Re: [dns-operations] correction about RRL leakage
... nudge wrote:
> ...
> Sounds to me like the bad guys still have time to spare.

ya think?

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Re: [dns-operations] Another whitepaper on DDOS
> From: Jeff Wright
> http://docs.media.bitpipe.com/io_10x/io_106675/item_584633/Gartner%20and%20Arbor%20Focus%20on%20DDoS%20FINAL.PDF

On one hand, it

- gets significant bits of history wrong, such as the claim that SSL had nothing to do with authentication and authorization until EV certificates. If confidentiality ("encryption") were the sole point of SSL, then SSL would have gone straight to a DH exchange and done no public key computing. EV would not be a minor elaboration of the old, widely used PKI. (page 15)

- urges the use of "DNS Authentication." I guess "DNS authentication [would work] to ensure that source queries to a DNS server ... are in fact coming from a valid host" if you can find and deploy DNS stub resolvers that support DNS authentication and then deploy them. I think that's practically impossible for the foreseeable future. It might instead be referring to ACLs in servers and relying on IP source addresses as authentication tokens, but that would be almost as lame. (page 6)

- advocates naive and so bad query rate limiting and separate NXDOMAIN rate limiting. It should have mentioned RRL. (page 6)

- advocates applying RegExes and packet capture for no purpose. Looking for text in DNS packets will find lots of it separated by what look like ASCII control characters. Unless you have a specific target, you're unlikely to do more than waste time by manually staring at packets for any port. (page 6)

On the other hand, those are all minor nits and mostly reflect my prejudiced and overly strict reading. Overall, I found it innocuous and entertaining. If it seems revolutionary or eye opening and you have relevant responsibilities, then you urgently need more than any such document can offer.

Vernon Schryver
v...@rhyolite.com
Re: [dns-operations] correction about RRL leakage
On Wed, Sep 26, 2012, at 07:40 PM, Vernon Schryver wrote:
>
> A discouraging fact is that rate limiting doesn't help if the bad guy
> uses a list of 100,000 or 1,000,000 servers and only 1 or 0.1 forged
> query/sec. The only hope is that by the time the bad guys get smart
> and ambitious enough to use millions of reflectors, BCP38 will be so
> common that the sending systems can be found and quenched.

Today I attended a cyber-security conference organised by ICSPA (International Cyber Security Protection Alliance). All day I heard presentations by various companies with expertise in this field. DNS was never mentioned.

One presentation was given by the head of cyber-security for what I believe is the largest ISP in France. I took the opportunity to ask him what their position was regarding BCP38. He didn't know what I was talking about (my French is good). When I gave a brief description of BCP38 he started talking about what they do to prevent credit card fraud. I tried again but...

Sounds to me like the bad guys still have time to spare.
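The point Vernon makes in the quoted paragraph above, worked through in code. This is an added example and not code from the thread or from any real RRL implementation (BIND's or otherwise); it is a deliberately minimal per-client-prefix counter, and the victim address 192.0.2.10 and the query rates are constructed. It sends the same total forged-query load through one reflector and through a thousand, each running its own limiter, and counts how many responses actually reach the victim.

```python
"""Constructed model of per-client DNS response rate limiting (RRL-style).

Added example, not code from the dns-operations thread or from BIND.
It shows why a per-client limit enforced on each server cannot see an
attack that is spread thinly across many reflectors: every individual
server sees the victim's (forged) source address only a little, so the
limit never trips and every response is delivered.
"""
from collections import defaultdict

VICTIM = "192.0.2.10"  # constructed (documentation-range) victim address


class ResponseRateLimiter:
    """Count responses per client /24 per one-second window and refuse any
    response beyond `responses_per_second`.  A simplified stand-in for real
    RRL: no slip/truncation, no per-qname tracking, fixed one-second windows.
    """

    def __init__(self, responses_per_second):
        self.limit = responses_per_second
        self.counts = defaultdict(int)  # (client /24, second) -> responses sent

    @staticmethod
    def client_prefix(ip):
        # Group clients by /24, the usual IPv4 prefix length for RRL buckets.
        return ".".join(ip.split(".")[:3])

    def allow(self, src_ip, t):
        """Return True if a response to src_ip at time t (seconds) may go out."""
        key = (self.client_prefix(src_ip), int(t))
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


def simulate_reflection(n_servers, per_server_qps, seconds, limit):
    """Every server runs its own limiter; all forged queries carry VICTIM as
    their source.  Returns how many responses reach the victim in total."""
    delivered = 0
    for _ in range(n_servers):
        rl = ResponseRateLimiter(limit)
        for s in range(seconds):
            for i in range(per_server_qps):
                if rl.allow(VICTIM, s + i / per_server_qps):
                    delivered += 1
    return delivered


if __name__ == "__main__":
    limit = 5
    # Same total attack load (1000 forged queries/sec), two distributions.
    concentrated = simulate_reflection(1, 1000, 1, limit)
    spread = simulate_reflection(1000, 1, 1, limit)
    print(f"1 reflector x 1000 q/s:  {concentrated} responses/sec reach the victim")
    print(f"1000 reflectors x 1 q/s: {spread} responses/sec reach the victim")
```

Run as a script it reports 5 responses/sec for the concentrated case and 1000 for the spread case: the per-server limiter cuts the first by a factor of 200 and does nothing at all to the second, because no single server ever sees more than one response per second to the victim. The only place the second pattern is visible is the victim's side, which is why the quoted message puts the remaining hope on BCP38 at the networks that emit the forged packets rather than on anything the reflectors can count.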
Re: [dns-operations] Another whitepaper on DDOS
With all due respect to friends at both Arbor and Gartner, this is lightweight by their standards and factually wrong on both details and recommendations having to do with DNS rate limiting.

--vix

Jeff Wright wrote:
> Given the recent hubbub over the CloudShield posting, I would be
> interested to see what anyone thinks of the following whitepaper. Note
> that I have not yet read it, and in any case, I don't count myself as
> qualified to comment. But I enjoy reading people's opinions of other
> people's opinions...it is educational for me.
>
> http://docs.media.bitpipe.com/io_10x/io_106675/item_584633/Gartner%20and%20Arbor%20Focus%20on%20DDoS%20FINAL.PDF
>
> Jeff Wright

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
[dns-operations] Another whitepaper on DDOS
Given the recent hubbub over the CloudShield posting, I would be interested to see what anyone thinks of the following whitepaper. Note that I have not yet read it, and in any case, I don't count myself as qualified to comment. But I enjoy reading people's opinions of other people's opinions...it is educational for me.

http://docs.media.bitpipe.com/io_10x/io_106675/item_584633/Gartner%20and%20Arbor%20Focus%20on%20DDoS%20FINAL.PDF

Jeff Wright