Open Resolver Problems
- Subject: Open Resolver Problems
- From: fergdawgster at gmail.com (Paul Ferguson)
- Date: Tue, 26 Mar 2013 19:37:05 -0700
- In-reply-to: <[email protected]>
- References: <[email protected]> <[email protected]> <CAEmG1=oXXwHObBcBaRTFTj9-uyq_dFfB4j63LAmKp8Y4hdT+Wg@mail.gmail.com> <CAL89Sg+XDKc=_6UWosAZ=wyPJb9tm2GaN0-vDk8Kyiji+vEUUQ@mail.gmail.com> <CAEmG1=qgJmvCXg9qvk8RVtURyAWmuQLz7yWraQ4TPUkccPxoLw@mail.gmail.com> <[email protected]>
On Tue, Mar 26, 2013 at 7:25 PM, Jon Lewis <jlewis at lewis.org> wrote:
> On Tue, 26 Mar 2013, Matthew Petach wrote:
>
>> The concern Valdis raised about securing recursives while still
>> being able to issue static nameserver IPs to mobile devices
>> is an orthogonal problem to Owen putting rate limiters on
>> the authoritative servers for he.net. If we're all lighting up
>> pitchforks and raising torches, I'd kinda like to know at which
>> castle we're going to go throw pitchforks.
>
>
> BCP38. As you can see from the wandering conversation, there are many
> attack vectors that hinge on the ability to spoof the source address, and
> thereby misdirect responses to your DDoS target. BCP38 filtering stops them
> all. Or, we can ignore BCP38 for several more years, go on a couple years
> crusade against open recursive resolvers, then against non-rate-limited
> authoritative servers, default public RO SNMP communities, etc.
>
And I don't plan on being around doing this sort of work in another
10+ years, so let's stop farting around. :-p
- ferg
--
"Fergie", a.k.a. Paul Ferguson
fergdawgster(at)gmail.com
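The BCP38 ingress check Jon refers to, as an added Python example that is not part of this thread: a source address is forwarded only if it falls inside a prefix assigned to the customer interface it arrived on, so a packet forged with a victim's address is dropped at the edge before it can reach a resolver or authoritative server. The prefix table, interface names and addresses are constructed assumptions using RFC 5737 documentation ranges.

```python
from ipaddress import ip_address, ip_network

# Constructed per-interface table: which source prefixes each customer port may emit.
# A real deployment expresses this as router ACLs or uRPF, not as Python.
CUSTOMER_PREFIXES = {
    "cust-A": [ip_network("192.0.2.0/24")],
    "cust-B": [ip_network("198.51.100.0/25"), ip_network("198.51.100.128/26")],
}


def bcp38_permit(ingress_iface, src, table=CUSTOMER_PREFIXES):
    """True only if src lies inside a prefix assigned to the arrival interface."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # malformed source address: drop
    return any(addr in net for net in table.get(ingress_iface, []))


def filter_packets(packets, table=CUSTOMER_PREFIXES):
    """Apply the ingress check to (iface, src, dst) tuples; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if bcp38_permit(iface, src, table) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic: legitimate DNS queries plus packets whose source is
# forged to a victim address (203.0.113.9) that does not belong to either customer.
SAMPLE = [
    ("cust-A", "192.0.2.10", "198.51.100.53"),    # legitimate, inside cust-A's /24
    ("cust-A", "203.0.113.9", "198.51.100.53"),   # spoofed: victim's address as source
    ("cust-B", "198.51.100.150", "192.0.2.53"),   # legitimate, inside cust-B's /26
    ("cust-B", "192.0.2.10", "192.0.2.53"),       # spoofed: cust-A address arriving on cust-B
    ("cust-B", "not-an-ip", "192.0.2.53"),        # malformed source
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    for pkt in fwd:
        print("FORWARD", pkt)
    for pkt in drp:
        print("DROP   ", pkt)
```

The same check applied on every customer-facing port is what removes the spoofing capability the whole reflection discussion depends on.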