nanog mailing list archives

Re: Open Resolver Problems


From: Paul Ferguson <fergdawgster () gmail com>
Date: Tue, 26 Mar 2013 19:37:05 -0700

On Tue, Mar 26, 2013 at 7:25 PM, Jon Lewis <jlewis () lewis org> wrote:

> On Tue, 26 Mar 2013, Matthew Petach wrote:
>
>> The concern Valdis raised about securing recursives while still
>> being able to issue static nameserver IPs to mobile devices
>> is an orthogonal problem to Owen putting rate limiters on
>> the authoritative servers for he.net.  If we're all lighting up
>> pitchforks and raising torches, I'd kinda like to know at which
>> castle we're going to go throw pitchforks.
>
> BCP38.  As you can see from the wandering conversation, there are many
> attack vectors that hinge on the ability to spoof the source address, and
> thereby misdirect responses to your DDoS target.  BCP38 filtering stops them
> all.  Or, we can ignore BCP38 for several more years, go on a couple years
> crusade against open recursive resolvers, then against non-rate-limited
> authoritative servers, default public RO SNMP communities, etc.


And I don't plan on being around doing this sort of work in another
10+ years, so let's stop farting around. :-p

- ferg

-- 
"Fergie", a.k.a. Paul Ferguson
 fergdawgster(at)gmail.com
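
The BCP38 point Jon makes above, as an added example that is not part of the thread or of any vendor's implementation: a small simulation of strict-mode unicast RPF on customer-facing ports. The routing table, interface names and packets are constructed for illustration. The router accepts a packet only when the best route back to its source address points out the interface it arrived on, so a customer host sending a DNS query "from" the DDoS victim's address toward an open resolver is dropped at the first hop and the resolver has nothing to reflect.

```python
"""Strict-mode uRPF as a BCP38 ingress filter (added example, constructed data)."""
import ipaddress
from collections import Counter
from typing import Optional


class Fib:
    """Forwarding table: (prefix, egress interface) with longest-prefix match."""

    def __init__(self, routes):
        # routes: iterable of (prefix_str, interface_name); constructed input
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr: str) -> Optional[str]:
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            # 'ip in net' is False across address families, so v6 never matches v4 routes
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


class UrpfStrict:
    """BCP38 check: the source must route back out the ingress interface."""

    def __init__(self, fib: Fib, filtered_ifaces):
        self.fib = fib
        self.filtered = set(filtered_ifaces)   # only customer ports are checked here
        self.drops = Counter()                 # per-interface drop counter, for logging

    def permit(self, src: str, ingress: str) -> bool:
        if ingress not in self.filtered:
            return True                        # e.g. the transit/upstream port
        ok = self.fib.lookup(src) == ingress
        if not ok:
            self.drops[ingress] += 1
        return ok


def build_example() -> UrpfStrict:
    """Hypothetical access router: two customer ports and a default toward transit."""
    fib = Fib([
        ("192.0.2.0/24", "cust-A"),
        ("198.51.100.0/24", "cust-B"),
        ("0.0.0.0/0", "upstream"),
    ])
    return UrpfStrict(fib, ["cust-A", "cust-B"])


# Constructed sample packets: (source address, ingress interface)
SAMPLE_PACKETS = [
    ("192.0.2.10", "cust-A"),     # legitimate query from customer A's own space
    ("203.0.113.7", "cust-A"),    # spoofed: source is the DDoS victim's address
    ("198.51.100.5", "cust-A"),   # spoofed: customer A using customer B's space
    ("192.0.2.10", "upstream"),   # inbound from transit; this port is not filtered
]


def run_packets(filt: UrpfStrict, packets):
    """Return (src, ingress, 'permit'|'drop') for each sample packet."""
    return [(src, ing, "permit" if filt.permit(src, ing) else "drop")
            for src, ing in packets]


if __name__ == "__main__":
    f = build_example()
    for src, ing, verdict in run_packets(f, SAMPLE_PACKETS):
        print(f"{src:>14} on {ing:<8} -> {verdict}")
    print("drops per interface:", dict(f.drops))
```

Strict mode assumes symmetric routing: a multihomed customer whose return path prefers another provider would have legitimate traffic dropped, which is why operators use a static prefix ACL or feasible-path/loose uRPF on such ports instead. The transit port is deliberately left unchecked in this example; the spoofing that BCP38 targets is stopped where the packet enters the network, on the customer edge.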

