[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Open Resolver Problems
- Subject: Open Resolver Problems
- From: jlewis at lewis.org (Jon Lewis)
- Date: Tue, 26 Mar 2013 22:25:32 -0400 (EDT)
- In-reply-to: <CAEmG1=qgJmvCXg9qvk8RVtURyAWmuQLz7yWraQ4TPUkccPxoLw@mail.gmail.com>
- References: <[email protected]> <[email protected]> <CAEmG1=oXXwHObBcBaRTFTj9-uyq_dFfB4j63LAmKp8Y4hdT+Wg@mail.gmail.com> <CAL89Sg+XDKc=_6UWosAZ=wyPJb9tm2GaN0-vDk8Kyiji+vEUUQ@mail.gmail.com> <CAEmG1=qgJmvCXg9qvk8RVtURyAWmuQLz7yWraQ4TPUkccPxoLw@mail.gmail.com>
On Tue, 26 Mar 2013, Matthew Petach wrote:
> The concern Valdis raised about securing recursives while still
> being able to issue static nameserver IPs to mobile devices
> is an orthogonal problem to Owen putting rate limiters on
> the authoritative servers for he.net. If we're all lighting up
> pitchforks and raising torches, I'd kinda like to know at which
> castle we're going to go throw pitchforks.
BCP38. As you can see from the wandering conversation, there are many
attack vectors that hinge on the ability to spoof the source address, and
thereby misdirect responses to your DDoS target. BCP38 filtering stops
them all. Or, we can ignore BCP38 for several more years, go on a couple
years crusade against open recursive resolvers, then against
non-rate-limited authoratative servers, default public RO SNMP
communities, etc.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
| therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________