nanog mailing list archives
Re: Tightened DNS security question re: DNS amplification attacks.
From: William Allen Simpson <william.allen.simpson () gmail com>
Date: Wed, 28 Jan 2009 18:50:15 -0500
Paul Vixie wrote:
> have been able to bind a reputation to an IP address and act in some way based on that reputation because TCP more or less requires that a real IP address be used. we're seeing cracks at the edges of this model now, because so many core routers have login: cisco; password: cisco, and it's now trivial for any spammer to inject BGP that either lights up unallocated space or cuts out a piece of somebody else's allocated block. this makes it possible to very temporarily and untraceably speak TCP from addresses that have no reputation (if they're unallocated) or that have a good reputation (if they're cutouts).
> ...
> i've pondered whether a network reputation service based on morality rather than behaviour could possibly work.
> ...
> would anyone be willing to deny service to them -- to paint them as having a negative reputation even though their "sin" is laziness or cluelessness rather than malevolent intent?
> ...

Yes, I've long been an advocate. Heck, the entire community had to take this approach temporarily to slow/stop 2 worms (so far), because the damage was so great that we couldn't operate otherwise.

However, I'd argue semantically that this is "behaviour" as well -- under a negligence or attractive nuisance doctrine.

My previous solution involved extensive AUPs, but over time I've found AUPs to be almost entirely unenforcible. Action turns out to be very expensive, courts don't understand them, and are reluctant to support the "outsider" ISP over their small business that belongs to the local chamber.

I was pleased by community action for de-peering this last year, although it took several years of mounting evidence and national media exposure.

Do we need a law?