[dns-operations] about DNS attack
damian at google.com
Mon Jun 2 20:45:51 UTC 2014
On Mon, Jun 2, 2014 at 6:49 AM, Livingood, Jason <
Jason_Livingood at cable.comcast.com> wrote:
> On 5/30/14, 10:09 PM, "Damian Menscher" <damian at google.com> wrote:
> Attacks at this scale are beyond the capabilities of most
> organizations, so you should always do your part to identify and dismantle
> the botnet infrastructure when possible. Collecting a list of
> participating IPs and notifying their abuse contacts helps.
> ICANN’s SSAC recently released a document on this @
To clear up a potential misinterpretation: I recommend contacting owners of
participating IPs only in cases where those IPs are infected. The
referenced document describes cleaning up open resolvers, and I take the
controversial view that doing so is a fool's errand: even if we're wildly
successful and clean 95% of them, that still leaves a million for the
attackers to abuse, resulting in no practical improvement for the victims.
My preferred approach is to identify and remediate networks that permit
source-address spoofing in violation of BCP38, as there are far fewer
choke-points, and incremental progress makes the attacker's job
progressively more difficult (as they have to find connectivity among a
dwindling set of irresponsible providers).
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dns-operations