In message <51baa714.9020...@dougbarton.us>, Doug Barton <do...@dougbarton.us> wrote:
>It's obvious you're frustrated (understandable), and enthusiastic
>(commendable), but you might want to consider dialing down your
>"rhetoric" a bit.

Great idea! I have only one small question... Would you be willing to
provide me an example to follow? If so, please proceed.

>You've had responses from people here who have been
>working on this problem for years,

Yes. On the order of 13 years it appears. Based on recent reports, I am
forced to conclude that the people of whom you speak have not actually
managed to solve the problem, even given all that time.

> and have a deep understanding of it.

Yes. And that deep understanding has apparently not been successful in
resolving the problem, I think. On the other hand, maybe you think that
it _has_ been successful in solving the problem. If so, all I can say
is that I would hate to see what failure looks like.

>Trying to understand what they're telling you, and its implications,
>would really help your situation.

I understand that you hold the view that it is self-evident that I must
not understand something, simply because I do not accept without question
the prevailing conventional view of this problem and its possible
solutions. I do wonder however if the possibility, however unlikely,
ever crossed your mind that perhaps I _do_ actually understand both the
problem and the issues, and that I just happen to disagree with the
conventional wisdom with respect to these matters, a conventional wisdom
that, from where I am sitting at least, appears to have so far succeeded
in producing absolutely nothing in the way of either a solution or even
observable progress over all of the past thirteen years.

>>> No. You can still get pretty good amplification with 512 byte responses.
>>
>> That is an interesting contention. Is there any evidence of, or even any
>> reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
>> using strictly 512 byte packets?
>
>You're asking the wrong question. Attackers don't go out of their way to
>find open resolvers that they are sure will return 4k packets.

That also is an interesting contention. May I ask what the factual basis
was for your conclusion here?

>The important point being (as others have made to you) that this is not
>an EDNS0 issue.

Yes, I see that Vernon said that. I continue to await the concrete
evidence that supports that view.

>It's also worth noting that I realize this wasn't the
>main point you were trying to make,

Well, that is something anyway.

>but it will probably be helpful for
>you to get your facts straight.

I am happy to have my facts straightened by you, or by anybody else.
But not on the basis of hand waving and stern assurances on the part of
"experts" when unaccompanied by hard evidence. (I know that my insistence
on evidence, rather than traditional "appeals to authority", puts me in
the category of "difficult to work with" in some people's minds, but I
would rather be right and make progress, as opposed to, you know,
unquestioningly accepting the herd's current conventional wisdom, showing
no progress over a long period of time, and being loved.)

>> If that's actually a real problem, then I am forced to assume that there
>> must have been numerous reliable reports of successful and devastating
>> DNS reflection DDoS attacks which pre-dated the widespread adoption of
>> EDNS0.
>
>Again, you're making the wrong argument. As others have pointed out to
>you, DNS amplification is just the attack du jour.

I wonder if you are familiar with the actual English translation of the
term "du jour". I and others who have been attacked in this manner might
be inclined to take offense at your making light of the time frame over
which these kinds of attacks have been occurring. I assure you that it
has been quite a bit more than a single day. In fact it has been closer
to ten years.

>There is evidence at
>the moment that the kiddies are already moving to chargen

I believe that the applicable British word is "bollix". I see nothing
anywhere on the Internet that amounts to what any reasonable person would
call "evidence" to support your contention here. There is a grand total
of -one- lone anecdotal report of a recent event involving what someone
apparently believed must have been chargen, but even that report is
utterly lacking in detail, including especially the most important
detail, i.e. whether or not that one (alleged) lone chargen ``attack''
produced anything at all in the way of damage or even noticeable hardship
on the part of the ``victim''. One swallow does not a summer make. Your
contention that "kiddies" (plural) are "moving to chargen", based on one
lone anecdotal report, appears to me to be more well rooted in hysteria
than factual evidence. And hysterical claims do not typically advance a
technical discussion, so please let us stick with the facts.

(And by the way, I cannot help but observe that your contention that
chargen is the next great menace to society is, I'm sorry to say,
laughable on the face of it. Please do name all of the operating systems
and/or even all of the specific bits of hardware that you believe have
shipped with chargen both open and active anytime over the last 15 years.
As boogie men to frighten an ill-informed public, I'm sure that dinosaurs
do work quite well. In this case however, I think that you may find that
it will be difficult to stampede or scare the potatoes out of the general
populace by presenting them with the looming specter of scary types of
long-extinct attack dinosaurs that have been dead and stiff for over 15
years already.)

>>> There is no quick fix.
>>
>> I will settle for a slow one.
>
>Then you really want to learn more about response rate limiting

I read Vixie's paper. I do apologize for the fact that although I read
it and understood it, I reserve the right to disagree that it represents
the One, the True, the Only solution to the problem under discussion.
I understand and accept that my own personal lack of conventional
religious convictions often puts me outside of whatever is considered the
"mainstream", but I think that you err when you assume that anyone who is
not immediately awestruck by the utter and undeniable brilliance of
Vixie's (still pending) "solution" must obviously not have understood it
properly. Foreign though it may be to your conception, it is in fact
possible to both understand and to simply disagree.

But let us be specific. Vixie's as yet unimplemented proposal involves
arranging to have machines that might participate in a DNS reflection
all voluntarily participate in "rate limiting", which kicks in when those
machines themselves notice that something is amiss. But I would like to
call your attention to something that Vernon said just yesterday:

>Sufficiently distributed or disbursed DNS reflection attacks (e.g. qps<1
>at reflectors) are hard even to detect except at the victim.

I agree completely with Vernon on the above point. Now, I would simply
like to know how Vixie's rate limiting scheme solves this problem. If you
can provide an answer to that question, please do proceed.

>... but the real answer is still going to be BCP 38...

I have two responses to that:

1) Yes, yes, and yes. BCP 38 is clearly the wave of the future, has been
for the past 13 years, and unfortunately perhaps always will be. I agree
completely that BCP 38 is a profoundly good *and* a profoundly necessary
thing. We have no disagreement about that whatsoever. I merely made a
modest suggestion for an idea, a scheme, that could perhaps assist to
mitigate DNS reflection attacks in the time period over the _coming_ 13
years, during which we shall all most certainly continue to work,
diligently, towards the goal of BCP 38's universal implementation.

2) If indeed BCP 38 is ``the real answer'' then why is anybody wasting
any time, energy, or effort implementing, adopting, or even talking about
Vixie's rate limiting scheme? John Levine seems to be of the opinion that
_any_ work on _any_ scheme or plan or implementation of anything other
than BCP 38... presumably with the exception of sleeping, eating, and
procreating... is and will be necessarily and inescapably Bad as it will
inevitably subtract time, effort, and energy away from what must be the
one and only set of goal posts, i.e. the universal deployment of BCP 38.
(I am frankly not sure if John is allowing any exceptions to this general
rule that he put forward. He made it clear that he thinks that any time
spent on _my_ modest proposal would be 100% wasted, but refrained from
applying his logic even-handedly also to Vixie's rate limiting scheme,
which is itself also not BCP 38, and which thus, one would think, should,
by John's logic, also and likewise be viewed as an utter waste of time.)

>> I am not persuaded that we have even really begun in earnest a process that
>> is likely to lead to that result. Almost everybody, even 13 years later,
>> is still hoping for, and praying for, some utterly cost-free and pain-free
>> solution to drop down out of the sky like manna from heaven.
>
>Again, you need to become more familiar with the efforts that have been
>ongoing for years.

Again, I call your attention to what I, and presumably many many other
attack victims, consider to be a rather salient point, i.e. that despite
having worked on the problem for a period already considerably longer
than the time it took NASA to put a man on the moon, the folks involved
in the "efforts" of which you speak do not seem to have produced anything
in the way of tangible results, or even tangible progress against the
problem in all that time. Given this record of utter failure on the part
of the many illustrious experts who have so far been working the problem,
I do not think that it was either unreasonable or unwarranted for me, or
for anyone else for that matter, to have tossed another modest little
idea into the ring. We could hardly do worse than the illustrious experts
have managed to do over all these years. (I do not anticipate that my act
of pointing out the nakedness of certain potentates is likely to earn me
universal accolades, but then I didn't start this thread for love... at
least not the love of anyone here.)

If I have been insufficiently clear, perhaps a small graphic illustration
will help to clarify my point above:

http://i7.photobucket.com/albums/y280/BrannonB/GaryLarsonHumptyDumpty.gif

>Mark also made an excellent point about legislation for BCP 38 being an
>unfortunate necessity at this point.

Please do forgive me as I "misunderstand" again, but my own view is that
the excellence, or lack thereof, of Mark's point is at best debatable.
Pray tell, when is this hypothetical future legislation likely to be
arriving on the President's desk? Is the plan to attach it as a rider to
the next bit of gun control legislation that is taken up in the House in
order to insure its immediate and unanimous passage? (Thank god we have
such an efficient, harmonious, and well-functioning Congress. What hope
would we have of getting such legislation adopted and sent to the
President in the absence of that?)

And more to the point, how is adoption of said legislation, even if
achieved in our lifetimes, and even if achieved universally throughout
all of Europe, the Americas, and Africa, going to affect in any way the
network configuration policies of either the South Koreans or, more
importantly, the Chinese? Is the plan to simply hold our collective
breaths until we either turn blue or the Chinese give in and accept our
preferred way of doing things? (That approach seems to have worked out oh
so well in the case of Darfur, don't cha think?)

Regards,
rfg

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
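The disagreement in the message above, between reflector-side response rate limiting and Vernon's remark that an attack spread to less than one query per second per reflector is hard to detect anywhere but at the victim, can be made concrete with a small simulation. This is an added example, not code from this thread, from BIND, or from Vixie's rate limiting paper; it models only the behaviour the message describes (each reflector counts the responses it sends to one requesting address and drops the excess). The query size, the 5-responses-per-second threshold, the reflector counts, the stagger pattern and the victim address are all constructed assumptions for the simulation.

```python
"""Constructed simulation: what a per-reflector response rate limiter can see
versus what the victim sees, for the same total volume of spoofed queries
spread thinly across many open resolvers or concentrated on one."""
from collections import defaultdict

US = 1_000_000          # microseconds per second; integer time keeps windows exact
QUERY_BYTES = 64        # assumed on-the-wire size of one spoofed query (IP+UDP+DNS)
RESPONSE_BYTES = 512    # the classic non-EDNS0 response ceiling discussed in the thread


def generate_events(reflectors, qps_per_reflector, duration_s, victim="203.0.113.7"):
    """Return (time_us, reflector_id, requesting_ip) tuples for spoofed queries
    arriving at `reflectors` open resolvers, each at `qps_per_reflector`
    (which may be below 1). The victim is an RFC 5737 documentation address;
    start times are staggered so the reflectors are not in lockstep."""
    interval_us = round(US / qps_per_reflector)
    events = []
    for r in range(reflectors):
        t = (r % 7) * 130_000           # constructed stagger, 0 .. 0.78 s
        while t < duration_s * US:
            events.append((t, r, victim))
            t += interval_us
    events.sort()
    return events


def rrl_filter(events, responses_per_second, window_us=US):
    """Simplified reflector-side rate limiting: each reflector counts responses
    per requesting IP per one-second window and drops anything over the
    threshold. Returns (sent_events, dropped_count)."""
    counts = defaultdict(int)
    sent, dropped = [], 0
    for t, r, ip in events:
        key = (r, ip, t // window_us)
        counts[key] += 1
        if counts[key] > responses_per_second:
            dropped += 1
        else:
            sent.append((t, r, ip))
    return sent, dropped


def peak_per_reflector_rate(events, window_us=US):
    """Highest responses-per-second any single reflector observes toward the
    victim: this is the only signal a reflector-side limiter has to act on."""
    counts = defaultdict(int)
    for t, r, ip in events:
        counts[(r, ip, t // window_us)] += 1
    return max(counts.values()) if counts else 0


def victim_view(sent, window_us=US):
    """Aggregate the surviving responses at the victim. Returns
    (peak_responses_per_second, peak_bits_per_second, bytes_amplification)."""
    per_window = defaultdict(int)
    for t, r, ip in sent:
        per_window[t // window_us] += 1
    peak_pps = max(per_window.values()) if per_window else 0
    return peak_pps, peak_pps * RESPONSE_BYTES * 8, RESPONSE_BYTES / QUERY_BYTES


def compare(reflectors, qps_per_reflector, duration_s=10, threshold=5):
    """Run both views for one traffic shape and summarise the numbers that
    matter to a defender: what each reflector saw, what it dropped, and what
    still arrived at the victim."""
    events = generate_events(reflectors, qps_per_reflector, duration_s)
    sent, dropped = rrl_filter(events, threshold)
    peak_pps, peak_bps, amp = victim_view(sent)
    return {
        "queries": len(events),
        "peak_per_reflector_rps": peak_per_reflector_rate(events),
        "dropped_by_rrl": dropped,
        "victim_peak_rps": peak_pps,
        "victim_peak_mbps": peak_bps / 1e6,
        "amplification": amp,
    }


if __name__ == "__main__":
    # Same 50,000-query budget, two shapes: 10,000 reflectors at 0.5 qps each,
    # versus one reflector at 5,000 qps.
    for name, summary in (("spread", compare(reflectors=10_000, qps_per_reflector=0.5)),
                          ("concentrated", compare(reflectors=1, qps_per_reflector=5_000))):
        print(name, summary)
```

In the spread case every reflector sees at most one response per second to the victim, the limiter drops nothing, and the victim still takes roughly 40 Mbit/s of 512-byte responses at an 8:1 byte amplification; in the concentrated case the same limiter drops all but five responses per second. The gap between the two rows is the detection problem Vernon describes: the aggregate is visible only where the responses converge, which is why victim-side monitoring and source-address filtering at the origin (BCP 38) are the two places that catch the thinly spread shape.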