----Original Message----- From: paul vixie <[email protected]> Date: Friday, October 26, 2012 10:32 AM To: "Dobbins, Roland" <[email protected]> Cc: DNS Operations List <[email protected]> Subject: Re: [dns-operations] First experiments with DNS dampening to fight amplification attacks
> On 10/26/2012 7:11 AM, Dobbins, Roland wrote:
>> On Oct 26, 2012, at 11:19 AM, paul vixie wrote:
>>
>>> this sounds like a new application of 'the chemical polluter business model'.
>>
>> There's more to it than that, though. It's important to understand that those who are purchasing and deploying network gear often are nonspecialists, and so frustrations, project delays, etc. would crop up in the customer organizations - who would then complain vociferously to the network infrastructure vendors and/or simply switch to a vendor which didn't enable anti-spoofing as a default.
>
> i just don't see it. there isn't more to it than that. from the point of view of everyone on the connected internet, it is a bad idea to let some new person connect some new router that forwards packets, if that person is unaware of the s.a.v. issue. if a vendor won't make s.a.v. the default because they need the new business and they don't want the training burden of making sure they understand the issues of s.a.v., then they are following the 'chemical polluter business model' where the money is made "here" and the impact is only felt "over there".

i kinda see both sides, but then i'm not in the argument. :-)

i think there's a reason OSS (let's forget commercial interests for a moment) distributions ship with firewalls that have been standard for years either disabled or running entirely open... despite many documented best practices, you don't want to keep most systems running that way for long. some might even argue narrow windows of time with open firewall rules allow the determined attacker (or botnet worms) to access available attack vectors, such that "locking down" hosts as an afterthought doesn't add much value.
to further the analogy, "new users" are the ones who would be most confused by a freshly installed OSS distribution that won't connect to anything... but it doesn't at all negate the necessity of a properly configured firewall -- especially for new users who might do things like connect their shiny new laptop to a <insert_favorite_coffee_shop> access point full of evil hackers and then carry it inside the shroud of corporate security (this of course isn't limited to OSS, with BYOD and iWhatzits and droids).

so i appreciate both sides, but i think there's something larger afoot... human psychology perhaps. i do plan to raise this (to the best of my ability) through engineering management and at least start a discussion. challenging current norms is always a healthy exercise that at least gets people thinking. as mentioned, i came to cisco through acquisition (like so many others), and am positioned in the security BU... so i can at least present both sides to folks higher up the food chain (and smarter than me), then let them make an informed decision.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
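The s.a.v. check the thread is arguing about, as an added worked example that is not part of either poster's message. It models the three ways a router can refuse spoofed sources on a customer port: strict uRPF (Cisco's "reachable-via rx"), loose uRPF ("reachable-via any") and a hand-maintained BCP 38 ingress ACL. The forwarding table, interface names, filter lists and sample packets are all constructed for illustration; the point of the multihomed customer B is to show why a vendor's nonspecialist customer gets "frustrations and project delays" when strict mode is switched on over an asymmetric path, and why loose mode quietly lets a neighbour-spoofing packet through.

```python
"""Source address validation (BCP 38 / uRPF) as pure functions over a small
constructed forwarding table.  Added example, not code from the thread."""
from ipaddress import ip_address, ip_network

# Constructed FIB: prefix -> interface the router would use to reach it.
# Longest-prefix match wins, as on a real router.
FIB = {
    ip_network("0.0.0.0/0"):       "upstream",
    ip_network("192.0.2.0/24"):    "cust-a",
    ip_network("198.51.100.0/24"): "cust-b",        # customer B's primary link
}
# Assumption: customer B also has a backup link, "cust-b-backup", and sends
# some outbound traffic over it even though our return path is via cust-b.
# That asymmetry is exactly what strict uRPF cannot tell from spoofing.

# Static BCP 38 filters, bound per customer port and maintained by hand.
# Ports with no entry (e.g. "upstream") have no filter at all.
INGRESS_FILTERS = {
    "cust-a":        [ip_network("192.0.2.0/24")],
    "cust-b":        [ip_network("198.51.100.0/24")],
    "cust-b-backup": [ip_network("198.51.100.0/24")],
}


def lookup(src):
    """Longest-prefix match of src against FIB; returns the prefix or None."""
    src = ip_address(src)
    matches = [p for p in FIB if src in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None


def strict_urpf(src, ingress, allow_default=False):
    """Strict uRPF: forward only if the best route back to src leaves via the
    interface the packet arrived on.  As with Cisco's 'reachable-via rx', the
    default route does not count unless allow_default is set."""
    prefix = lookup(src)
    if prefix is None or (prefix.prefixlen == 0 and not allow_default):
        return False
    return FIB[prefix] == ingress


def loose_urpf(src):
    """Loose uRPF ('reachable-via any'): forward if any non-default route to
    src exists, regardless of ingress interface."""
    prefix = lookup(src)
    return prefix is not None and prefix.prefixlen != 0


def ingress_acl(src, ingress):
    """BCP 38 static filter: a customer port may only source its own prefixes.
    A port with no filter bound forwards anything, i.e. the default-open
    behaviour the thread complains about."""
    prefixes = INGRESS_FILTERS.get(ingress)
    if prefixes is None:
        return True
    src = ip_address(src)
    return any(src in p for p in prefixes)


def evaluate(src, ingress):
    """Verdict of each mechanism for one packet (True = forwarded)."""
    return {
        "strict": strict_urpf(src, ingress),
        "loose": loose_urpf(src),
        "acl": ingress_acl(src, ingress),
    }


# Constructed sample packets: (source address, ingress interface, description).
PACKETS = [
    ("192.0.2.10",   "cust-a",        "legitimate customer A traffic"),
    ("198.51.100.7", "cust-a",        "A spoofing its neighbour B"),
    ("198.51.100.7", "cust-b-backup", "legitimate B traffic, asymmetric path"),
    ("8.8.8.8",      "cust-a",        "A spoofing an arbitrary address"),
]

if __name__ == "__main__":
    print(f"{'source':<14}{'ingress':<15}{'strict':<8}{'loose':<8}{'acl':<6}note")
    for src, ingress, note in PACKETS:
        v = evaluate(src, ingress)
        print(f"{src:<14}{ingress:<15}{str(v['strict']):<8}"
              f"{str(v['loose']):<8}{str(v['acl']):<6}{note}")
```

Reading the four rows: strict mode catches both spoofs but also drops customer B's legitimate backup-link traffic, loose mode keeps B working but forwards A's spoof of B's addresses because a route to them exists, and the static ACL gets every case right only because someone wrote the backup port's filter by hand. Nothing here is a reason not to ship s.a.v. on by default; it is the training burden vixie refers to, made concrete.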
