[dns-operations] Storm on the DNS

Paul Vixie paul at redbarn.org
Wed Dec 16 07:28:40 UTC 2015


On Wednesday, December 16, 2015 02:39:40 PM Yonghua Peng wrote:
> Yes all you said are right.
> I know BCP48 is best practice, but very few ISP/IDCs follow this
> standard. So we have no valid way to defend a spoofed IP attack?

since dns is not the only protocol that can act as a reflecting amplifier, the solution to 
spoofing has to be larger than dns. either we stop every edge from allowing spoofed input 
packets:

http://www.redbarn.org/internet/save

or we fix every amplifier in every protocol:

http://queue.acm.org/detail.cfm?id=2578510

noting that "every protocol" includes every tcp responder, which is the whole internet:

http://www.christian-rossow.de/publications/tcpamplification-woot2014.pdf

neither solution (source address validation everywhere, or rate limiting everywhere) is 
obviously harder than the other.

absent laws and treaties, we'll have to continue nibbling the corners of this gigantic global 
problem. the internet, like all power tools, contains the seeds of its own destruction and its 
creators' destruction.

-- 
P Vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20151215/29763ef9/attachment.html>


More information about the dns-operations mailing list