IPs only in cases where those IPs are infected.  The
referenced document describes cleaning up open resolvers, and I take the
controversial view that doing so is a fool's errand: even if we're wildly
successful and clean 95% of them, that still leaves a million for the
attackers to abuse, resulting in no practical improvement for the victims.
 My preferred approach is to identify and remediate networks that permit
source-address spoofing in violation of BCP38, as there are far fewer
choke-points, and incremental progress makes the attacker's job
progressively more difficult (as they have to find connectivity among a
dwindling set of irresponsible providers).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20140602/cd2af5a1/attachment.html>

More information about the dns-operations mailing list