Open Resolver Problems

On Tue, Mar 26, 2013 at 7:25 PM, Jon Lewis <jlewis at lewis.org> wrote:

> On Tue, 26 Mar 2013, Matthew Petach wrote:
>> The concern Valdis raised about securing recursives while still
>> being able to issue static nameserver IPs to mobile devices
>> is an orthogonal problem to Owen putting rate limiters on
>> the authoritative servers for he.net.  If we're all lighting up
>> pitchforks and raising torches, I'd kinda like to know at which
>> castle we're going to go throw pitchforks.
> BCP38.  As you can see from the wandering conversation, there are many
> attack vectors that hinge on the ability to spoof the source address, and
> thereby misdirect responses to your DDoS target.  BCP38 filtering stops them
> all.  Or, we can ignore BCP38 for several more years, go on a couple years
> crusade against open recursive resolvers, then against non-rate-limited
> authoritative servers, default public RO SNMP communities, etc.

And I don't plan on being around doing this sort of work in another
10+ years, so let's stop farting around. :-p

- ferg

"Fergie", a.k.a. Paul Ferguson
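The BCP38 ingress filtering Jon Lewis points at, modelled as an added Python example that is not part of the thread: a per-interface source-address check over constructed customer prefixes and constructed packets, showing which spoofed packets never leave the edge.

```python
import ipaddress

# Constructed example: prefixes legitimately assigned behind each
# customer-facing interface (names and prefixes are assumptions).
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:1::/48")],
}


def bcp38_permit(ingress_if, src):
    """True if the source address is one this interface may originate
    (BCP38 / RFC 2827 ingress filtering). Unknown interfaces and
    unparseable addresses fail closed."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    # A v6 address is never "in" a v4 network and vice versa, so mixed
    # families on one interface are handled without a special case.
    return any(addr in net for net in CUSTOMER_PREFIXES.get(ingress_if, []))


def filter_packets(packets):
    """Split (ingress_if, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if bcp38_permit(iface, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic: dst is a resolver; the spoofed sources carry a
# victim's address so that replies would be misdirected to it.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.53"),        # genuine customer query
    ("ge-0/0/1", "203.0.113.7", "203.0.113.53"),       # spoofed: not this customer's space
    ("ge-0/0/2", "198.51.100.200", "203.0.113.53"),    # spoofed: outside the /25
    ("ge-0/0/2", "2001:db8:1::5", "2001:db8:ffff::53"),  # genuine v6 query
    ("ge-0/0/9", "192.0.2.10", "203.0.113.53"),        # interface with no assignment
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    for pkt in drop:
        print("DROP", pkt)
    print(len(fwd), "forwarded,", len(drop), "dropped")
```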