[dns-operations] Storm on the DNS
Paul Vixie
paul at redbarn.org
Wed Dec 16 07:28:40 UTC 2015
On Wednesday, December 16, 2015 02:39:40 PM Yonghua Peng wrote:
> Yes all you said are right.
> I know BCP48 is best practice, but very few ISP/IDCs follow this
> standard. So we have no valid way to defend a spoofed IP attack?
since dns is not the only protocol that can act as a reflecting amplifier, the solution to
spoofing has to be larger than dns. either we stop every edge from allowing spoofed input
packets:
http://www.redbarn.org/internet/save
or we fix every amplifier in every protocol:
http://queue.acm.org/detail.cfm?id=2578510
noting that "every protocol" includes every tcp responder, which is the whole internet:
http://www.christian-rossow.de/publications/tcpamplification-woot2014.pdf
neither solution (source address validation everywhere, or rate limiting everywhere) is
obviously harder than the other.
absent laws and treaties, we'll have to continue nibbling the corners of this gigantic global
problem. the internet, like all power tools, contains the seeds of its own destruction and its
creators' destruction.
--
P Vixie
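As an added illustration of the two mitigations the post contrasts (this is example code written for this page, not code from the list post, from BIND, or from any real resolver), the block below simulates a BCP 38 style ingress filter at a customer edge and a simplified rate limiter in the spirit of DNS Response Rate Limiting at the responder, then measures how many bytes a spoofed-source query burst gets reflected under each. Every address, prefix, query record and response size is constructed; `ingress_filter`, `ResponseRateLimiter`, `reflected_bytes` and `edge_filtered` are names invented here, and real RRL implementations track more state (per-zone budgets, error-response limits, TCP fallback) than this sketch does.

```python
"""Edge source-address validation versus responder-side rate limiting,
measured on a constructed burst of spoofed-source DNS queries.
Example code added for this page; not from the original post."""
import ipaddress
from collections import defaultdict

# Constructed query log: (timestamp, source ip, qname, qtype,
# request bytes on the wire, bytes the full response would be).
# 20 spoofed queries claim to come from 203.0.113.7 and ask for a large
# answer; one legitimate query comes from the edge's own customer range.
QUERY_LOG = [(i * 0.02, "203.0.113.7", "example.com.", "ANY", 64, 3000)
             for i in range(20)]
QUERY_LOG.append((0.5, "198.51.100.9", "example.com.", "A", 64, 120))

# Prefixes this edge is entitled to originate traffic from (constructed).
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Size of a header-only reply with TC=1; the client must retry over TCP.
TRUNCATED_REPLY_BYTES = 60


def ingress_filter(src_ip, allowed=CUSTOMER_PREFIXES):
    """BCP 38 style check at the edge: admit the packet only if its source
    address lies inside a prefix this edge legitimately originates."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)


def edge_filtered(log):
    """The query log as it would arrive if the edge enforced ingress filtering."""
    return [rec for rec in log if ingress_filter(rec[1])]


class ResponseRateLimiter:
    """Fixed-window limiter keyed on (second, client /24, qname).

    The first `per_second` identical responses per window go out in full.
    Beyond that, every `slip`-th excess query gets a tiny truncated reply
    (so a real client can still fall back to TCP) and the rest are dropped,
    which collapses the bytes a spoofed source can have reflected at it."""

    def __init__(self, per_second=5, slip=2):
        self.per_second = per_second
        self.slip = slip
        self.counts = defaultdict(int)   # full responses sent per key
        self.excess = defaultdict(int)   # over-budget queries seen per key

    def decide(self, ts, src_ip, qname):
        client_net = ipaddress.ip_network(f"{src_ip}/24", strict=False)
        key = (int(ts), str(client_net), qname)
        self.counts[key] += 1
        if self.counts[key] <= self.per_second:
            return "respond"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "slip"
        return "drop"


def reflected_bytes(log, limiter=None):
    """Return (bytes received, bytes sent back) for the log, with or without
    a limiter. The ratio of the two is the amplification the responder gives
    whoever is being spoofed."""
    bytes_in = bytes_out = 0
    for ts, src, qname, _qtype, req_len, resp_len in log:
        bytes_in += req_len
        action = limiter.decide(ts, src, qname) if limiter else "respond"
        if action == "respond":
            bytes_out += resp_len
        elif action == "slip":
            bytes_out += TRUNCATED_REPLY_BYTES
    return bytes_in, bytes_out


if __name__ == "__main__":
    for label, log, lim in (("no mitigation", QUERY_LOG, None),
                            ("responder RRL", QUERY_LOG, ResponseRateLimiter()),
                            ("edge BCP38", edge_filtered(QUERY_LOG), None)):
        b_in, b_out = reflected_bytes(log, lim)
        print(f"{label:14s} in={b_in:6d} out={b_out:6d} "
              f"amplification={b_out / b_in:.1f}x")
```

Run as-is, the spoofed burst is reflected at roughly 45x without any mitigation, drops to about 12x with the responder-side limiter (and would keep falling as the burst continues into further seconds, since only the first five per window get full answers), and disappears entirely when the edge refuses the spoofed packets in the first place. That is the asymmetry the post describes: the limiter has to exist on every amplifier in every protocol, while the ingress filter has to exist on every edge, and neither deployment is obviously the easier one.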