nanog mailing list archives

Re: DNS attacks evolve


From: Paul Vixie <vixie () isc org>
Date: Sat, 09 Aug 2008 22:23:30 +0000

jgreco () ns sol net (Joe Greco) writes:

> I am very, very, very disheartened to be shown to be wrong.  As if 8 days
> wasn't bad enough, a concentrated attack has been shown to be effective in
> 10 hours.  See http://www.nytimes.com/2008/08/09/technology/09flaw.html

that's what theory predicted.  guessing a 30-or-so-bit number isn't "hard."

> With modern data rates being what they are, I believe that this is still a
> severe operational hazard, and would like to suggest a discussion of further
> mitigation strategies.
> ...

i have two gripes here.  first, can we please NOT use the nanog@ mailing
list as a workshop for discussing possible DNS spoofing mitigation
strategies?  namedroppers () ops ietf org already has a running gun battle
on that topic, and dns-operations () lists oarci net would be appropriate.

but unless we're going to talk about deploying BCP38, which would be the
mother of all mitigations for DNS spoofing attacks, it's off-topic on nanog@.

second, please think carefully about the word "severe".  any time someone
can cheerfully hammer you at full-GigE speed for 10 hours, you've got some
trouble, and you'll need to monitor for those troubles.  11 seconds of
10MBit/sec fit my definition of "severe".  10 hours at 1000MBit/sec doesn't.
-- 
Paul Vixie
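The "30-or-so-bit number" and the "11 seconds at 10 Mbit vs. 10 hours at GigE" arithmetic above can be reproduced with a small guessing-attack model. The following is an added example for readers of this archive, not code from Vixie's or Greco's posts. It assumes a forged reply of roughly 100 bytes on the wire, treats every forged reply as an independent guess against the outstanding query's transaction ID and source port (a reasonable approximation for the cross-query attack being discussed), and exposes a duty-cycle knob because an attacker's guesses only count while a matching query is actually in flight; with a duty cycle of 1.0 the result is the theoretical floor, and real attacks take longer.

```python
import math

# Constructed assumption: a forged UDP/DNS reply is about 100 bytes on the wire.
SPOOFED_RESPONSE_BYTES = 100


def effective_bits(txid_bits=16, source_ports=1):
    """Entropy an off-path spoofer must guess: the 16-bit transaction ID plus
    log2 of the number of source ports the resolver chooses from.  A fixed port
    gives 16 bits; about 2^14 usable random ports gives the '30-or-so' figure."""
    return txid_bits + math.log2(source_ports)


def packets_per_second(link_bps, packet_bytes=SPOOFED_RESPONSE_BYTES):
    """Forged replies per second an attacker can push down a link of link_bps."""
    return link_bps / (packet_bytes * 8)


def success_probability(bits, guesses):
    """P(at least one of `guesses` independent forged replies matches a 2^bits
    secret).  Each guess hits with probability 2^-bits."""
    return 1.0 - (1.0 - 2.0 ** -bits) ** guesses


def guesses_for_probability(bits, p=0.5):
    """Number of forged replies needed to reach success probability p.
    log1p keeps precision for the tiny per-guess probability at 30 bits."""
    return math.log(1.0 - p) / math.log1p(-(2.0 ** -bits))


def time_to_poison_seconds(bits, link_bps, p=0.5, duty_cycle=1.0):
    """Seconds until success probability p, firing at full link rate.

    duty_cycle is the fraction of wall-clock time during which a target query
    is outstanding and a forged reply can land; 1.0 is the theoretical floor,
    and real attacks (re-triggering queries, resolver rate limits) sit below it.
    """
    if not 0.0 < duty_cycle <= 1.0:
        raise ValueError("duty_cycle must be in (0, 1]")
    return guesses_for_probability(bits, p) / (packets_per_second(link_bps) * duty_cycle)


def compare_scenarios():
    """Fixed source port at 10 Mbit/s versus randomized port at 1 Gbit/s."""
    fixed_port = effective_bits(16, source_ports=1)            # 16 bits
    random_port = effective_bits(16, source_ports=2 ** 14)     # 30 bits
    return {
        "fixed_port_10mbit_s": time_to_poison_seconds(fixed_port, 10e6),
        "random_port_1gbit_s": time_to_poison_seconds(random_port, 1e9),
        # Same GigE attack, but forged replies only land 2% of the time.
        "random_port_1gbit_s_2pct_duty": time_to_poison_seconds(random_port, 1e9,
                                                                duty_cycle=0.02),
    }


if __name__ == "__main__":
    for name, seconds in compare_scenarios().items():
        print(f"{name}: {seconds:,.0f} s ({seconds / 3600:.2f} h) to 50% success")
```

Two things fall out of running it. Port randomization buys roughly four orders of magnitude in guesses, which at a fixed packet rate is the difference between seconds and many minutes of sustained full-rate spoofing; and the duty-cycle term shows how a theoretical ten-minute floor at line rate stretches into the hours-long attack reported in the article once the attacker can only land guesses while a query is pending. Neither number is a substitute for the mitigation Vixie names: forged replies that cannot be sourced from the target's network never enter the race at all.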
