<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Sep 5, 2016 at 12:33 AM, Paul Vixie <span dir="ltr"><<a href="mailto:paul@redbarn.org" target="_blank">paul@redbarn.org</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Shane Kerr wrote:<br>
...<span class=""><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* DNS Gurus become enraged.<br>
<br>
It's that very last step that confuses me.<br>
</blockquote>
<br></span>
let me start from the beginning.<br>
<br>
this kind of continuous low-grade non-kinetic warfare is actually a form of economics. there will be no decisive victory or loss for anybody -- no matter what, the defenders will continue to defend, and the attackers will continue to attack, and each will whenever necessary seek new methods, and each will whenever possible drive their own costs down and benefits up, and/or drive the other's costs up and benefits down.<br>
<br>
when you as a defender block ANY you incur some cost in complexity and time. that cost is less than the attacker's projected costs of changing to some other RR type. (likely a one-line change to their python script.)<br>
<br>
saying that this "works" is self-deceptive.<br>
<br>
recommending that others do likewise is enragingly others-deceptive.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I mean, an attacker can defeat RRL as well, but I don't see repeated<br>
attempts to convince people not to use RRL.<br>
</blockquote>
<br></span>
bypassing RRL is not a one line change to a python script. do the math and use that math to support an economic model that compels some kind of action (or inaction).</blockquote><div><br></div><div>Oooh, I took math and economics in high school! Mind if I turn your argument against you? ;)</div><div><br></div><div>1) Bypassing ANY is trivial for the attacker, as they can switch to TXT or any other record. Enabling RRL doesn't fix this because...</div><div>2) Amplifying off recursive servers rather than authoritative servers bypasses RRL. This is a trivial change for the attacker. Shutting down open recursives isn't economically viable because...</div><div>3) The Open Resolver Project sees well over 10M open recursives. An attacker needs ~10k to launch a successful attack. So we need to shut down 99.9% before they even need to change a line of code. But even then, we've achieved nothing because...</div><div>4) DNS amplification is actually old-school --- the new hotness is amplifying off NTP or SSDP. There are several other protocols as well (and it's likely new ones will continue to be created).</div><div><br></div><div>My proposal passes the math/economics sniff test:</div><div><br></div><div>There are ~500 ASNs that fail to filter spoofed traffic to the internet (due to lack of BCP38 compliance). Most spoofed attacks originate from only a dozen of them. If we get those cleaned, the attackers need to expend effort to find a new network to spoof from. This is a bit harder than changing a script, and gets increasingly difficult for them as we clean up the abusive networks. If we got transit providers on board with caring about the health of the internet rather than the number of octets they carried, they could probably end this discussion in a matter of weeks.</div><div><br></div><div>Damian</div></div></div></div>