On 18 Jun 2012, at 12:36, Kostas Zorbadelos wrote:

> Stephane Bortzmeyer <[email protected]> writes:
>
>> If you don't do ingress filtering, it still allows people to attack
>> your users (they can send from the outside a "ANY ripe.net" query
>> claiming to be from a local machine).
>
> The same is true if you have open resolvers / forwarders in your networks (problem CPEs for example) and they accept spoofed queries from the outside. What is the proposed mitigation for the ISP caching resolver in these cases?

Don't do that. :-)

If the attack packets have a format that can easily be filtered to /dev/null, it should be possible (handwave, handwave!) to make a firewall or router drop these at the ingress point(s) into your network.

And then go chase the upstream providers who are dumping this crap on you.

Statements of the bleedin' obvious...
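The two checks discussed in this thread (drop packets arriving from upstream whose source claims to be one of your own addresses, and have the ISP caching resolver refuse queries from non-local sources), written out as an added illustration that is not code from the thread or any of its participants. Prefix, interface and resolver addresses, and all sample packets, are constructed assumptions.

```python
"""Border and resolver checks against spoofed DNS queries (added example).

Assumed: the ISP's prefixes, upstream-facing interface names and resolver
addresses are known. All values below are constructed, not captured traffic.
"""
import ipaddress
from dataclasses import dataclass

LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]
UPSTREAM_IFACES = {"eth0"}          # interfaces facing transit providers (assumed)
RESOLVER_ADDRS = {"192.0.2.53"}     # the ISP caching resolver (assumed)


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrived on
    src: str
    dst: str
    dport: int
    qtype: str = ""  # DNS query type when this is a query, else ""


def is_local(addr: str) -> bool:
    """True if addr falls inside one of our own prefixes (v4/v6 mismatch is False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_PREFIXES)


def verdict(pkt: Packet) -> str:
    """DROP: spoofed packet from upstream claiming a local source (ingress filter).
    REFUSE: query to the caching resolver from an address that is not ours.
    ACCEPT: everything else."""
    if pkt.iface in UPSTREAM_IFACES and is_local(pkt.src):
        return "DROP"
    if pkt.dst in RESOLVER_ADDRS and pkt.dport == 53 and not is_local(pkt.src):
        return "REFUSE"
    return "ACCEPT"


def classify(packets):
    """Count verdicts over a batch of packets, e.g. a sample from the border."""
    counts = {"DROP": 0, "REFUSE": 0, "ACCEPT": 0}
    for p in packets:
        counts[verdict(p)] += 1
    return counts


# Constructed sample traffic
SAMPLE = [
    Packet("eth0", "192.0.2.10", "192.0.2.53", 53, "ANY"),    # our address from upstream: spoofed
    Packet("eth0", "198.51.100.7", "192.0.2.53", 53, "ANY"),  # outsider querying our resolver
    Packet("eth1", "192.0.2.10", "192.0.2.53", 53, "A"),      # genuine customer query
    Packet("eth0", "2001:db8::1", "192.0.2.53", 53, "ANY"),   # spoofed IPv6 source
]
```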



_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
