On Tue, 2 Sep 2008, Joe Abley wrote:

> Dean,
>
> On 1 Sep 2008, at 20:57, Dean Anderson wrote:
>
> > mostly operations people (as opposed to credible engineers)?
>
> If av8.net starts selling t-shirts, I'll take one with that phrase.

Perhaps a t-shirt should have this quote from Paul Vixie, describing the
IETF as "self-selected rabble and trolls":

http://www.ietf.org/mail-archive/web/ietf/current/msg25874.html

Or later in the same message, Vixie says "it's hard to commit acts of
leadership inside a burning movie theatre." Which is just wrong. It's
quite easy to commit acts of leadership during an emergency (the
emergency being spam). The problem was that Vixie was himself a spammer,
false teaming with anti-spammers and misleading network operators.

Of course, there will be no such t-shirt; you are just using the notion
of a t-shirt to misrepresent something I said. I don't mean to say that
network operators aren't credible, as you seem to imply. I definitely
appreciate the craft skills very much. But craft skills don't generally
imply knowledge of theory and mathematics, i.e. actual engineering. I
mean that network operations staff have a history of being easily misled
by emotional appeals such as "the war won't be over until the last
spammer's head is stuck onto a spear at the city limits." --Paul Vixie,
Sept 1997. Although this really fired up network operations staff, it
was later discovered that Vixie was a spammer. Network operations staff,
however, gave Vixie (MAPS/SORBS/SPAMHAUS) anti-spam information on
Whitehat's competition, while Whitehat was able to avoid spam-traps;
none of this would have been possible without the support of the misled
network operations staff.

This draft is a similar emotional appeal with insufficient basis in fact
(the number of attacks) or in theory.

> > There is no harm in public resolvers.
>
> Not to the people running the resolvers, usually, no.

There is "usually" no harm to anyone from open resolvers. No one has
reported any further attacks since this draft was conceived.

I note that there have been no substantive answers to any of the
questions I raised, just platitudes and personal attacks.

> Have there been any subsequent attacks since the motivating attack was
> reported?
>
> Given that we now have some high-profile DNSSEC test zones (thanks to
> David Conrad), there is now no reason at all to use a recursor in a
> DDOS attack. One would merely make DNSSEC queries against a
> high-profile authority server.
>
> One can conduct attacks on well-known high-profile authority servers
> without the risk of exposure inherent in searching out reflectors.
>
> And I note that Paul Wouters previously asserted that 100:1
> amplification is a non-issue. If so, then certainly reflector attacks
> are also a non-issue for the same reason.
>
> So, this draft is in search of a problem to solve. However, closing
> open recursors may promote the sales of DNS servers to people who
> didn't need them before, so I wonder about that. And can we expect to
> see people selling 'reflector blacklist' products to ISPs to block DNS
> to open recursors, merely because the recursors are open? Will we see
> 'reflector blacklist' people scanning for open recursors?

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
