Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Dean Anderson
On Tue, 2 Sep 2008, Danny McPherson wrote:

> 
> On Sep 2, 2008, at 12:44 PM, Dean Anderson wrote:
> >
> > I find this hard to believe from three standpoints:
> >
> > 1) the expected number of open DNS recursors and their collective
> > bandwidth doesn't seem to be large enough to support a 40Gbps attack.
> 
> Really?  With trivial amplification vectors 20 low-speed broadband
> connected bots can generate nearly 1.5 Gbps of attack traffic.  

It isn't the case that many open recursors are on low-speed broadband 
connections; that is a residential service, while recursors are usually 
run by businesses or ISPs, which changes a number of things.

I also suppose you expect that 20 * 384kbps * 100x = 1.5Gbps.
 (384kbps upload speed)
 (100x amplification factor)

The error in your estimate is that you assume if there are bots to send
demand, that there are recursors to handle the load. This just isn't the
case.

The estimate is an ideal maximum, assuming a lot of things are true that
aren't true. For example, one never has ideal bandwidth available to any
host.  And one must still have enough recursors that can handle the
offered load.  But there aren't enough recursors to provide the load.  
There are only about 20k or so recursors, and most don't sit on high
bandwidth connections.  Many don't support EDNS0, so can't get more than
about 10x amplification, anyway.

Most businesses and ISPs would probably soon notice their participation
in a DDOS attack due to their own bandwidth consumption and block the
(spoofed) source address without damage as a result of the block, or an
upstream carrier would block the spoofed source, also without collateral
damage.  

Furthermore, it's relatively easy to change the IP address of a
recursor. Abusers need to keep scanning.

> So, that'd put you around 500 or so bots, and any number of open
> resolvers, to generate such an attack, which is low-hanging fruit
> these days.  

Really? Recursors are "low hanging fruit"? By what measure?

> Of course, the reported amplification vector was higher
> than this, the number of bots lowers.

Higher than what?  You can't get more than about 100x from DNS under 
ideal conditions. 

> > 2) Why would anyone capable of programming bother searching for open
> > recursors (with often small connection speeds) when they can use 100+
> > root servers with large amplification factors and high bandwidth
> > connections at key exchange points?
> 
> We'll leave that an exercise for the reader...

Let's not, since it's important to consider the alternatives available to
the attacker and the costs of this proposal.  Significantly, the abuser
has an option that doesn't expose them to discovery by their scanning
efforts, and the other attack isn't very easy to mitigate. It doesn't
require the effort of scanning, or of distributing a payload of
recursors to the bots. Quite a lot easier to do.  This seems to make the
other attack much more attractive. Something about low-hanging fruit???

> > 3) Why aren't these attacks being prosecuted? Someone searching for
> > open recursors is bound to be noticed.  The only people I know of
> > searching for open recursors is UltraDNS and a scientific group at
> > Cornell.
> 
> Searching for open recursors and launching an attack are
> two entirely different things.  

Yes. One must precede the other. Scanning comes first.  And abusers need
to keep scanning, which puts them at a disadvantage for this attack.

> And launching spoofed-based attacks makes finding the attacking
> sources more difficult.  And given that they're most always botted,
> you then have to find a C&C, and then an attacker stepping stone,
> etc.., etc., No need for rehashes of this here, methinks.

Finding the C&C for a botnet that must keep scanning to conduct abuse
should be easier than for a botnet that doesn't need to scan. You find
the person scanning and you found the person involved in the C&C.

Also, one doesn't need to find the attacking source with recursor abuse.  
It's a very mitigatable attack. Just like open proxy abuse, one can
usually block the recursor without collateral damage.  

Significantly, one can't easily mitigate the other attack (ala DNSSEC
responses) of roots, TLDs, major domain's authority servers. Blocking
authority servers generally does significant damage; roots, TLDs, major
domains in particular can't be blocked.

> > I'll wait to see the report.  It will also be interesting to find out
> > who was surveyed. If it turns out to be primarily NANOG (the source of
> > the original reports), I'll be more dubious.
> 
> No, there's quite a wide distribution of responses, but mostly
> *OG types in various regions.

Ahh. Figured as much.


> >  Mr. McPherson is
> > associated with NANOG, attending 18 meetings as of NANOG 42; Only 46
> > people have attended more NANOG meetings than Mr. McPherson.
>
> Interesting tidbit, I had no idea.  Useless, but interesting :-)

Useless to you perhaps. Not so useless to everyone.  But its

Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Dean Anderson
On Tue, 2 Sep 2008, Joe Abley wrote:

> 
> On 2 Sep 2008, at 13:43, Dean Anderson wrote:
> 
> > Really? Your position is that there are attacks but all these attacks
> > are somehow being kept secret?  People talked about ping floods, syn
> > floods, and an uncountable slew of other attacks. Incredible.
> 
> My point is that there are a large number of distributed denial of  
> service attacks happening every day, on a scale large enough to  
> involve multiple providers and cross-organisational teams for  
> mitigation.
> 
> When new attack techniques emerge, sometimes they make the news. The  
> fiftieth DNS reflection attack on any particular day, years after the  
> technique was first described, is unlikely to be newsworthy. The fact  
> that alarm bells are not sounding in the streets doesn't mean that  
> people continue to work to mitigate such attacks, however, nor that  
> such attacks no longer happen.

Significant problems are always newsworthy, or at least
discussion-worthy on various network forums that I do monitor. There has
been no further discussion of these attacks since the two very small
motivating attacks were discussed on NANOG some time ago.  I don't see
any evidence that there have been more than two such attacks.

> The existence of closed, operational forums for the discussion and
> mitigation of denial of service attacks is no great secret to
> operators. If you're unaware, and you're an operator, feel free to
> drop me a private note. I would be very happy to let you know about
> the subscription procedures and attendant vetting by peers that would
> be required for you to participate (at least, in the forums I am aware
> of). I imagine discussions of your applicability would be
> entertaining.

I never said the existence of forums was secret.  Indeed, the genuine
forums are usually for coordination between major carriers' operations
groups, and so are only appropriate to the operations employees of those
few major carriers.  The rest of the (somewhat dubious) forums are
groups more or less like blackhat; groups basically training bad guys
and/or sharing techniques among bad guys, or else among dilettantes.  
Because I am not currently employed in the operations department of a
large major carrier myself, I would be unable to actually mitigate any
in-progress attacks. Moreover, I've always worked for major carriers in
engineering, not operations. So I can't imagine why I would ever want to
be in a genuine forum, nor would I want to be in any dubious forum. I note
that you aren't employed by any of the major carriers, either. In
any case, I doubt that I would need your assistance with any application.

However, not participating in the actual mitigation efforts doesn't mean
that attacks aren't discussed post-mortem.  These discussions are
usually more widespread and are more public. But you have no evidence of
such discussion, nor evidence of any actual attacks whatsoever after the
motivating attacks. 

> At a higher level, you seem to be seeking some measure of proof
> regarding the existence of something. My aim was not to provide proof
> of anything, since as far as I know this is not a court of law, a
> philosophy class nor a distillery. Apologies if that was not clear.

I guessed that your aim was not to provide proof of your assertions.  
However, for your claims to be credible, there needs to be some evidence
that this is a problem that needs to be solved, that the costs are
justified. You have no evidence of there being a problem and your claims
are not credible because of the lack of evidence. The costs imposed on 
legitimate open recursors are unjustified.

> > If these attacks were indeed happening, someone, somewhere would be
> > talking about specific attacks.
> 
> And my point is that they are. Your point is that you don't believe
> me. I might make the point that I don't care who believes me.  
> Regardless, I will continue not to lose sleep.

The people who don't believe you won't lose sleep either when we
collectively decide you don't have a genuine problem to be solved, or
don't have any evidence of a genuine problem.

> >>> And I was serious about the t-shirt, if the price is reasonable. XXL,
> >> thanks.
> >
> > Then you should know that this isn't a proper forum to be soliciting me
> > about t-shirts.
> 
> Shame. Perhaps someone else will do the right thing and start selling  
> av8 t-shirts with such pithy catchphrases, given your documented lack  
> of interest in exploiting this no-doubt lucrative opportunity.

Then I guess they'll learn about the law on trademark infringement.

--Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   


___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] DNSKEY / multiprecision number format? (fwd)

2008-09-02 Thread Mark Andrews

> If someone could forward this to DNSEXT WG, I would appreciate it.
> 
> Thanks,
> 
>   --Dean
> 
> -- Forwarded message --
> Date: Sat, 30 Aug 2008 23:14:44 -0400 (EDT)
> From: Dean Anderson <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: DNSKEY / multiprecision number format?
> 
> I'm wondering how the exponent and modulus are stored in a DNSKEY record 
> for RSASHA1.  RFC3110 just makes some vague references to where things 
> go, but does not define their precise format: 
> 
>  exponent length   1 or 3 octets (see text)
>  exponent  as specified by length field
>  modulus   remaining space

The numbers are in network byte order.
 
> The format of large binary numbers is never specified in RFC3110, and no
> standard exists that I can find. I notice that BIND tools just use the
> openssl library calls bn2bin, which produces an undefined and
> non-standardized openssl format.  GMP and presumably other
> multiprecision libraries have their own format. GMP's mpz_import
> function has a number of parameters for importing from different binary
> multiprecision number formats:
> 
>   count, 
>   order, 
>   size, 
>   endian, 
>   nails
> 
> http://gmplib.org/manual/Integer-Import-and-Export.html#Integer-Import-and-Export
>  "The parameters specify the format of the data. /count/ many words are 
>   read, each /size/ bytes. order can be 1 for most significant word
>   first or -1 for least significant first. Within each word /endian/ can
>   be 1 for most significant byte first, -1 for least significant first,
>   or 0 for the native endianness of the host CPU. The most significant
>   /nails/ bits of each word are skipped, this can be 0 to use the full
>   words. "

As for any integer in network byte order, "count, 1, 1, 1, 0".
 
> The only one that can be inferred from an instance of an DNSKEY RR is
> count.
> 
> So, can anyone say what the remaining 4 parameters should be for DNSKEY
> and other DNSSEC records?
> 
> Is there an RFC that defines these parameters?
> 
> Thanks,
> 
>   --Dean
> 
> 
> -- 
> Av8 Internet   Prepared to pay a premium for better service?
> www.av8.net faster, more reliable, better service
> 617 344 9000   
> 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


Re: [DNSOP] I think we may have a solution - DNSCurve

2008-09-02 Thread Mark Andrews

> On Mon, Sep 01, 2008 at 04:49:12PM -0400,
>  Paul Wouters <[EMAIL PROTECTED]> wrote 
>  a message of 18 lines which said:
> 
> > many issues there which are not addressed [...] authenticated denial
> > of existence,
> 
> Although I agree with your criticism that there is no published
> *specification* of DNScurve (whether in Internet-Draft form or else),
> this specific issue seems addressed today: DNScurve signs the packet,
> not the resource records, and therefore a NXDOMAIN response can be
> signed (unlike what happens with DNSSEC).

An NXDOMAIN response is cryptographically proved with DNSSEC.

There are other rcodes that DNSSEC does not cover but NXDOMAIN
is not one of them.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Kevin Darcy
Dean Anderson wrote:
>
> A useful
> technique for scan detection is a non-production special "server".  
> Scanners show up in the logs; no one else does. Dnscache, BIND, and
> PowerDNS all have the necessary logging capabilities.
>
>   
http://en.wikipedia.org/wiki/Honeypot_(computing)

- Kevin



Re: [DNSOP] [dns-operations] Signed .cz zone

2008-09-02 Thread Mark Andrews

http://img.nic.cz/nic_bg_hlavicka_en.gif')">

Firefox complains about insecure content.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Mark Andrews

> 2) Why would anyone capable of programming bother searching for open
> recursors (with often small connection speeds) when they can use 100+
> root servers with large amplification factors and high bandwidth
> connections at key exchange points?

Because there are much better amplification factors available
than those you can produce using the root servers.  The
roots still only send unfragmented UDP responses.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


Re: [DNSOP] I think we may have a solution - DNSCurve

2008-09-02 Thread David Conrad
Bert,

On Aug 31, 2008, at 1:34 PM, bert hubert wrote:
> Technically, this may be true - but I got into trouble over an AES-based
> random generator, even though it does not encrypt any user supplied data.

Back when I was trying to get an early version of BIND shipped with  
RSA BSAFE (around the turn of the century), I got hung up with lawyers  
(coincidentally enough, including the same lawyer DJB used for his  
lawsuit against the US government over cryptography and the lawyer who  
wrote one of the books lawyers used to use for export-related matters)  
trying to figure out if we needed to get a license from the US  
government to export "munitions".  Our approach was to point out  
repeatedly that DNSSEC provided authentication only and not encryption  
(and try to ignore Rivest's "Chaffing and Winnowing" paper).  After  
about a year of fruitless discussion with the Bureau of Export  
Administration, the USG changed their policy and allowed exports with  
a self-declared license for the stuff we were doing.

> It does create problems though.

Not having looked at this (or consulted a lawyer), I would guess  
things would probably be much more complicated today given the current  
political situation as well as the fact that DNSCurve actually does do  
encryption.  But that would only be a guess...

Regards,
-drc



[DNSOP] Signed .cz zone

2008-09-02 Thread Ondřej Surý
Hello all,

we have signed .cz on Sep 1st 2008.  Key can be found at
https://www.nic.cz/dnssec/ (bottom of the page).

EPP interface for registering DS RRsets will be launched
on Sep 30 2008.

Please report any errors (hope there are none) or suggestions
to my address.

Regards,
-- 
 Ondřej Surý
 technický ředitel/Chief Technical Officer
 -
 CZ.NIC, z.s.p.o. -- .cz domain registry
 Americká 23,120 00 Praha 2,Czech Republic
 mailto:[EMAIL PROTECTED] http://nic.cz/
 sip:[EMAIL PROTECTED] tel:+420.222745110
 mob:+420.739013699 fax:+420.222745112
 -


Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Danny McPherson

On Sep 2, 2008, at 12:44 PM, Dean Anderson wrote:
>
> I find this hard to believe from three standpoints:
>
> 1) the expected number of open DNS recursors and their collective
> bandwidth doesn't seem to be large enough to support a 40Gbps attack.

Really?  With trivial amplification vectors 20 low-speed broadband
connected bots can generate nearly 1.5 Gbps of attack traffic.  So,
that'd put you around 500 or so bots, and any number of open resolvers,
to generate such an attack, which is low-hanging fruit these days.  Of
course, the reported amplification vector was higher than this, the
number of bots lowers.

> 2) Why would anyone capable of programming bother searching for open
> recursors (with often small connection speeds) when they can use 100+
> root servers with large amplification factors and high bandwidth
> connections at key exchange points?

We'll leave that an exercise for the reader...

> 3) Why aren't these attacks being prosecuted? Someone searching for open
> recursors is bound to be noticed.  The only people I know of searching
> for open recursors is UltraDNS and a scientific group at Cornell.

Searching for open recursors and launching an attack are
two entirely different things.  And launching spoofed-based
attacks makes finding the attacking sources more difficult.  And
given that they're most always botted, you then have to find a
C&C, and then an attacker stepping stone, etc.., etc.,  No need
for rehashes of this here, methinks.

> I'll wait to see the report.  It will also be interesting to find out
> who was surveyed. If it turns out to be primarily NANOG (the source of
> the original reports), I'll be more dubious.

No, there's quite a wide distribution of responses, but mostly
*OG types in various regions.

>  Mr. McPherson is
> associated with NANOG, attending 18 meetings as of NANOG 42; Only 46
> people have attended more NANOG meetings than Mr. McPherson.

Interesting tidbit, I had no idea.  Useless, but interesting :-)

-danny


Re: [DNSOP] I think we may have a solution - DNSCurve

2008-09-02 Thread Stephane Bortzmeyer
On Mon, Sep 01, 2008 at 04:49:12PM -0400,
 Paul Wouters <[EMAIL PROTECTED]> wrote 
 a message of 18 lines which said:

> many issues there which are not addressed [...] authenticated denial
> of existence,

Although I agree with your criticism that there is no published
*specification* of DNScurve (whether in Internet-Draft form or else),
this specific issue seems addressed today: DNScurve signs the packet,
not the resource records, and therefore a NXDOMAIN response can be
signed (unlike what happens with DNSSEC).






Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Joe Abley

On 2 Sep 2008, at 13:43, Dean Anderson wrote:

> Really? Your position is that there are attacks but all these attacks
> are somehow being kept secret?  People talked about ping floods, syn
> floods, and an uncountable slew of other attacks. Incredible.

My point is that there are a large number of distributed denial of  
service attacks happening every day, on a scale large enough to  
involve multiple providers and cross-organisational teams for  
mitigation.

When new attack techniques emerge, sometimes they make the news. The  
fiftieth DNS reflection attack on any particular day, years after the  
technique was first described, is unlikely to be newsworthy. The fact  
that alarm bells are not sounding in the streets doesn't mean that  
people continue to work to mitigate such attacks, however, nor that  
such attacks no longer happen.

The existence of closed, operational forums for the discussion and  
mitigation of denial of service attacks is no great secret to  
operators. If you're unaware, and you're an operator, feel free to  
drop me a private note. I would be very happy to let you know about  
the subscription procedures and attendant vetting by peers that would  
be required for you to participate (at least, in the forums I am aware  
of). I imagine discussions of your applicability would be entertaining.

At a higher level, you seem to be seeking some measure of proof  
regarding the existence of something. My aim was not to provide proof  
of anything, since as far as I know this is not a court of law, a  
philosophy class nor a distillery. Apologies if that was not clear.

> If these attacks were indeed happening, someone, somewhere would be
> talking about specific attacks.

And my point is that they are. Your point is that you don't believe  
me. I might make the point that I don't care who believes me.  
Regardless, I will continue not to lose sleep.

>>> And I was serious about the t-shirt, if the price is reasonable. XXL,
>> thanks.
>
> Then you should know that this isn't a proper forum to be soliciting me
> about t-shirts.

Shame. Perhaps someone else will do the right thing and start selling  
av8 t-shirts with such pithy catchphrases, given your documented lack  
of interest in exploiting this no-doubt lucrative opportunity.


Joe


[DNSOP] DNSKEY / multiprecision number format? (fwd)

2008-09-02 Thread Dean Anderson
If someone could forward this to DNSEXT WG, I would appreciate it.

Thanks,

--Dean

-- Forwarded message --
Date: Sat, 30 Aug 2008 23:14:44 -0400 (EDT)
From: Dean Anderson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: DNSKEY / multiprecision number format?

I'm wondering how the exponent and modulus are stored in a DNSKEY record 
for RSASHA1.  RFC3110 just makes some vague references to where things 
go, but does not define their precise format: 

 exponent length   1 or 3 octets (see text)
 exponent  as specified by length field
 modulus   remaining space

The format of large binary numbers is never specified in RFC3110, and no
standard exists that I can find. I notice that BIND tools just use the
openssl library calls bn2bin, which produces an undefined and
non-standardized openssl format.  GMP and presumably other
multiprecision libraries have their own format. GMP's mpz_import
function has a number of parameters for importing from different binary
multiprecision number formats:

  count, 
  order, 
  size, 
  endian, 
  nails

http://gmplib.org/manual/Integer-Import-and-Export.html#Integer-Import-and-Export
 "The parameters specify the format of the data. /count/ many words are 
  read, each /size/ bytes. order can be 1 for most significant word
  first or -1 for least significant first. Within each word /endian/ can
  be 1 for most significant byte first, -1 for least significant first,
  or 0 for the native endianness of the host CPU. The most significant
  /nails/ bits of each word are skipped, this can be 0 to use the full
  words. "

The only one that can be inferred from an instance of an DNSKEY RR is
count.

So, can anyone say what the remaining 4 parameters should be for DNSKEY
and other DNSSEC records?

Is there an RFC that defines these parameters?

Thanks,

--Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   



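As an added example (not code from the thread, from BIND, or from any other DNS implementation), here is a parser and encoder for the RSA public-key field that the forwarded question above asks about, following the RFC 3110 layout and the "network byte order" answer Mark Andrews gives elsewhere in this thread (GMP order=1, size=1, endian=1, nails=0). It uses only the Python standard library; the sample exponent and modulus are constructed values, not a real key, and the leading-zero and 4096-bit checks are the ones RFC 3110 section 2 states.

```python
import struct

ALG_RSASHA1 = 5             # RFC 4034 algorithm number for RSA/SHA-1
ALG_RSASHA1_NSEC3_SHA1 = 7  # RFC 5155; same RSA key layout
MAX_RSA_BITS = 4096         # RFC 3110 caps exponent and modulus at 4096 bits each

# Constructed sample values for the demonstration below; NOT a real key.
SAMPLE_EXPONENT = 65537
SAMPLE_MODULUS = (1 << 1023) + 12345


def parse_rsa_public_key(key):
    """Return (exponent, modulus) from the public-key field of an RSA DNSKEY.

    RFC 3110 section 2 layout:
      exponent length  one octet for lengths 1..255, else a zero octet
                       followed by a two-octet unsigned length
      exponent         unsigned big-endian integer, no leading zero octets
      modulus          all remaining octets, same encoding
    A big-endian octet string is what "network byte order" means here, i.e.
    GMP mpz_import(count=len, order=1, size=1, endian=1, nails=0).
    """
    if not key:
        raise ValueError("empty public key field")
    exp_len, offset = key[0], 1
    if exp_len == 0:
        if len(key) < 3:
            raise ValueError("truncated exponent length")
        exp_len = struct.unpack("!H", key[1:3])[0]
        offset = 3
        if exp_len == 0:
            raise ValueError("zero-length exponent")
    exp_bytes = key[offset:offset + exp_len]
    if len(exp_bytes) != exp_len:
        raise ValueError("truncated exponent")
    mod_bytes = key[offset + exp_len:]
    if not mod_bytes:
        raise ValueError("missing modulus")
    for name, octets in (("exponent", exp_bytes), ("modulus", mod_bytes)):
        if octets[0] == 0:
            raise ValueError("leading zero octet in %s is prohibited" % name)
        if len(octets) * 8 > MAX_RSA_BITS:
            raise ValueError("%s longer than %d bits" % (name, MAX_RSA_BITS))
    return int.from_bytes(exp_bytes, "big"), int.from_bytes(mod_bytes, "big")


def encode_rsa_public_key(exponent, modulus):
    """Inverse of parse_rsa_public_key: minimal big-endian octets plus length prefix."""
    if exponent <= 0 or modulus <= 0:
        raise ValueError("exponent and modulus must be positive")
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    prefix = bytes([len(e)]) if len(e) <= 255 else b"\x00" + struct.pack("!H", len(e))
    return prefix + e + n


def parse_dnskey_rdata(rdata):
    """Split full DNSKEY RDATA (RFC 4034: flags, protocol, algorithm, key) and
    decode the key when the algorithm uses the RFC 3110 RSA layout."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA shorter than its fixed header")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if algorithm not in (ALG_RSASHA1, ALG_RSASHA1_NSEC3_SHA1):
        raise ValueError("algorithm %d does not use the RFC 3110 layout" % algorithm)
    exponent, modulus = parse_rsa_public_key(rdata[4:])
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm,
            "exponent": exponent, "modulus": modulus}


if __name__ == "__main__":
    key = encode_rsa_public_key(SAMPLE_EXPONENT, SAMPLE_MODULUS)
    rdata = struct.pack("!HBB", 257, 3, ALG_RSASHA1) + key   # 257 = zone key + SEP
    info = parse_dnskey_rdata(rdata)
    print("exponent length prefix:", key[:1].hex(), "exponent:", info["exponent"])
    print("modulus bits:", info["modulus"].bit_length())
```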


Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Dean Anderson
On Tue, 2 Sep 2008, Danny McPherson wrote:

> On Sep 2, 2008, at 9:47 AM, Joe Abley wrote:
> >>
> >> There is "usually" no harm to anyone from open resolvers. No one has
> >> reported any further attacks since this draft was conceived.
> >
> > That is not true. It's possible that the forums in which such attacks
> > are discussed are not available to you, of course. I say that not as
> > some kind of thinly-veiled attack, but merely as an observation that
> > security ops forums tend not to be public.
> 
> I'd note that this 2008 Infrastructure Security Survey collection
> is about done, and the largest reported attack over the past
> 12 months was just north of 40 Gbps (yes, I meant to type "forty")
> and employed DNS-based reflective amplification vectors.
> 
> Others reported these attacks well above 10 Gbps in the past
> 12 months as well..
> 
> Report to be published in next month or two.

I find this hard to believe from three standpoints:

1) the expected number of open DNS recursors and their collective
bandwidth doesn't seem to be large enough to support a 40Gbps attack.

2) Why would anyone capable of programming bother searching for open
recursors (with often small connection speeds) when they can use 100+
root servers with large amplification factors and high bandwidth
connections at key exchange points?

3) Why aren't these attacks being prosecuted? Someone searching for open
recursors is bound to be noticed.  The only people I know of searching
for open recursors is UltraDNS and a scientific group at Cornell.

I'll wait to see the report.  It will also be interesting to find out
who was surveyed. If it turns out to be primarily NANOG (the source of
the original reports), I'll be more dubious.  Mr. McPherson is
associated with NANOG, attending 18 meetings as of NANOG 42; Only 46
people have attended more NANOG meetings than Mr. McPherson. Comparing
NANOG participation with ARIN membership shows that NANOG makes up a
very small portion of internet service providers.  NANOG has also been
the scene for other deceptions of the internet community. See
http://www.iadl.org/nanog/nanog-story.html for more information.

Perhaps what is needed is a clearinghouse for reporting and stopping DNS
scanners; besides preventing abuse, such a clearinghouse could be useful
in identifying and prosecuting the abusers. Scan detection and abuse
complaint is what drove open relay abusers out of business.  A useful
technique for scan detection is a non-production special "server".  
Scanners show up in the logs; no one else does. Dnscache, BIND, and
PowerDNS all have the necessary logging capabilities.


--Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   


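The scan-detection idea in the message above (a non-production decoy resolver whose log contains only scanners), worked through as an added example that is not code from the thread or from Dnscache, BIND or PowerDNS: it parses query-log lines in an assumed BIND 9 style shape, aggregates them per source address and produces the per-source summary an abuse complaint needs. The log lines are constructed, and the one caveat it carries is that a reflected query's logged source is the spoofed victim, not the sender.

```python
import re
from datetime import datetime

# Assumed BIND 9 style query-log line (exact format differs between versions):
#   <timestamp> client <ip>#<port>: query: <name> <class> <type> <flags> (<local ip>)
# The flags field starts with "+" when the client set RD (recursion desired).
QUERY_LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)"
)

# Constructed sample log from a decoy resolver that nothing legitimate points at.
SAMPLE_LOG = """\
02-Sep-2008 12:44:01.101 client 192.0.2.10#4321: query: www.example.com IN A + (198.51.100.53)
02-Sep-2008 12:44:01.390 client 192.0.2.10#4322: query: www.example.net IN A + (198.51.100.53)
02-Sep-2008 12:44:02.004 client 192.0.2.10#4323: query: www.example.org IN A + (198.51.100.53)
02-Sep-2008 12:51:17.880 client 203.0.113.7#53: query: . IN ANY + (198.51.100.53)
02-Sep-2008 12:51:17.881 client 203.0.113.7#53: query: . IN ANY + (198.51.100.53)
02-Sep-2008 13:02:40.213 zone example.com/IN: loaded serial 2008090201
"""


def parse_query_log(lines):
    """Yield one dict per query line; lines that are not queries are skipped."""
    for line in lines:
        m = QUERY_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
        rec["port"] = int(rec["port"])
        rec["rd"] = rec["flags"].startswith("+")
        yield rec


def summarise_clients(records):
    """Per source address: query count, first/last seen, RD count, names and types."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["ip"], {"queries": 0, "first": r["ts"], "last": r["ts"],
                                         "rd": 0, "names": set(), "types": set()})
        s["queries"] += 1
        s["first"] = min(s["first"], r["ts"])
        s["last"] = max(s["last"], r["ts"])
        s["rd"] += int(r["rd"])
        s["names"].add(r["name"])
        s["types"].add(r["type"])
    return summary


def abuse_report(summary):
    """One line per source, busiest first, for the complaint to that network's abuse
    contact.  Caveat: when the decoy is used as a reflector the logged source is the
    spoofed victim, so each line is a lead to verify, not proof of who sent the packets."""
    rows = []
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["queries"]):
        span = (s["last"] - s["first"]).total_seconds()
        rows.append("%s: %d queries over %.0fs, %d with RD set, types=%s, names=%s"
                    % (ip, s["queries"], span, s["rd"], sorted(s["types"]), sorted(s["names"])))
    return rows


if __name__ == "__main__":
    for row in abuse_report(summarise_clients(parse_query_log(SAMPLE_LOG.splitlines()))):
        print(row)
```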


Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Dean Anderson
On Tue, 2 Sep 2008, Joe Abley wrote:

> 
> On 2 Sep 2008, at 11:04, Dean Anderson wrote:
> 
> >>> There is no harm in public resolvers.
> >>
> >> Not to the people running the resolvers, usually, no.
> >
> > There is "usually" no harm to anyone from open resolvers. No one has
> > reported any further attacks since this draft was conceived.
> 
> That is not true. It's possible that the forums in which such attacks  
> are discussed are not available to you, of course. I say that not as  
> some kind of thinly-veiled attack, but merely as an observation that  
> security ops forums tend not to be public.

Really? Your position is that there are attacks but all these attacks
are somehow being kept secret?  People talked about ping floods, syn
floods, and an uncountable slew of other attacks. Incredible. 

If these attacks were indeed happening, someone, somewhere would be
talking about specific attacks.

> > I note that there have been no substantive answers to any of the
> > questions I raised, just platitudes and personal attacks.
> 
> Oh, I didn't notice any questions. In any case, I was only responding
> to what I saw as factual errors.

But you don't have any factual counter-evidence to offer to refute the
alleged factual errors.  Incredible.

> And I was serious about the t-shirt, if the price is reasonable. XXL,
> thanks.

Then you should know that this isn't a proper forum to be soliciting me
about t-shirts.

--Dean



-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   




Re: [DNSOP] Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Joao Damas

On 2 Sep 2008, at 02:57, Dean Anderson wrote:
>
>>> Are your resolvers public?
>> Of course not, I think there is a paper floating around here that this
>> is a bad idea ;-).
>
> Surprisingly, that paper is promoted by the same people promoting
> Anycast DNS... There is no harm in public resolvers.


Actually, the paper was done on request by the dnsop wg, with a clear  
content charter put together by the wg chairs based on input from the  
wg. The editors were just the means to bring the paper into existence.

Joao


Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Danny McPherson

On Sep 2, 2008, at 9:47 AM, Joe Abley wrote:
>>
>> There is "usually" no harm to anyone from open resolvers. No one has
>> reported any further attacks since this draft was conceived.
>
> That is not true. It's possible that the forums in which such attacks
> are discussed are not available to you, of course. I say that not as
> some kind of thinly-veiled attack, but merely as an observation that
> security ops forums tend not to be public.

I'd note that this 2008 Infrastructure Security Survey collection
is about done, and the largest reported attack over the past
12 months was just north of 40 Gbps (yes, I meant to type "forty")
and employed DNS-based reflective amplification vectors.

Others reported these attacks well above 10 Gbps in the past
12 months as well..

Report to be published in next month or two.

-danny


Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Joe Abley

On 2 Sep 2008, at 11:04, Dean Anderson wrote:

>>> There is no harm in public resolvers.
>>
>> Not to the people running the resolvers, usually, no.
>
> There is "usually" no harm to anyone from open resolvers. No one has
> reported any further attacks since this draft was conceived.

That is not true. It's possible that the forums in which such attacks  
are discussed are not available to you, of course. I say that not as  
some kind of thinly-veiled attack, but merely as an observation that  
security ops forums tend not to be public.

> I note
> that there have been no substantive answers to any of the questions I
> raised, just platitudes and personal attacks.

Oh, I didn't notice any questions. In any case, I was only responding  
to what I saw as factual errors. And I was serious about the t-shirt,  
if the price is reasonable. XXL, thanks.


Joe



Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Dean Anderson
On Tue, 2 Sep 2008, Joe Abley wrote:

> Dean,
> 
> On 1 Sep 2008, at 20:57, Dean Anderson wrote:
> 
> > mostly operations people (as opposed to credible engineers)?
> 
> If av8.net starts selling t-shirts, I'll take one with that phrase.

Perhaps a t-shirt should have this quote from Paul Vixie describing the
IETF as "self-selected rabble and trolls":
http://www.ietf.org/mail-archive/web/ietf/current/msg25874.html Or, later
in the same message, Vixie says "it's hard to commit acts of leadership
inside a burning movie theatre." Which is just wrong. It's quite easy to
commit acts of leadership during an emergency (the emergency being
spam). The problem was that Vixie was himself a spammer, false teaming
with anti-spammers and misleading network operators. Of course, there
will be no such t-shirt; you are just using the notion of a t-shirt to
misrepresent something I said.

I don't mean to say that network operators aren't credible, as you seem
to imply. I definitely appreciate the craft skills very much. But craft
skills don't generally imply knowledge of theory and mathematics, i.e.
actual engineering. I mean that network operations staff have a history
of being easily misled by emotional appeals such as "the war won't be
over until the last spammer's head is stuck onto a spear at the city
limits." -- Paul Vixie, Sept 1997. Although this really fired up network
operations staff, it was later discovered that Vixie was a spammer.
Network operations staff however gave Vixie (MAPS/SORBS/SPAMHAUS)
anti-spam information on Whitehat's competition, while Whitehat was able
to avoid spam-traps; none of this would have been possible without the
support of the misled network operations staff. This draft is a similar
emotional appeal with insufficient basis in fact, in the number of
attacks, or in theory.


> > There is no harm in public resolvers.
> 
> Not to the people running the resolvers, usually, no.

There is "usually" no harm to anyone from open resolvers. No one has
reported any further attacks since this draft was conceived.  I note
that there have been no substantive answers to any of the questions I
raised, just platitudes and personal attacks.

> Has there been any subsequent attacks since the motivating attack was
> reported?
>
> Given that we now have some high-profile DNSSEC test zones (thanks to
> David Conrad), there is now no reason at all to use a recursor in a
> DDOS attack. One would merely make DNSSEC queries against a
> high-profile authority server.
>
> One can conduct attacks on well-known high-profile authority servers
> without the risk of exposure inherent in searching out reflectors.
>
> And I note that Paul Wouters previously asserted that 100:1
> amplification is a non-issue. If so, then certainly reflector attacks
> are also a non-issue for the same reason.
>
> So, this draft is in search of a problem to solve. However, closing
> open recursors may promote the sales of DNS servers to people who
> didn't need them before, so I wonder about that.  And can we expect to
> see people selling 'reflector blacklist' products to ISPs to block DNS
> to open recursors, merely because the recursors are open?  Will we see
> 'reflector blacklist' people scanning for open recursors?



-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   
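The exchange above turns on whether a recursor's operator would notice, from its own traffic, that it is being used as a reflector against a spoofed address. The following is an added example, not code from any poster in this thread or from the DNSOP working group. It assumes a hypothetical resolver log format (one line per query received and per response sent: timestamp, client address, Q or R, byte count, qname, qtype) and a constructed sample in which one address is the apparent source of many ANY queries that draw large responses, which is the signature of a spoofed victim being reflected:

```python
"""Per-client amplification check over resolver query/response log lines.

Added example with a hypothetical log format; the sample traffic is
constructed, not captured.
"""
from collections import defaultdict


def build_sample_log():
    """Constructed sample: a normal client making a few A queries, and an
    address that appears as the source of 60 ANY queries, each answered
    with a large response (the reflection pattern). Not real traffic."""
    lines = []
    ts = 1220370000
    for i in range(5):
        lines.append(f"{ts + i} 192.0.2.10 Q 45 example.com A")
        lines.append(f"{ts + i} 192.0.2.10 R 120 example.com A")
    for i in range(60):
        lines.append(f"{ts + i} 198.51.100.7 Q 60 example.net ANY")
        lines.append(f"{ts + i} 198.51.100.7 R 3200 example.net ANY")
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 6:
            continue
        ts, client, direction, size, qname, qtype = parts
        if direction not in ("Q", "R"):
            continue
        try:
            yield {"ts": int(ts), "client": client, "dir": direction,
                   "bytes": int(size), "qname": qname, "qtype": qtype}
        except ValueError:
            continue


def client_stats(text):
    """Aggregate queries, bytes in and bytes out per client address and
    compute the bytes-out / bytes-in ratio, i.e. the amplification the
    resolver delivered toward that address."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0})
    for rec in parse_log(text):
        s = stats[rec["client"]]
        if rec["dir"] == "Q":
            s["queries"] += 1
            s["bytes_in"] += rec["bytes"]
        else:
            s["bytes_out"] += rec["bytes"]
    for s in stats.values():
        s["ratio"] = s["bytes_out"] / s["bytes_in"] if s["bytes_in"] else 0.0
    return dict(stats)


def flag_reflection_suspects(stats, min_ratio=20.0, min_queries=50):
    """Addresses that both received high amplification and sent many
    queries. Thresholds are illustrative assumptions; tune them to the
    resolver's normal traffic."""
    return sorted(ip for ip, s in stats.items()
                  if s["ratio"] >= min_ratio and s["queries"] >= min_queries)


if __name__ == "__main__":
    stats = client_stats(build_sample_log())
    for ip, s in sorted(stats.items()):
        print(f"{ip:15} queries={s['queries']:3d} out/in={s['ratio']:.1f}")
    print("suspects:", flag_reflection_suspects(stats))
```

A flagged address is most likely the spoofed victim rather than the real sender, so the operator's response is to rate-limit or drop responses toward it (and to restrict recursion to its own users), not to treat it as an attacker.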


Re: [DNSOP] Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Joe Abley
Dean,

On 1 Sep 2008, at 20:57, Dean Anderson wrote:

> mostly operations people (as opposed to credible engineers)?

If av8.net starts selling t-shirts, I'll take one with that phrase.

> There is no harm in public resolvers.

Not to the people running the resolvers, usually, no.


Joe
