[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Sep 5 17:37:47 UTC 2016

On Mon, Sep 05, 2016 at 07:47:25AM -0700, Damian Menscher wrote:

> 1) Bypassing ANY is trivial for the attacker, as they can switch to TXT or
> any other record.  Enabling RRL doesn't fix this because...
> 2) Amplifying off recursive servers rather than authoritative servers
> bypasses RRL.  This is a trivial change for the attacker.  Shutting down
> open recursives isn't economically viable because...

It is not difficult to mount DDoS attacks via reflection off
authoritative servers even if they implement RRL.  It is perhaps
wise to not describe how on a public list.

> My proposal passes the math/economics sniff test:
> There are ~500 ASNs that fail to filter spoofed traffic to the internet
> (due to lack of BCP38 compliance).  Most spoofed attacks originate from
> only a dozen of them.  If we get those cleaned, the attackers need to
> expend effort to find a new network to spoof from.  This is a bit harder
> than changing a script, and gets increasingly difficult for them as we
> clean up the abusive networks.  If we got transit providers on board with
> caring about the health of the internet rather than the number of octets
> they carried, they could probably end this discussion in a matter of weeks.

Yes, greater pressure to be BCP38 compliant, assuming it is likely
to yield results, seems like a more productive long-term approach.
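Damian's first point above, that refusing ANY alone is sidestepped by asking for another record type, can be made concrete with a small simulation. The following is an added example, not code from either poster or from any DNS server; it constructs a one-second burst of ANY and TXT queries arriving with a spoofed source (the reflection victim), then measures how many bytes the authoritative server reflects under two policies: refusing ANY outright, and an RRL-style token bucket keyed on the querying /24 and name, with BIND-like "slip" behaviour. Response sizes, the 60-byte size of a REFUSED or truncated reply, and the per-second limit are assumptions chosen for illustration, and the bucket logic is a simplified model of RRL, not a specific implementation.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Query:
    t: float          # arrival time in seconds
    client: str       # source address as seen by the server (may be spoofed)
    qname: str
    qtype: str
    resp_bytes: int   # size of the full answer the server would send


def constructed_flood(n_per_type=20):
    """Constructed sample: 20 ANY + 20 TXT queries in one second, all carrying
    the same spoofed source 192.0.2.10, plus one benign A query from elsewhere.
    Sizes are illustrative assumptions, not measured values."""
    recs = []
    for i in range(n_per_type):
        t = i / n_per_type
        recs.append(Query(t, "192.0.2.10", "example.test", "ANY", 3000))
        recs.append(Query(t + 0.01, "192.0.2.10", "example.test", "TXT", 2500))
    recs.append(Query(0.5, "198.51.100.7", "example.test", "A", 80))
    return recs


def refuse_any(recs, refused_bytes=60):
    """Policy 1: refuse ANY queries, answer everything else in full.
    Returns total bytes sent back toward the query sources."""
    sent = 0
    for q in recs:
        sent += refused_bytes if q.qtype == "ANY" else q.resp_bytes
    return sent


def rrl(recs, responses_per_second=5, slip=2, truncated_bytes=60):
    """Policy 2: simplified RRL. Each (client /24, qname, one-second window)
    may receive `responses_per_second` full answers; beyond that, responses
    are dropped except that every `slip`-th one is answered with a small
    truncated (TC) reply so a legitimate client can retry over TCP.
    Returns total bytes sent back toward the query sources."""
    counts = defaultdict(int)
    sent = 0
    for q in sorted(recs, key=lambda r: r.t):
        net = ipaddress.ip_network(f"{q.client}/24", strict=False)
        key = (str(net), q.qname, int(q.t))
        counts[key] += 1
        over = counts[key] - responses_per_second
        if over <= 0:
            sent += q.resp_bytes          # within limit: full answer
        elif slip and over % slip == 0:
            sent += truncated_bytes       # slipped: tiny TC=1 reply
        # otherwise the response is dropped (0 bytes reflected)
    return sent


if __name__ == "__main__":
    flood = constructed_flood()
    print("refuse ANY only:", refuse_any(flood), "bytes reflected")
    print("RRL (5/s, slip 2):", rrl(flood), "bytes reflected")
```

Refusing ANY leaves the TXT half of the burst untouched, so almost all of the amplification survives, whereas the per-source response limit caps the reflected volume regardless of which record type is requested. The model also shows why both posters treat RRL as mitigation rather than a fix: within the limit, and through the slipped replies, some traffic still reaches the spoofed address, which is the reason the discussion turns to BCP38 source-address filtering.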

