[dns-operations] about anti-ddos DNS hostings

Edward Lewis edward.lewis at icann.org
Thu Jun 11 14:28:17 UTC 2015


On 6/11/15, 1:30, "bert hubert" <bert.hubert at netherlabs.nl> wrote:
Quoting :
>Geoff Huston's thinking on ... http://labs.apnic.net/?p=624

(CC'd Geoff in case he's not on this list.)

>Can we shift our
>collective focus back to the common good, and shift our focus away from
>selected potential victims who can afford private protection and instead
>focus on the attacker and the attacks that they carry out?"

In 2013 my personal conclusion was that those that defended themselves
(through principally DNSSEC, over capacity, and anycast) had managed to
become unwitting accomplices with the attackers.  The defenders had
essentially built an attack traffic utility (like an electric utility)
capable of flooding others.  The root cause was the inability to manage
the transport layer UDP.

https://centr.org/system/files/agenda/attachment/tech28-lewis-dns_reflection_attacks-20130603.pdf

It's not just a matter of the rich getting richer and the poor getting
poorer, it's a matter rooted in a technical fault in the architecture of
the system.

I think there's some progress on that line of reasoning...

https://centr.org/system/files/agenda/attachment/rd-koch_mayrhofer-news_transport_4_dns-20150603.pdf


...as an example of beginning the work on addressing this.