[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

David Conrad drc at virtualized.org
Tue Sep 6 16:50:12 UTC 2016


Paul,
On September 6, 2016 at 1:48:05 AM, Paul Vixie (paul at redbarn.org) wrote:

> you're doing far more work blocking ANY than the attacker
> would have to do to switch to a different qtype.

"Far more"? Isn't the expense of this "work" on the part of the defenders already a sunk cost? DNS software implementers have implemented it, and operators that care have already deployed the code, no?

If I understand the ecosystem, for the attacker to switch to another qtype, the attacker has to either have the knowledge and access to the attacking code or wait for the attacker's "vendor" to modify the code and deploy the modified code across the constellation of zombies. 

Also, as Jim has pointed out, forcing the attackers to move from ANY means a reduction in the efficiency (however slight) of their attacks, forcing them to expend more work for the same effect.

Seems to me the edge on this round is in the defender's camp.

> in the unending game play of cybercat and cybermouse,
> that means you lose the current round.

The joy of arms races is that there are always more rounds.

> blocking ANY is just silly.

Meh. It's a primitive tool: sort of like a rock one might use to beat back a rabid ferret. You don't expect it to cure rabies, but it can get the immediate job done in a pinch.

Regards,
-drc
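The "primitive tool" under discussion is a front-end rule that treats QTYPE=ANY over UDP differently from every other qtype. Below is an added, self-contained Python sketch of that rule (not code from this thread or from any DNS implementation): it parses a single-question DNS query off the wire and, only for ANY over UDP, hands back a minimal reply in the style of RFC 8482 (a short HINFO record) instead of the full RRset. Every other qtype, including the TXT query an attacker would switch to, falls through untouched, which is exactly the limitation Paul points out. The HINFO TTL and the sample query names are arbitrary choices for the example.

```python
"""Minimal-ANY front-end rule (constructed example, not from the thread)."""
import struct

QTYPE_A, QTYPE_HINFO, QTYPE_TXT, QTYPE_ANY = 1, 13, 16, 255
QCLASS_IN = 1
HINFO_TTL = 3600  # arbitrary choice for this example


def build_query(qname, qtype, txid=0x1234, rd=True):
    """Encode a one-question DNS query in wire format (test input builder)."""
    flags = 0x0100 if rd else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack(">HH", qtype, QCLASS_IN)


def parse_question(pkt):
    """Return (txid, flags, qname_wire, qtype, qclass) for a query carrying
    exactly one question. Raises ValueError on anything malformed, so the
    caller can drop garbage instead of reasoning about it."""
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated qname")
        length = pkt[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:  # >63 or a compression pointer: not valid in a query name
            raise ValueError("bad label length")
        pos += 1 + length
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack(">HH", pkt[pos:pos + 4])
    return txid, flags, pkt[12:pos], qtype, qclass


def minimal_any_response(query, over_udp=True):
    """If the query is QTYPE=ANY over UDP, return a minimal-size reply
    (RFC 8482 style: one HINFO record "RFC8482" ""). Otherwise return None,
    meaning "handle normally": a switch to TXT, DNSKEY, etc. is not caught."""
    txid, flags, qname_wire, qtype, qclass = parse_question(query)
    if qtype != QTYPE_ANY or not over_udp:
        return None
    # QR=1, AA=1, keep OPCODE and RD bits from the query, RCODE=NOERROR.
    rflags = 0x8000 | 0x0400 | (flags & 0x7900)
    header = struct.pack(">HHHHHH", txid, rflags, 1, 1, 0, 0)
    question = qname_wire + struct.pack(">HH", qtype, qclass)
    # HINFO RDATA: <character-string> CPU="RFC8482", <character-string> OS="".
    rdata = bytes([7]) + b"RFC8482" + bytes([0])
    # Owner name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_HINFO, QCLASS_IN,
                                       HINFO_TTL, len(rdata)) + rdata
    return header + question + answer


def decide(query, over_udp=True):
    """Label a query the way a front end would log it."""
    return "minimal-any" if minimal_any_response(query, over_udp) else "forward"


if __name__ == "__main__":
    for qtype, name in ((QTYPE_ANY, "ANY"), (QTYPE_TXT, "TXT"), (QTYPE_A, "A")):
        q = build_query("example.com", qtype)
        print(f"{name:>3} over UDP -> {decide(q)}; over TCP -> {decide(q, over_udp=False)}")
```

The rule removes the largest single response the resolver can be tricked into emitting, but nothing in it addresses the qtype the attacker picks next; rate limiting per source or per response is the complementary control.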
