[dns-operations] Storm on the DNS

Mark Andrews marka at isc.org
Tue Dec 8 22:19:22 UTC 2015


We should be leveraging the existing work like bcp38.info.

CPE border routers should be filtering non locally sourced packets
so that compromised internal machines don't get to spew traffic
onto the Internet.  This will be more important for IPv6 as many
NAT boxes NAT everything turning spoofed traffic into source
identifiable traffic whereas in IPv6 it won't be.

Yes, CPE border routers also get compromised.

We should be pushing for legislation that requires vendors to publish
known flaws that allow a system to be taken over and also require
vendors to publish free fixes for those compromises for at least
10 years from last customer shipment.  This ship and forget mentality
has to be stopped.  Reasonable time frames also need to be specified.
There also has to be a free way to report a flaw.  

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the dns-operations mailing list