>>>>> "Dean" == Dean Anderson <[EMAIL PROTECTED]> writes:
>> The fact that something else is a *bigger* risk, doesn't have
>> any bearing on whether the first thing is a risk.
Dean> Yes, it really does. Especially if the bad guy doesn't have
Dean> to even change his source code to get more bang for his
Dean> botnet, and doesn't incur any more risk. In fact, using
Dean> authority servers is _less_ risk to the abuser, because to
Dean> compose the reflector attacks, s/he has to crack into a
Dean> server, craft a record, and search 3.7 million IP addresses
Dean> for a list of reflectors. All of these things leave a
Dean> forensic trail. Any one of which might lead back to the bad
Dean> guy.
Dean> By contrast, searching authority servers for, say, large SPF
Dean> records isn't suspicious. There is no trail besides the
Dean> botnet, which is necessary for either case. Authority
Dean> servers give more bang and less risk, and same code and
Dean> payload size. One must presume the attacker a complete idiot
Dean> to make the open reflectors attack look attractive.
I have to agree with Dean on the specific point that analyzing related
risks to determine whether one problem is worth fixing is actually
important in doing security work. Fixing a problem has a cost--both
in implementation and inconvenience. If other related risks reduce
the value of that fix, then the cost may not be justified.
So, to the extent that Dean is trying to encourage that sort of
analysis here, I think it is very good.
At this time, I make no comment on the rest of his message or on
whether his technical analysis of this issue is in fact correct.
Sam Hartman
Security Area Director
_______________________________________________
DNSOP mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dnsop