Re: [c-nsp] DNS amplification

[Christopher Morrow <morrowc.lists () gmail com>]

On Sun, Mar 17, 2013 at 11:33 AM, Arturo Servin <arturo.servin () gmail com> wrote:
>         Yes, BCP38 is the solution.
>
>         Now, how widely is deployed?
>
>         Someone said in the IEPG session during the IETF86 that 80% of the
> service providers had done it?

right... sure.

>         This raises two questions for me. One, is it really 80%, how to measure it?

csail had a project for a while... spoofer project?
  <http://spoofer.csail.mit.edu/>

I think the last I looked they reported ONLY 35% or so coverage of
proper filtering. Looking at:
  <http://spoofer.csail.mit.edu/summary.php>

though they report 86% non-spoofable, that seems very high to me.

>         Second, if it were 80%, how come the 20% makes so much trouble and how
> to encourage it to deploy BCP38?

some of the 20% seems to be very highspeed connected end hosts and at
a 70:1 amplification ratio you don't need much bandwidth to fill a 1g
pipe, eh?

-chris

>         (well, actually 4 questions :)
>
> Regards,
> as
>
> On 3/16/13 7:24 PM, Jon Lewis wrote:
> > On Sat, 16 Mar 2013, Robert Joosten wrote:
> >
> > > Hi,
> > >
> > > > > Can anyone provide insight into how to defeat DNS amplification
> > > > > attacks?
> > > > Restrict resolvers to your customer networks.
> > >
> > > And deploy RPF
> >
> > uRPF / BCP38 is really the only solution.  Even if we did close all the
> > open recursion DNS servers (which is a good idea), the attackers would
> > just shift to another protocol/service that provides amplification of
> > traffic and can be aimed via spoofed source address packets.  Going
> > after DNS is playing whack-a-mole.  DNS is the hip one right now.  It's
> > not the only one available.