> From: Florian Weimer <[email protected]>

> > Emergency patches against ANY to last for a day or two for lack of
> > other available tools can make good sense--for a day or so.  But
> > spending any long term effort on ANY queries in this context is the
> > same "thinking" that brought us SPF as the final ultimate solution
> > to the spam problem (FUSSP), because as we all "knew," spam requires
> > forged senders.

> But unlike spam, these attacks require spoofed source addresses.
Was I really that unclear?  Of course forged IP source addresses are a critical part of DNS reflection DoS attacks, just as "bulk" is a critical part of spam.  My point is that it is necessary to pay attention to the necessary aspects of the problem and deal with those instead of trivial efforts against the current wrapping paper.

From the history of obvious bogus spam FUSSPs such as the many variations of "email authentication" and the "prove mail sender is a human" unsolicited bulk email (spam) sent to uninvolved third parties, I predict that the next "solution" to DNS reflection attacks after the current "disable AUTHORITY and ADDITIONAL sections" and "disable ANY" will be "disable DNSSEC."  Solutions analogous to "know your customer before allowing outgoing bulk connections to TCP port 25" such as "disable or restrict open recursive DNS servers to known users" or even "install response rate limiting DNS software" (not to mention BCP 38) are resisted as too hard.  The saving grace is that the monetary rewards for allowing DNS reflection attacks aren't as large as those for allowing unsolicited bulk email.

> Perhaps it's time to admit defeat, call our legislators, and suggest
> that they mandate source address validation by service providers.

Speaking of easier non-solutions that would not only not solve the problem but create worse problems ...

On the other hand, if service providers were liable for damages caused by forged IP source addresses (or forged SMTP envelopes) ...


Vernon Schryver    [email protected]
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
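An added illustration, not part of the message above and not the code of BIND or any other DNS server: a simplified model of the "response rate limiting DNS software" the message mentions, showing why per-prefix response accounting blunts a reflection flood aimed at a spoofed victim network while a legitimate resolver elsewhere is untouched. Everything specific here is a constructed assumption: the parameters (5 responses per second, 15 s of debt, slip 2, /24 IPv4 and /56 IPv6 accounting, which mirror commonly used RRL settings), the response and query sizes, and the 203.0.113.0/24 victim and 198.51.100.53 resolver addresses.

```python
"""Simplified model of DNS response rate limiting (RRL).

Written for this page as an illustration; it is not BIND's or any other
server's RRL implementation.  Parameters, sizes and addresses are assumptions.
"""
import ipaddress
from collections import Counter
from enum import Enum


class Action(Enum):
    SEND = "send"  # full answer leaves the server
    SLIP = "slip"  # tiny truncated answer (TC=1): a real resolver retries over TCP
    DROP = "drop"  # nothing leaves the server


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=15, slip=2,
                 ipv4_prefix_len=24, ipv6_prefix_len=56):
        self.rps = responses_per_second
        self.window = window            # seconds of debt an account may run up
        self.slip = slip                # every slip-th limited response is truncated, not dropped
        self.v4_len, self.v6_len = ipv4_prefix_len, ipv6_prefix_len
        self.balance = {}               # account -> (credits, second of last update)
        self.limited = Counter()        # account -> responses limited so far

    def account(self, client_ip, qname, qtype):
        # Accounting is per client *prefix* and per identical response, so a
        # spoofed flood aimed at one victim network shares a single bucket
        # no matter how many host addresses in that network it forges.
        addr = ipaddress.ip_address(client_ip)
        plen = self.v4_len if addr.version == 4 else self.v6_len
        net = ipaddress.ip_network(f"{client_ip}/{plen}", strict=False)
        return (str(net), qname.lower(), qtype.upper())

    def decide(self, now, client_ip, qname, qtype):
        acct = self.account(client_ip, qname, qtype)
        sec = int(now)
        credits, last = self.balance.get(acct, (self.rps, sec))
        # refill at rps per elapsed second, never above one second's allowance
        credits = min(self.rps, credits + (sec - last) * self.rps)
        credits -= 1
        # cap the debt so a burst cannot blackhole the victim's network forever
        credits = max(credits, -self.window * self.rps)
        self.balance[acct] = (credits, sec)
        if credits >= 0:
            return Action.SEND
        self.limited[acct] += 1
        if self.slip and self.limited[acct] % self.slip == 0:
            return Action.SLIP
        return Action.DROP


# Constructed sizes (bytes): a large ANY answer from a DNSSEC-signed zone,
# a truncated header-plus-question reply, and the spoofed query itself.
FULL_ANY_RESPONSE = 3000
TRUNCATED_RESPONSE = 60
QUERY_SIZE = 60


def simulate_flood(limiter, victim_ip, qname="example.com.", qtype="ANY", count=1000):
    """Constructed attack: `count` spoofed queries carrying the victim's source
    address, all arriving within one second.  Returns a Counter of actions."""
    actions = Counter()
    for i in range(count):
        actions[limiter.decide(i / count, victim_ip, qname, qtype)] += 1
    return actions


def bytes_reflected(actions):
    """Bytes the server actually sends toward the spoofed victim."""
    return (actions[Action.SEND] * FULL_ANY_RESPONSE
            + actions[Action.SLIP] * TRUNCATED_RESPONSE)


def amplification(actions, count):
    """Reflected bytes per byte the attacker had to send; below 1.0 the
    reflector no longer amplifies anything."""
    return bytes_reflected(actions) / (count * QUERY_SIZE)


if __name__ == "__main__":
    rrl = ResponseRateLimiter()
    flood = simulate_flood(rrl, "203.0.113.7")
    print({a.value: n for a, n in flood.items()})
    print("without RRL: %dx" % (FULL_ANY_RESPONSE // QUERY_SIZE))
    print("with RRL:    %.2fx" % amplification(flood, 1000))
    # a resolver in an unrelated network asking the same question is unaffected
    print(rrl.decide(0.5, "198.51.100.53", "example.com.", "ANY"))
```

The point the model makes concrete: the server stops being useful to the attacker not because it recognises spoofing (it cannot) but because it refuses to repeat the same large answer to the same network more than a handful of times per second, and the occasional truncated reply lets a genuine client that really did send all those queries fall back to TCP, which a forged source address cannot do.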
