[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Can we not just fix it? WAS:Re: Open Resolver Problems

On Mar 27, 2013, at 10:11 PM, Michael DeMan <nanog at deman.com> wrote:
> AsI think as we all know the deficiency is the design of the DNS system overall.

One of the largest DDoS attacks I've witnessed was SNMP-based, walking entire OID sub-trees (with spoofed source addresses) across thousands of CPEs that defaulted to allowing SNMP queries over the WAN interface. "Oops". Topped out around 70 Gbps if I remember correctly. No DNS involved. 

> The fundamental cause and source of failure for these kinds of attacks comes from the the way the DNS (and lets not even get into 'valid' SSL certs) is designed.  

Not really.  You're at least one layer too high.  (not even going to question what "'valid' SSL certs" have to do with the DNS)

> It is fundamentally flawed.  I am sure there were plenty of political reasons for it to have ended up this way instead of being done in a more robust fashion?

I suspect if you look at the number of queries per second the best TCP stacks could handle circa mid-1980s and compare that number to an average UDP stack, you might see an actual reason instead of conspiracy theories.

> For all the gripes and complaints - all I see is complaints of the symptoms and nobody calling out the original cause of the disease?

You mean connectionless datagram transmission without validation of packet source?