[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[c-nsp] DNS amplification

Subject: [c-nsp] DNS amplification
From: arturo.servin at gmail.com (Arturo Servin)
Date: Sun, 17 Mar 2013 12:33:01 -0300
In-reply-to: <[email protected]>
References: <CAB_zYdLuMntEdyU=UJgz8saGyA_Cq2-Y-UrM5=XnOPmvJ9=X6w@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]>

	Yes, BCP38 is the solution.

	Now, how widely is deployed?

	Someone said in the IEPG session during the IETF86 that 80% of the
service providers had done it?

	This raises two questions for me. One, is it really 80%, how to measure it?

	Second, if it were 80%, how come the 20% makes so much trouble and how
to encourage it to deploy BCP38?

	(well, actually 4 questions :)

Regards,
as

On 3/16/13 7:24 PM, Jon Lewis wrote:
> On Sat, 16 Mar 2013, Robert Joosten wrote:
> 
>> Hi,
>>
>>>> Can anyone provide insight into how to defeat DNS amplification
>>>> attacks?
>>> Restrict resolvers to your customer networks.
>>
>> And deploy RPF
> 
> uRPF / BCP38 is really the only solution.  Even if we did close all the
> open recursion DNS servers (which is a good idea), the attackers would
> just shift to another protocol/service that provides amplification of
> traffic and can be aimed via spoofed source address packets.  Going
> after DNS is playing whack-a-mole.  DNS is the hip one right now.  It's
> not the only one available.

Follow-Ups:
- [c-nsp] DNS amplification
  - From: morrowc.lists at gmail.com (Christopher Morrow)
- [c-nsp] DNS amplification
  - From: jlewis at lewis.org (Jon Lewis)
- [c-nsp] DNS amplification
  - From: mohta at necom830.hpcl.titech.ac.jp (Masataka Ohta)

References:
- [c-nsp] DNS amplification
  - From: jlewis at lewis.org (Jon Lewis)

Prev by Date: WW: Bruce Schneier on why security can't work
Next by Date: [c-nsp] DNS amplification
Previous by thread: [c-nsp] DNS amplification
Next by thread: [c-nsp] DNS amplification
Index(es):
- Date
- Thread