yes, we are adding value.

George Michaelson wrote:
> ...
>
> I think sending a stronger message about uRPF type defences, and asking other
> people to look at spoof source is better.

i thought this in 2002. that's why i wrote <http://archive.icann.org/en/committees/security/sac004.txt>. been there, done that, traveled nearly 1M air miles and talked to everybody i met on every stage i was on. total result: squat. we've been overwhelmed by new "cloud" virtual servers running unpatched web apps. the bad guys have more firepower than ever, and most virtual hosting providers can't afford the manpower to either patch customer systems, handle complaints, or block spoofed-source attack flows. (those that try are probably bought out by those who don't, due to the difference in their profit margins.) so let me tell you from experience, what you're asking for is not better than complexifying DNS. more below.

> Sometimes it pays to recognise you can't solve a problem, and look to who
> can. ...

we did that. see above. now we have to look to who actually will, or would, among others who can. that translates to those whose real ip addresses are revealed to victims. that means the amplifiers. we have never gained ground on those whose real ip addresses are not revealed during attacks, and we have for outside cause lost ground there. now we have to do what can be done, which means finding someone who can act whose identity is revealed and who can therefore hear complaints and who can also act. i'd rather fix this at the source, but failing that, _and we have in fact failed_, all we can do is fix the amplifiers.

> ...
> We're in a world where the goal is to answer questions, quickly and
> accurately. The fixes are beginning to look like major attacks on that
> fundamental.

i think we need to hold a world wide "kiss simplicity goodbye" festival. because from now on all recursive name servers will have to be ACL'd, and all authority name servers will have to be RRL'd. there's no going back.
paul
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
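The closing point of the message above, that recursive servers get ACL'd and authoritative servers get RRL'd, is shown below as two BIND 9 `named.conf` fragments. This is an added example, not part of the original post and not configuration from any named project; the `our-clients` ACL name and the 192.0.2.0/24 and 2001:db8::/32 ranges are constructed placeholders to be replaced with the operator's own client prefixes, and the rate-limit numbers are starting values to be tuned against measured traffic.

```conf
// Added example, not from the original message. Two separate servers' configs;
// do not combine both "options" blocks into one file. Prefixes are placeholders.

// ---- File 1: named.conf for a RECURSIVE resolver ----
// Only the operator's own clients may use it for recursion or read its cache,
// so it cannot be used as an open reflector by spoofed-source floods.
acl "our-clients" { 192.0.2.0/24; 2001:db8::/32; localhost; };

options {
    recursion yes;
    allow-recursion   { our-clients; };
    allow-query-cache { our-clients; };
};

// ---- File 2: named.conf for an AUTHORITATIVE server ----
// Recursion is off, and Response Rate Limiting caps identical answers sent
// to the same client prefix, which is what an amplifier leaks to a victim.
options {
    recursion no;
    rate-limit {
        responses-per-second 5;   // identical answers per client prefix per second
        nxdomains-per-second 5;   // same cap for NXDOMAIN, a common amplifier
        errors-per-second    5;   // and for other error responses
        slip 2;                   // every 2nd excess reply is sent truncated
                                  // (TC=1) so a real client retries over TCP,
                                  // which a spoofed source cannot complete
        window 5;                 // seconds over which the rate is averaged
        ipv4-prefix-length 24;    // rate is tracked per /24 ...
        ipv6-prefix-length 56;    // ... and per /56 for IPv6
        log-only yes;             // measure first; set "no" to enforce drops
    };
};
```

Run the authoritative side with `log-only yes` long enough to see which prefixes and query names would be limited, then switch to enforcement; the `slip` setting is what keeps legitimate clients behind a limited prefix working, since the truncated reply pushes them to TCP instead of silently dropping them.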
