On Wed, 21 Jun 2006, Joe Abley wrote:
> Hi all,
>
> William Maton and I have prepared two drafts relating to the AS112
> project:
>
> draft-jabley-as112-ops-00
3.3. Operating System and Host Considerations
The use of a UNIX or UNIX-like operating system (e.g. FreeBSD, GNU
Linux) is recommended for the construction of AS112 nodes, primarily
due to the cumulative experience of using such platforms for this
purpose. Examples in this document will assume use of such an
operating system.
[...]
Section 3.3 should be removed. Choice of host operating system has no relevance to
DNS operations. Use of loopback interfaces etc. is likewise irrelevant.
> draft-jabley-as112-being-attacked-help-help-00
This draft seems to entirely miss the point, and unhelpfully belittles the fact
that AS112 servers may in fact be used (perhaps have already been used) to
conduct DOS attacks.
I have rarely seen IDS systems alarm over genuine DNS traffic to external
servers. The IDS sees the query go out, and the corresponding answer come back.
The IDS has no idea of whether a query to, say 1.1.168.192.in-addr.arpa.
__ought__ to go out... but would just treat it like any other query. The IDS
only alarms when it starts getting answers for queries that weren't sent.
Receiving responses to unsent queries is an indication of a real DOS attack.
So, when you start getting calls from admins saying they are under attack from
AS112, you probably should take that more seriously, and assist them, rather
than explaining what AS112 does. Nothing that AS112 does makes it immune from
involvement in a DOS attack.
> Having been recently in the unenviable position[1] of answering phone
> calls from angry people regarding the denial-of-service attack from
> PRISONER.IANA.ORG on their firewalls (source port 53),
Probably you should have responded differently to their calls: They were
probably legitimate DOS attacks involving AS112 servers.
So, I think this draft should be dropped. Or, in its place, a draft advising
AS112 to be more helpful in the future.
--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000
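
The check described in the message above (an IDS staying quiet on a query and its answer, and alarming only on answers to queries that were never sent), as an added example that is not part of the original post. The record layout, the 5-second timeout and the documentation-range addresses standing in for a site resolver and an AS112 node are assumptions.

```python
from collections import namedtuple

# Constructed flow records, not real traffic. "out" is a query leaving the
# site, "in" is a response arriving. local/remote are (address, port) pairs.
Pkt = namedtuple("Pkt", "ts direction local remote txid")

TIMEOUT = 5.0  # assumed: seconds a query is considered outstanding


def unsolicited_responses(packets, timeout=TIMEOUT):
    """Return inbound responses that match no outstanding outbound query."""
    pending = {}  # (local, remote, txid) -> time the query was sent
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.local, p.remote, p.txid)
        if p.direction == "out":
            pending[key] = p.ts
            continue
        sent = pending.pop(key, None)  # one answer consumes one query
        if sent is None or p.ts - sent > timeout:
            alerts.append(p)
    return alerts


RESOLVER = "198.51.100.10"   # constructed: site resolver
AS112 = ("192.0.2.53", 53)   # constructed: stand-in for an AS112 node

SAMPLE = [
    # Query and its answer: the IDS has no reason to alarm.
    Pkt(0.00, "out", (RESOLVER, 40001), AS112, 0x1A2B),
    Pkt(0.03, "in", (RESOLVER, 40001), AS112, 0x1A2B),
    # Answer with source port 53 for which no query was ever sent.
    Pkt(1.00, "in", (RESOLVER, 53), AS112, 0x9999),
    # Second copy of an answer whose query was already satisfied.
    Pkt(1.10, "in", (RESOLVER, 40001), AS112, 0x1A2B),
    # Answer arriving long after its query stopped being outstanding.
    Pkt(2.00, "out", (RESOLVER, 40002), AS112, 0x2222),
    Pkt(9.00, "in", (RESOLVER, 40002), AS112, 0x2222),
]

if __name__ == "__main__":
    for a in unsolicited_responses(SAMPLE):
        print(f"t={a.ts:.2f} unsolicited response from {a.remote[0]} "
              f"to {a.local[0]}:{a.local[1]} txid={a.txid:#06x}")
```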