Re: [dns-operations] correction about RRL leakage

2013-02-21 Thread Paul Vixie
...

nudge wrote:
> ...
> Sounds to me like the bad guys still have time to spare.

ya think?

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs


Re: [dns-operations] Another whitepaper on DDOS

2013-02-21 Thread Vernon Schryver
> From: Jeff Wright 

> http://docs.media.bitpipe.com/io_10x/io_106675/item_584633/Gartner%20and%20Arbor%20Focus%20on%20DDoS%20FINAL.PDF

On one hand, it
  - gets significant bits of history wrong, such as the claim that
 SSL had nothing to do with authentication and authorization
 until EV certificates.  If confidentiality ("encryption") were
 the sole point of SSL, then SSL would have gone straight to a
 DH exchange and done no public key computing.  EV would not be
 a minor elaboration of the old, widely used PKI.  (page 15)

  - urges the use of "DNS Authentication."  I guess "DNS authentication
 [would work] to ensure that source queries to a DNS server ...
 are in fact coming from a valid host" if you can find and deploy
 DNS stub resolvers that support DNS authentication and then deploy
 them.  I think that's practically impossible for the foreseeable
 future.  It might instead be referring to ACLs in servers and
 relying on IP source addresses as authentication tokens, but that
 would be almost as lame.  (page 6)

  - advocates naive, and so bad, query rate limiting and separate
 NXDOMAIN rate limiting.  It should have mentioned RRL.  (page 6)

  - advocates applying RegExes and packet capture for no purpose.
 Looking for text in DNS packets will find lots of it separated
 by what look like ASCII control characters.  Unless you have a
 specific target, you're unlikely to do more than waste time by
 manually staring at packets for any port.  (page 6)

On the other hand, those are all minor nits and mostly reflect
my prejudiced and overly strict reading.

Overall, I found it innocuous and entertaining.
If it seems revolutionary or eye opening and you have relevant
responsibilities, then you urgently need more than any such document
can offer.


Vernon Schryver  v...@rhyolite.com


Re: [dns-operations] correction about RRL leakage

2013-02-21 Thread nudge
On Wed, Sep 26, 2012, at 07:40 PM, Vernon Schryver wrote:
> A discouraging fact is that rate limiting doesn't help if the bad guy
> uses a list of 100,000 or 1,000,000 servers and only 1 or 0.1 forged
> query/sec.  The only hope is that by the time the bad guys get smart
> and ambitious enough to use millions of reflectors, BCP38 will be so
> common that the sending systems can be found and quenched.

Today I attended a cyber-security conference organised by ICSPA
(International Cyber Security Protection Alliance). All day I heard
presentations by various companies with expertise in this field. DNS was
never mentioned. One presentation was given by the head of
cyber-security for what I believe is the largest ISP in France. I took
the opportunity to ask him what their position was regarding BCP38. He
didn't know what I was talking about (my french is good). When I gave a
brief description of BCP38 he started talking about what they do to
prevent credit card fraud. I tried again but...

Sounds to me like the bad guys still have time to spare.
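The quoted paragraph argues in numbers, and the earlier review of the whitepaper contrasts naive query rate limiting with RRL, so here is a small Python model of both points. It is an added example for this page, not code from BIND, Arbor, Gartner or any poster. The RRL knobs (responses-per-second, slip, window) borrow the BIND names, but the credit accounting is a deliberate simplification of the real implementation; the per-response size, the 3000-byte amplified answer and the reflector counts are constructed figures, and the victim and customer prefixes come from the RFC 5737 documentation ranges.

```python
"""Toy model: DNS Response Rate Limiting (RRL) against a reflection attack
spread over few versus many reflectors, plus a BCP38 ingress check.
Added example for this thread; not code from BIND, Arbor or any list member.
RRL knob names follow BIND, but the accounting is simplified.  All traffic
figures are constructed, not measured."""
import ipaddress
from collections import defaultdict

VICTIM = "192.0.2.7"   # forged source address (RFC 5737 documentation range)


class RRL:
    """One authoritative server's RRL state.  Responses are accounted per
    (client /24, qname, qtype, rcode), i.e. per identical answer to one
    netblock, not per source address as a naive query limiter would do.
    A rate-limited response is dropped or, every `slip`-th time, sent
    truncated (TC=1, about query size) so a real client behind that
    netblock can still retry over TCP."""

    def __init__(self, responses_per_second=5, slip=2, window=15):
        self.rps = responses_per_second
        self.slip = slip
        self.window = window
        self.accounts = {}                # key -> (balance, last_second)
        self.limited = defaultdict(int)   # key -> rate-limited responses so far

    @staticmethod
    def key(client_ip, qname, qtype, rcode):
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), qname, qtype, rcode)

    def decide(self, now, client_ip, qname, qtype, rcode):
        """Return 'send', 'slip' (TC=1) or 'drop' for one candidate response
        arriving at integer second `now`."""
        k = self.key(client_ip, qname, qtype, rcode)
        balance, last = self.accounts.get(k, (self.rps, now))
        # One second of credit per elapsed second, capped at rps; debt is
        # floored at `window` seconds' worth so a burst is not punished forever.
        balance = min(self.rps, balance + self.rps * (now - last))
        if balance > 0:
            self.accounts[k] = (balance - 1, now)
            return "send"
        balance = max(-self.rps * self.window, balance - 1)
        self.accounts[k] = (balance, now)
        self.limited[k] += 1
        if self.slip and self.limited[k] % self.slip == 0:
            return "slip"
        return "drop"


def reflect_attack(n_reflectors, total_qps, seconds=10, limit=5, slip=2,
                   resp_bytes=3000, query_bytes=60):
    """Attacker forges `total_qps` identical queries/sec with VICTIM as the
    source, round-robin over `n_reflectors` servers each running RRL at
    `limit` responses/sec/key.  Returns counts of full responses, TC=1 slips
    and drops, bytes delivered to the victim, and the amplification factor
    relative to what the attacker had to send."""
    servers = [RRL(limit, slip) for _ in range(n_reflectors)]
    counts = {"send": 0, "slip": 0, "drop": 0}
    n_queries = total_qps * seconds
    for q in range(n_queries):
        now = int(q / total_qps)             # arrival second of this query
        srv = servers[q % n_reflectors]
        counts[srv.decide(now, VICTIM, "example.com.", "ANY", "NOERROR")] += 1
    to_victim = counts["send"] * resp_bytes + counts["slip"] * query_bytes
    counts["bytes_to_victim"] = to_victim
    counts["amplification"] = round(to_victim / (n_queries * query_bytes), 2)
    return counts


def bcp38_admits(src_ip, customer_prefixes):
    """Ingress filter at the attacker's access ISP (BCP38 / RFC 2827): forward
    a packet only if its source lies in a prefix assigned to the port it came
    in on.  A query forged with the victim's address never reaches a reflector."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in customer_prefixes)


if __name__ == "__main__":
    for n in (10, 1000):
        print(f"{n:5d} reflectors, 1000 forged qps total:", reflect_attack(n, 1000))
    print("forged victim address admitted by BCP38 filter:",
          bcp38_admits(VICTIM, ["198.51.100.0/24"]))
```

With 10 reflectors each seeing 100 forged queries per second, RRL lets through five full answers per server and slips or drops the rest, so the victim receives less traffic than the attacker sent. Spread the same 1000 queries per second over 1000 reflectors and each server sees one query per second, every answer is sent in full, and the amplification is the full answer-to-query size ratio; only the BCP38 check at the sending network stops the forged packet.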


Re: [dns-operations] Another whitepaper on DDOS

2013-02-21 Thread P Vixie
With all due respect to friends at both Arbor and Gartner, this is lightweight 
by their standards and factually wrong on both details and recommendations 
having to do with DNS rate limiting. --vix

Jeff Wright  wrote:

>Given the recent hubbub over the CloudShield posting, I would be
>interested to see what anyone thinks of the following whitepaper. Note
>that I have not yet read it, and in any case, I don't count myself as
>qualified to comment. But I enjoy reading people's opinions of other
>people's opinions...it is educational for me.
>
>http://docs.media.bitpipe.com/io_10x/io_106675/item_584633/Gartner%20and%20Arbor%20Focus%20on%20DDoS%20FINAL.PDF
>
>Jeff Wright

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

[dns-operations] Another whitepaper on DDOS

2013-02-21 Thread Jeff Wright
Given the recent hubbub over the CloudShield posting, I would be
interested to see what anyone thinks of the following whitepaper. Note
that I have not yet read it, and in any case, I don't count myself as
qualified to comment. But I enjoy reading people's opinions of other
people's opinions...it is educational for me.

http://docs.media.bitpipe.com/io_10x/io_106675/item_584633/Gartner%20and%20Arbor%20Focus%20on%20DDoS%20FINAL.PDF

Jeff Wright