<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">I'm somewhat surprised that this document makes no mention of DNSSEC / RFC8198 "Aggressive Use of DNSSEC-Validated Cache".</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">As an example, see Petr's presentation @ RIPE76: </div><div class="gmail_default" style="font-family:verdana,sans-serif"><div class="gmail_default">DNSSEC aggressive cache(RFC 8198)</div><div class="gmail_default">Protection from random subdomain attacks</div></div><div class="gmail_default"><font face="verdana, sans-serif"><a href="https://ripe76.ripe.net/presentations/71-RIPE76-presentation-RFC8198.pdf">https://ripe76.ripe.net/presentations/71-RIPE76-presentation-RFC8198.pdf</a></font><br></div><div class="gmail_default"><font face="verdana, sans-serif"><br></font></div><div class="gmail_default"><font face="verdana, sans-serif">W</font></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Nov 2, 2018 at 10:39 PM Renee Burton <<a href="mailto:rburton@infoblox.com">rburton@infoblox.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_382088620593532537WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Hi, <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I’m a longtime lurker of the mailing list and appreciate the wisdom and occasional debates in these exchanges. I wanted to share with the group a paper a colleague and I released some months ago on Slow Drip
DDOS attacks. I had been waiting for the paper to be hung off of the National Security Agency website, but that hasn’t yet happened, so I’ve decided to just go ahead and send to the mailing list.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">This paper shares the findings of a slow drip attack system we called ExploderBot, which is the largest and longest running such system, and a single actor. At this point, it might be OBE as the actor has
been quiet since May 18, 2018, but they might yet pop up again. I wanted to share this because:<u></u><u></u></span></p>
<ul style="margin-top:0in" type="disc">
<li class="m_382088620593532537MsoListParagraph" style="margin-left:0in"><span style="font-size:11.0pt">We heavily leveraged the mailing list archives and learnt a great deal from the DNS operating community during this research – thank you
<u></u><u></u></span></li><li class="m_382088620593532537MsoListParagraph" style="margin-left:0in"><span style="font-size:11.0pt">We do provide packet signatures that provide over 40 bits of check (over 60 if fully done) so that network operators who can do packet filtering could
drop and thwart this actor. <u></u><u></u></span></li></ul>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">There remain a lot of open questions for this actor, but we can leverage what we learnt here to identify and protect against other systems.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Here’s the link to <i>ExploderBot: A Slow Drip System</i>
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><a href="https://www.researchgate.net/publication/328355903_ExploderBot_A_Slow_Drip_System" target="_blank">https://www.researchgate.net/publication/328355903_ExploderBot_A_Slow_Drip_System</a>
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Renée Burton<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Sr. Staff Threat Researcher, Cyber Intelligence<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><a href="mailto:rburton@infoblox.com" target="_blank"><span style="color:#0563c1">rburton@infoblox.com</span></a> |
<a href="http://www.infoblox.com" target="_blank"><span style="color:#0563c1">www.infoblox.com</span></a><u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt">DNS is like Othello: “five minutes to learn, a lifetime to master.”<u></u><u></u></span></i></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
dns-operations mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">I don't think the execution is relevant when it was obviously a bad idea in the first place.<br>This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.<br> ---maf</div>